
Windows Analysis Report
x7RZVIWaDKb5.exe

Overview

General Information

Sample name:x7RZVIWaDKb5.exe
Analysis ID:1428388
MD5:723480351d4946b6b8dd3e953a4ab4a6
SHA1:c58cf420e9555cfc916843437d73965394887f95
SHA256:66969ca6880e2ff107b78ea8a8ea31900912a8e3c910c336134f8cf78cc39a75
Tags:exe, njRat

Detection

Njrat
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Self deletion via cmd or bat file
Uses dynamic DNS services
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • x7RZVIWaDKb5.exe (PID: 1364 cmdline: "C:\Users\user\Desktop\x7RZVIWaDKb5.exe" MD5: 723480351D4946B6B8DD3E953A4AB4A6)
    • cmd.exe (PID: 6508 cmdline: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\x7RZVIWaDKb5.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
Malware configuration (Njrat): {"Host": "rusia.duckdns.org", "Port": "1994", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "7fc3d7b5df89403"}
Source | Rule | Description | Author | Strings
x7RZVIWaDKb5.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
00000000.00000000.1640342280.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
Process Memory Space: x7RZVIWaDKb5.exe PID: 1364 | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
0.0.x7RZVIWaDKb5.exe.ea0000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
          No Sigma rule has matched
          Timestamp:04/18/24-22:06:08.202041
          SID:2033132
          Source Port:49705
          Destination Port:1994
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:04/18/24-22:06:08.592139
          SID:2825563
          Source Port:49705
          Destination Port:1994
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:04/18/24-22:07:29.104221
          SID:2825564
          Source Port:49705
          Destination Port:1994
          Protocol:TCP
          Classtype:A Network Trojan was detected

          AV Detection

Source: x7RZVIWaDKb5.exe; Avira: detected
Source: 00000000.00000000.1640342280.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp; Malware Configuration Extractor: Njrat {"Host": "rusia.duckdns.org", "Port": "1994", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "7fc3d7b5df89403"}
Source: x7RZVIWaDKb5.exe; ReversingLabs: Detection: 94%
Source: Yara match; File source: x7RZVIWaDKb5.exe, type: SAMPLE
Source: Yara match; File source: 0.0.x7RZVIWaDKb5.exe.ea0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1640342280.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: x7RZVIWaDKb5.exe PID: 1364, type: MEMORYSTR
Source: x7RZVIWaDKb5.exe; Joe Sandbox ML: detected
Source: x7RZVIWaDKb5.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: x7RZVIWaDKb5.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Networking

Source: Traffic; Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49705 -> 46.246.14.17:1994
Source: Traffic; Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.5:49705 -> 46.246.14.17:1994
Source: Traffic; Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49705 -> 46.246.14.17:1994
Source: Malware configuration extractor; URLs: rusia.duckdns.org
Source: unknown; DNS query: name: rusia.duckdns.org
Source: global traffic; TCP traffic: 192.168.2.4:49730 -> 46.246.14.17:1994
Source: Joe Sandbox View; ASN Name: PORTLANEwwwportlanecomSE
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; DNS traffic detected: queries for: rusia.duckdns.org

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: x7RZVIWaDKb5.exe, Keylogger.cs; .Net Code: VKCodeToUnicode

          E-Banking Fraud

Source: Yara match; File source: x7RZVIWaDKb5.exe, type: SAMPLE
Source: Yara match; File source: 0.0.x7RZVIWaDKb5.exe.ea0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1640342280.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: x7RZVIWaDKb5.exe PID: 1364, type: MEMORYSTR
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Code function: 0_2_018A19F0
Source: x7RZVIWaDKb5.exe, 00000000.00000000.1640362266.0000000000EA8000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameClient.exe4 vs x7RZVIWaDKb5.exe
Source: x7RZVIWaDKb5.exe, 00000000.00000002.2250488877.000000000152E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamemscorwks.dllT vs x7RZVIWaDKb5.exe
Source: x7RZVIWaDKb5.exe; Binary or memory string: OriginalFilenameClient.exe4 vs x7RZVIWaDKb5.exe
Source: x7RZVIWaDKb5.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@4/1@1/1
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Code function: 0_2_057A22AA AdjustTokenPrivileges
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Code function: 0_2_057A2273 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\x7RZVIWaDKb5.exe.log
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Mutant created: NULL
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Mutant created: \Sessions\1\BaseNamedObjects\7fc3d7b5df89403
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_03
Source: x7RZVIWaDKb5.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: x7RZVIWaDKb5.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: x7RZVIWaDKb5.exe; ReversingLabs: Detection: 94%
Source: unknown; Process created: C:\Users\user\Desktop\x7RZVIWaDKb5.exe "C:\Users\user\Desktop\x7RZVIWaDKb5.exe"
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\x7RZVIWaDKb5.exe"
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: amsi.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: winmm.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: x7RZVIWaDKb5.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: x7RZVIWaDKb5.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Data Obfuscation

Source: x7RZVIWaDKb5.exe, Program.cs; .Net Code: Plugin System.Reflection.Assembly.Load(byte[])

          Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Process created: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\x7RZVIWaDKb5.exe"
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Process information set: NOOPENFILEERRORBOX (42 identical entries)
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Memory allocated: 1510000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Memory allocated: 3560000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Memory allocated: 5560000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Window / User API: threadDelayed 3262
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe TID: 6528; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: x7RZVIWaDKb5.exe, 00000000.00000002.2250488877.00000000015A5000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllxtBindingCollectionElement, System.WorkflowServices, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: x7RZVIWaDKb5.exe, Program.cs; Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, cbName, ref lpszVer, 100)
Source: x7RZVIWaDKb5.exe, Keylogger.cs; Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: x7RZVIWaDKb5.exe, Keylogger.cs; Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: x7RZVIWaDKb5.exe, 00000000.00000002.2251000874.0000000003561000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager
Source: x7RZVIWaDKb5.exe, 00000000.00000002.2251000874.0000000003561000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager@9
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\x7RZVIWaDKb5.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

Source: Yara match; File source: x7RZVIWaDKb5.exe, type: SAMPLE
Source: Yara match; File source: 0.0.x7RZVIWaDKb5.exe.ea0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1640342280.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: x7RZVIWaDKb5.exe PID: 1364, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match; File source: x7RZVIWaDKb5.exe, type: SAMPLE
Source: Yara match; File source: 0.0.x7RZVIWaDKb5.exe.ea0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1640342280.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: x7RZVIWaDKb5.exe PID: 1364, type: MEMORYSTR

MITRE ATT&CK matrix (techniques matched by the signatures above, with the count shown in the matrix):

• Execution: Native API (1)
• Persistence: DLL Side-Loading (1)
• Privilege Escalation: Access Token Manipulation (1), Process Injection (2), DLL Side-Loading (1)
• Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Access Token Manipulation (1), Process Injection (2), Software Packing (1), DLL Side-Loading (1), File Deletion (1)
• Credential Access: Input Capture (1)
• Discovery: Security Software Discovery (1), Process Discovery (1), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), System Information Discovery (12)
• Collection: Input Capture (1), Archive Collected Data (1)
• Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (21)

No techniques were matched under Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration or Impact.
Source | Detection | Scanner | Label
x7RZVIWaDKb5.exe | 95% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
x7RZVIWaDKb5.exe | 100% | Avira | TR/Dropper.Gen7
x7RZVIWaDKb5.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
rusia.duckdns.org | 46.246.14.17 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
rusia.duckdns.org | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
46.246.14.17 | rusia.duckdns.org | Sweden | 42708 | PORTLANEwwwportlanecomSE | true
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1428388
              Start date and time:2024-04-18 22:09:51 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 4m 59s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Run name:Run with higher sleep bypass
Number of new started processes analysed:7
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:x7RZVIWaDKb5.exe
              Detection:MAL
              Classification:mal100.troj.spyw.evad.winEXE@4/1@1/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 93
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
              • Stop behavior analysis, all processes terminated
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: x7RZVIWaDKb5.exe
Time | Type | Description
22:11:17 | API Interceptor | 43x Sleep call for process: x7RZVIWaDKb5.exe modified
Match: 46.246.14.17
Associated Sample Name / URL | Detection | Threat Name
bUBL.exe | malicious | Njrat
Bomolovo.exe | malicious | Njrat
a1.exe | malicious | GuLoader
Match: rusia.duckdns.org
Associated Sample Name / URL | Detection | Threat Name | Context
bUBL.exe | malicious | Njrat | 46.246.14.17
x6Xw7vcuD9zM.exe | malicious | Njrat | 46.246.14.23
bTAB.exe | malicious | Njrat | 46.246.80.3
xbd0vU3xnyOS.exe | malicious | Njrat | 46.246.6.7
x38kbgLd6bPu.exe | malicious | Njrat | 46.246.12.24
Match: PORTLANEwwwportlanecomSE
Associated Sample Name / URL | Detection | Threat Name | Context
bUBL.exe | malicious | Njrat | 46.246.14.17
bUBD.exe | malicious | Njrat | 46.246.14.22
xutnF2gKGTTy.exe | malicious | AsyncRAT | 46.246.4.3
8ubQTzsAqG.exe | malicious | Unknown | 185.117.88.39
8ubQTzsAqG.exe | malicious | Unknown | 185.117.88.39
ODOCVzwXq5.elf | malicious | Mirai | 195.190.218.30
bSRh.exe | malicious | XWorm | 46.246.86.13
xjwP3UYA8ujq.exe | malicious | AsyncRAT, DcRat | 46.246.82.6
x6Xw7vcuD9zM.exe | malicious | Njrat | 46.246.14.23
No context
                    Process:C:\Users\user\Desktop\x7RZVIWaDKb5.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):907
                    Entropy (8bit):5.243019596074263
                    Encrypted:false
                    SSDEEP:24:MLF2CpI329Iz52VMzffup26KTnKoO2+b2hHAa/:MwQd9IzoaXuY6Ux+SF/
                    MD5:48A0572426885EBDE53CA62C7F2E194E
                    SHA1:035628CDF6276367F6C83E9F4AA2172933850AA8
                    SHA-256:4C68E10691304CAC8DA65A05CF2580728EC0E294104F267840712AF1C46A6538
                    SHA-512:DEFE728C2312918D94BD43C98908C08CCCA5EBFB77F873779DCA784F14C607B33A4E29AC5ECB798F2F741668B7692F72BCB60DEFD536EA86B296B64FA359C42D
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\53992d421e2c7ecf6609c62b3510a6f0\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\74774597e319a738b792e6a6c06d3559\System.Xml.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\1bd56c432cb9ff27e335d97f404caf8f\System.Management.ni.dll",0..
                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):3.799612187761317
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                    • Win32 Executable (generic) a (10002005/4) 49.75%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Windows Screen Saver (13104/52) 0.07%
                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                    File name:x7RZVIWaDKb5.exe
                    File size:32'768 bytes
                    MD5:723480351d4946b6b8dd3e953a4ab4a6
                    SHA1:c58cf420e9555cfc916843437d73965394887f95
                    SHA256:66969ca6880e2ff107b78ea8a8ea31900912a8e3c910c336134f8cf78cc39a75
                    SHA512:603c55850d4dc6dee78faf67702241af36d7767ac9b6504b7bebfcf716322464347a54d61838cbd20f3942cbfaaff2fdf5a365f4128869fc41462c43f0f84d91
                    SSDEEP:384:w0bUe5XB4e0XfOVcsw0Q0mS03AWTxtTUFQqzFxObbR:1T9Bu26555dPbR
                    TLSH:4BE208067BF98215C6BC5AF88CB313214772E3838532EB6F5CDC88CA4B676D04655EE9
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4z!f.................P... ......ng... ........@.. ....................................@................................
                    Icon Hash:90cececece8e8eb0
                    Entrypoint:0x40676e
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0x66217A34 [Thu Apr 18 19:53:24 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                    Instruction
                    jmp dword ptr [00402000h]
                    (the 97 instructions that follow all decode as "add byte ptr [eax], al": zero bytes padding the 6-byte CLR entry stub, which jumps through the IAT slot at 0x402000 into mscoree!_CorExeMain, the only import)
                    Data Directories
                    Name                                  Virtual Address  Virtual Size  Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_IMPORT          0x6718           0x53          .text
                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8000           0x2a0         .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa000           0xc           .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                    Sections
                    Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity  File Type  Entropy               Characteristics
                    .text   0x2000           0x4774        0x5000    2efec48f4ef368396528908fb400a01c  False     0.475            data       5.290607913558853     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rsrc   0x8000           0x2a0         0x1000    72e29550a9764ae2ca0bc9263e829114  False     0.07666015625    data       0.6655850551657312    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc  0xa000           0xc           0x1000    34585954bedb30c5084980db7d41ad8f  False     0.0087890625     data       0.013126943721219527  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                    Resources
                    Name        RVA     Size   Type  Language  Country  ZLIB Complexity
                    RT_VERSION  0x8058  0x244  data                     0.46379310344827585

                    Imports
                    DLL          Import
                    mscoree.dll  _CorExeMain
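Three of the header values above decide how this sample can and cannot be triaged, so they are worked through here as an added example; this code is not part of the Joe Sandbox report. The import table holds exactly one entry, mscoree.dll!_CorExeMain, which is true of essentially every .NET executable, so the Import Hash f34d5f2d4577ed6d9ceec516c1f5a744 identifies ".NET binary" rather than this family and is useless as a hunting pivot. The native entry point 0x40676e is a 6-byte stub that jumps through the IAT slot at 0x402000 (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000) into the CLR loader, which is why the entry-point disassembly is one jmp followed by zeros. And the link timestamp 0x66217A34 is about 17 minutes before the 22:10:38 CEST start of this analysis. Section, directory and import values are copied from the tables above; the stub bytes are the x86 encoding of the reported jmp (FF 25 plus a little-endian absolute address) and are reconstructed from the disassembly text, not dumped from the file.

```python
"""Added example (not part of the Joe Sandbox report): reproduce three header facts from
the tables above for this .NET executable, standard library only.
Assumption: ENTRY_STUB is the x86 encoding of the reported instruction
`jmp dword ptr [00402000h]` (FF 25 <disp32 little-endian>), reconstructed from the
disassembly text rather than dumped from the file."""
import hashlib
import struct
from datetime import datetime, timezone

IMAGE_BASE = 0x400000
ENTRYPOINT_RVA = 0x40676E - IMAGE_BASE      # "Entrypoint: 0x40676e"
IAT_RVA, IAT_SIZE = 0x2000, 0x8             # IMAGE_DIRECTORY_ENTRY_IAT
TIME_DATE_STAMP = 0x66217A34                # "Time Stamp" from the file header

# Section table from the report: name -> (virtual address, virtual size, raw size)
SECTIONS = {
    ".text": (0x2000, 0x4774, 0x5000),
    ".rsrc": (0x8000, 0x2A0, 0x1000),
    ".reloc": (0xA000, 0xC, 0x1000),
}

# Import table from the report: the single CLR bootstrap import
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}

# Reconstructed (see module docstring): jmp dword ptr [0x00402000]
ENTRY_STUB = b"\xff\x25" + struct.pack("<I", 0x00402000)


def rva_to_section(rva):
    """Name of the section whose mapped range contains rva, or None.
    Uses the larger of virtual and raw size, the same heuristic pefile applies."""
    for name, (va, vsize, rawsize) in SECTIONS.items():
        if va <= rva < va + max(vsize, rawsize):
            return name
    return None


def decode_entry_stub(stub, image_base):
    """Decode an x86 `jmp dword ptr [abs32]` and return the RVA of the slot it jumps through.
    Raises ValueError for anything that is not that 6-byte instruction."""
    if len(stub) != 6 or stub[:2] != b"\xff\x25":
        raise ValueError("not a jmp dword ptr [disp32] stub")
    slot_va = struct.unpack_from("<I", stub, 2)[0]
    return slot_va - image_base


def imphash(imports):
    """pefile-compatible Import Hash: '<dll minus .dll/.ocx/.sys>.<function>', all
    lowercase, comma-joined in import-table order, MD5-hashed."""
    entries = []
    for dll, functions in imports.items():
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in ("dll", "ocx", "sys"):
            lib = base
        entries.extend(f"{lib}.{func.lower()}" for func in functions)
    return hashlib.md5(",".join(entries).encode()).hexdigest()


def compile_time_utc(stamp):
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def summarize():
    slot_rva = decode_entry_stub(ENTRY_STUB, IMAGE_BASE)
    return {
        "entry_section": rva_to_section(ENTRYPOINT_RVA),
        "entry_jumps_through_iat": IAT_RVA <= slot_rva < IAT_RVA + IAT_SIZE,
        "imphash": imphash(IMPORTS),
        "compile_time_utc": compile_time_utc(TIME_DATE_STAMP),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Because the Import Hash is shared by nearly all .NET binaries, the report's TLSH and SSDEEP values are the better clustering keys for this sample; the compile time, on the other hand, is a useful note for the timeline, since a binary linked minutes before it is seen is typical of a freshly generated RAT build.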
                    Snort IDS Alerts
                    Timestamp                 Protocol  SID      Message                                                   Source Port  Dest Port  Source IP    Dest IP
                    04/18/24-22:06:08.202041  TCP       2033132  ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)      49705        1994       192.168.2.5  46.246.14.17
                    04/18/24-22:06:08.592139  TCP       2825563  ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)  49705        1994       192.168.2.5  46.246.14.17
                    04/18/24-22:07:29.104221  TCP       2825564  ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)  49705        1994       192.168.2.5  46.246.14.17

                    TCP Packets
                    Timestamp                             Source Port  Dest Port  Source IP     Dest IP
                    Apr 18, 2024 22:10:46.795777082 CEST  49730        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:10:47.096146107 CEST  1994         49730      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:10:47.096251011 CEST  49730        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:10:47.213634968 CEST  49730        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:10:47.633275032 CEST  1994         49730      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:10:47.633336067 CEST  49730        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:10:48.026959896 CEST  1994         49730      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:10:52.682153940 CEST  49730        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:10:53.034111977 CEST  1994         49730      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:10:54.220294952 CEST  1994         49730      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:10:54.274626017 CEST  49730        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:10:54.440316916 CEST  49730        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:10:54.821935892 CEST  1994         49730      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:10:57.294316053 CEST  1994         49730      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:10:57.294400930 CEST  49730        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:10:59.307415009 CEST  49730        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:10:59.309397936 CEST  49734        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:10:59.592217922 CEST  1994         49730      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:10:59.594691992 CEST  1994         49734      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:10:59.594773054 CEST  49734        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:10:59.603421926 CEST  49734        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:11:00.067428112 CEST  1994         49734      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:11:00.067517042 CEST  49734        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:11:00.574152946 CEST  1994         49734      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:11:00.899876118 CEST  49734        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:11:01.268405914 CEST  1994         49734      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:11:06.740215063 CEST  1994         49734      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:11:06.741096973 CEST  49734        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:11:07.236704111 CEST  1994         49734      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:11:23.314671040 CEST  1994         49734      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:11:23.315192938 CEST  49734        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:11:23.748182058 CEST  1994         49734      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:11:37.596513987 CEST  1994         49734      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:11:37.649424076 CEST  49734        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:11:37.685404062 CEST  49734        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:11:38.060549974 CEST  1994         49734      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:11:39.385565042 CEST  1994         49734      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:11:39.385992050 CEST  49734        1994       192.168.2.4   46.246.14.17
                    Apr 18, 2024 22:11:39.766818047 CEST  1994         49734      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:11:40.279572964 CEST  1994         49734      46.246.14.17  192.168.2.4
                    Apr 18, 2024 22:11:40.314887047 CEST  49734        1994       192.168.2.4   46.246.14.17

                    UDP Packets
                    Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                    Apr 18, 2024 22:10:46.655452013 CEST  65414        53         192.168.2.4  1.1.1.1
                    Apr 18, 2024 22:10:46.792927027 CEST  53           65414      1.1.1.1      192.168.2.4

                    DNS Queries
                    Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name               Type            Class        DNS over HTTPS
                    Apr 18, 2024 22:10:46.655452013 CEST  192.168.2.4  1.1.1.1  0x90a9    Standard query (0)  rusia.duckdns.org  A (IP address)  IN (0x0001)  false

                    DNS Answers
                    Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name               CName  Address       Type            Class        DNS over HTTPS
                    Apr 18, 2024 22:10:46.792927027 CEST  1.1.1.1    192.168.2.4  0x90a9    No error (0)  rusia.duckdns.org         46.246.14.17  A (IP address)  IN (0x0001)  false
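Read together, the DNS and TCP tables above are the whole C2 story: rusia.duckdns.org resolves to 46.246.14.17 at 22:10:46.79, 3 ms later the sample opens 192.168.2.4:49730 to 46.246.14.17:1994, the server answers, and at 22:10:59 a second session starts from port 49734 (a reconnect). The following added detection example is not part of the Joe Sandbox report. It parses rows in the shape of those two tables, keys outbound traffic by (server, port), attaches the names that resolved to the server, and raises one alert when the server was reached through a dynamic-DNS zone or listens on a port outside an assumed set of ordinary services; reconnects and whether the server responded are recorded as context. The TCP rows embedded below are a subset copied from the table; the dynamic-DNS zone list and the ordinary-port set are assumptions to tune for your own network.

```python
"""Added detection example, not part of the Joe Sandbox report.
Correlates DNS answers with TCP flows (rows in the shape of the two tables above) and
raises one alert per (server, port) that was reached via a dynamic-DNS name or on a
non-standard port. Sample rows are copied from the report (TCP rows are a subset);
DYNAMIC_DNS_ZONES and ORDINARY_PORTS are assumptions to tune per environment."""
import ipaddress
from collections import defaultdict

# Constructed from the report's TCP table: timestamp, source port, dest port, source IP, dest IP
TCP_FLOWS = """\
Apr 18, 2024 22:10:46.795777082 CEST 49730 1994 192.168.2.4 46.246.14.17
Apr 18, 2024 22:10:47.096146107 CEST 1994 49730 46.246.14.17 192.168.2.4
Apr 18, 2024 22:10:47.096251011 CEST 49730 1994 192.168.2.4 46.246.14.17
Apr 18, 2024 22:10:59.309397936 CEST 49734 1994 192.168.2.4 46.246.14.17
Apr 18, 2024 22:10:59.594691992 CEST 1994 49734 46.246.14.17 192.168.2.4
Apr 18, 2024 22:11:40.314887047 CEST 49734 1994 192.168.2.4 46.246.14.17
"""

# Constructed from the report's DNS answer: timestamp, transaction ID, name, address
DNS_ANSWERS = """\
Apr 18, 2024 22:10:46.792927027 CEST 0x90a9 rusia.duckdns.org 46.246.14.17
"""

# Assumption: free dynamic-DNS zones worth flagging; the report itself only shows duckdns.org
DYNAMIC_DNS_ZONES = ("duckdns.org", "no-ip.com", "ddns.net", "dyndns.org")
# Assumption: server ports ordinary enough not to be flagged on their own
ORDINARY_PORTS = {25, 53, 80, 123, 443, 465, 587, 993, 995}


def parse_rows(text, n_fields):
    """Yield (timestamp, fields) from lines 'Mon DD, YYYY HH:MM:SS.fffffffff TZ f1 ... fN'."""
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != 5 + n_fields:
            continue  # header, blank or truncated line
        yield " ".join(tokens[:5]), tokens[5:]


def parse_dns_answers(text):
    """Resolved address -> set of names that produced it."""
    names_for_ip = defaultdict(set)
    for _ts, (_txid, name, addr) in parse_rows(text, 3):
        names_for_ip[addr].add(name.lower().rstrip("."))
    return names_for_ip


def is_dynamic_dns(name):
    return any(name == zone or name.endswith("." + zone) for zone in DYNAMIC_DNS_ZONES)


def correlate(flow_text, dns_text):
    """Group private<->global flows by (server IP, server port), note whether the server
    answered, and return alerts sorted by first sighting."""
    names_for_ip = parse_dns_answers(dns_text)
    sessions = {}
    for ts, (sport, dport, src, dst) in parse_rows(flow_text, 4):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip.is_private and dst_ip.is_global:
            key, client_port, inbound = (dst, int(dport)), int(sport), False
        elif src_ip.is_global and dst_ip.is_private:
            key, client_port, inbound = (src, int(sport)), int(dport), True
        else:
            continue  # purely internal or purely external traffic is out of scope
        s = sessions.setdefault(key, {"first_seen": ts, "client_ports": set(),
                                      "server_responded": False})
        s["last_seen"] = ts
        s["client_ports"].add(client_port)
        s["server_responded"] = s["server_responded"] or inbound

    alerts = []
    for (server, port), s in sessions.items():
        names = sorted(names_for_ip.get(server, ()))
        reasons = []
        if any(is_dynamic_dns(n) for n in names):
            reasons.append("server resolved from a dynamic-DNS name")
        if port not in ORDINARY_PORTS:
            reasons.append(f"non-standard server port {port}")
        if not reasons:
            continue
        if len(s["client_ports"]) > 1:
            reasons.append("client reconnected from a new source port")
        alerts.append({"server": server, "port": port, "names": names,
                       "client_ports": sorted(s["client_ports"]),
                       "server_responded": s["server_responded"],
                       "first_seen": s["first_seen"], "last_seen": s["last_seen"],
                       "reasons": reasons})
    return sorted(alerts, key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in correlate(TCP_FLOWS, DNS_ANSWERS):
        print(alert)
```

The DNS join is what turns "traffic to 46.246.14.17:1994" into something actionable: the IP will change the next time the operator updates the duckdns record, but the name, and the habit of using a free dynamic-DNS zone on a non-standard port, carry over between builds.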

                    Target ID:0
                    Start time:22:10:38
                    Start date:18/04/2024
                    Path:C:\Users\user\Desktop\x7RZVIWaDKb5.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\x7RZVIWaDKb5.exe"
                    Imagebase:0xea0000
                    File size:32'768 bytes
                    MD5 hash:723480351D4946B6B8DD3E953A4AB4A6
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1640342280.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true

                    Target ID:4
                    Start time:22:11:39
                    Start date:18/04/2024
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\x7RZVIWaDKb5.exe"
                    Imagebase:0x240000
                    File size:236'544 bytes
                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:5
                    Start time:22:11:39
                    Start date:18/04/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true
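Target ID 4 above is the "Self deletion via cmd or bat file" behaviour from the signature list: the sample's child cmd.exe runs Del on the parent's own image path. Because the two commands are joined with a single &, Del runs whether or not the first command succeeds (&& would have required it to). The following added detection example is not part of the Joe Sandbox report. It flags the pattern from process-creation events: it splits a cmd.exe command line on &, &&, | and || outside double quotes, skips a leading cmd.exe /C or /K, collects the path arguments of del and erase, and matches them against the image path of the parent process. The three events are constructed from the process entries above; the event field names, and the parent PID of the sample itself (which the report does not list), are assumptions.

```python
"""Added detection example, not part of the Joe Sandbox report.
Flags a cmd.exe child that deletes its parent's own image (the "Self deletion via cmd or
bat file" behaviour above) from process-creation events. EVENTS is constructed from the
report's process table; the field names and the sample's own parent PID (not in the
report) are assumptions."""
import re

EVENTS = [
    {"pid": 1364, "ppid": 1000,  # ppid is a placeholder: the report does not show it
     "image": r"C:\Users\user\Desktop\x7RZVIWaDKb5.exe",
     "cmdline": r'"C:\Users\user\Desktop\x7RZVIWaDKb5.exe"'},
    {"pid": 6508, "ppid": 1364,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\x7RZVIWaDKb5.exe"'},
    {"pid": 6960, "ppid": 6508,
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

DELETE_VERBS = {"del", "erase"}
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # quoted argument (quotes dropped) or bare word


def split_commands(cmdline):
    """Split on cmd.exe's &, &&, | and || operators, ignoring those inside double quotes."""
    commands, buf, in_quotes, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch in "&|" and not in_quotes:
            commands.append("".join(buf))
            buf = []
            if i + 1 < len(cmdline) and cmdline[i + 1] == ch:
                i += 1  # second character of && or ||
        else:
            buf.append(ch)
        i += 1
    commands.append("".join(buf))
    return [c.strip() for c in commands if c.strip()]


def tokenize(command):
    return [quoted or bare for quoted, bare in _TOKEN.findall(command)]


def strip_cmd_prefix(tokens):
    """For 'cmd[.exe] [switches] /C|/K <command>' return the <command> tokens; otherwise unchanged."""
    if tokens and tokens[0].lower().rsplit("\\", 1)[-1] in ("cmd", "cmd.exe"):
        for i, tok in enumerate(tokens[1:], 1):
            if tok.lower() in ("/c", "/k"):
                return tokens[i + 1:]
        return []  # interactive cmd.exe: no embedded command to inspect
    return tokens


def delete_targets(cmdline):
    """Paths passed to del/erase anywhere in a cmd.exe command line (switches like /F /Q skipped)."""
    targets = []
    for command in split_commands(cmdline):
        tokens = strip_cmd_prefix(tokenize(command))
        if tokens and tokens[0].lower() in DELETE_VERBS:
            targets.extend(t for t in tokens[1:] if not t.startswith("/"))
    return targets


def _norm(path):
    return path.strip().strip('"').lower()


def find_self_deletion(events):
    """Return one hit per cmd.exe event whose del/erase target equals its parent's image path."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _norm(e["image"]).rsplit("\\", 1)[-1] != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        for target in delete_targets(e["cmdline"]):
            if _norm(target) == _norm(parent["image"]):
                hits.append({"cmd_pid": e["pid"], "parent_pid": parent["pid"],
                             "deleted_image": parent["image"]})
    return hits


if __name__ == "__main__":
    for hit in find_self_deletion(EVENTS):
        print(hit)
```

conhost.exe (Target ID 5) is a child of the cmd.exe and carries no delete verb, so it is not flagged. The check relies on the parent's image path being recorded at process creation; by the time an analyst looks, the file is gone, which is the point of the technique. A sample that deletes itself through a dropped .bat file instead would need the same parsing applied to the batch file's contents.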

                      Execution Graph

                      Execution Coverage:15.2%
                      Dynamic/Decrypted Code Coverage:81.8%
                      Signature Coverage:2%
                      Total number of Nodes:148
                      Total number of Limit Nodes:8
                      execution_graph: an interactive rendering in the original report; the raw node and edge list is not reproduced here. The Win32 and Winsock APIs reached by the graph's nodes are:
                      • Network: getaddrinfo, WSASocketW, WSAConnect, setsockopt, ioctlsocket, select, send, shutdown
                      • Registry: RegCreateKeyExW, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RegDeleteKeyW
                      • Privileges and security descriptors: LookupPrivilegeValueW, AdjustTokenPrivileges, ConvertStringSecurityDescriptorToSecurityDescriptorW
                      • Files: CreateFileW, ReadFile, GetFileType, MapViewOfFile, FindCloseChangeNotification
                      • Process and system: CreateMutexW, GetComputerNameW, GetVolumeInformationA, GetProcessTimes, GetExitCodeProcess, DuplicateHandle, SetErrorMode, SetProcessWorkingSetSize, GetProcessWorkingSetSize, WaitForInputIdle, PostMessageW, OleInitialize, LoadLibraryA, LoadLibraryShim, KiUserExceptionDispatcher

                      Control-flow Graph: interactive rendering in the original report (function at 18a19f0; node and edge list omitted)

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250845633.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_18a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID:
                      • String ID: $
                      • API String ID: 0-227171996
                      • Opcode ID: 2fef93bcf0cf83b55f19a1ba0e0eed243c07248ad445ff769137d5701ecb748c
                      • Instruction ID: 2d76b8ac6f918372689eada0436fdd0c25a1128e4f49476d9702004391fdaf53
                      • Opcode Fuzzy Hash: 2fef93bcf0cf83b55f19a1ba0e0eed243c07248ad445ff769137d5701ecb748c
                      • Instruction Fuzzy Hash: ADC29D34B00214DFDB24DF78C954BADB7A3BB88308F5180A9E5099B7A0DF789E45DB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 057A22F3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: AdjustPrivilegesToken
                      • String ID:
                      • API String ID: 2874748243-0
                      • Opcode ID: 6d861fede5952522197fa0d8135b4eef0811183309603650b8225e3a53daea65
                      • Instruction ID: 1def8d498731a3f798940da7fcadc120148d05c946ad3f48733ea23f2b3436b2
                      • Opcode Fuzzy Hash: 6d861fede5952522197fa0d8135b4eef0811183309603650b8225e3a53daea65
                      • Instruction Fuzzy Hash: FB21DE765093809FDB228F25DC44B62BFF4EF46310F0985DAE9858F5A3D274A908DB62
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 057A22F3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: AdjustPrivilegesToken
                      • String ID:
                      • API String ID: 2874748243-0
                      • Opcode ID: e56f8608565b4b7a1c9c63becce9fd097c6452e67fa5c6e8dd940aaa5062c04d
                      • Instruction ID: 7d20b2b5b97643b810a97ce3d173714012fcc8a25f1d21fd6d999394a2e243db
                      • Opcode Fuzzy Hash: e56f8608565b4b7a1c9c63becce9fd097c6452e67fa5c6e8dd940aaa5062c04d
                      • Instruction Fuzzy Hash: 0011C2365042009FDB20CF15D944B66FBE4FF48320F08C5AADD468BA52D735E408DF61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph: interactive rendering in the original report (function at 18a03f8; node and edge list omitted)

                      APIs
                      • KiUserExceptionDispatcher.NTDLL ref: 018A041F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250845633.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_18a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: DispatcherExceptionUser
                      • String ID:
                      • API String ID: 6842923-0
                      • Opcode ID: 04bf31da55f66d3f4ee570b548604876e5724833c4a4ecd79dbc72fe12891c72
                      • Instruction ID: 29d56c7250adee13536d4730b839a112ad4c64c292b9a332a1c5bb18f6fbe3ff
                      • Opcode Fuzzy Hash: 04bf31da55f66d3f4ee570b548604876e5724833c4a4ecd79dbc72fe12891c72
                      • Instruction Fuzzy Hash: 0D315C31A012048FDB24EF78D58499DB7F6EF88314B548479E808EB35ADB35DE85CBA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph: interactive rendering in the original report (function at 146b5de; node and edge list omitted)

                      APIs
                      • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0146B69D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: 6b7d72bbffe0b0c2879154bf86e12c8a038f59e9cb39b6e3353cbfc372a74cb8
                      • Instruction ID: 8a268ef24faf61d43abc477e559bc6625afe3331518fb1bfbf5df12b2ad1471f
                      • Opcode Fuzzy Hash: 6b7d72bbffe0b0c2879154bf86e12c8a038f59e9cb39b6e3353cbfc372a74cb8
                      • Instruction Fuzzy Hash: D631C5715053806FE722CF25DC44BA2BFF8EF06314F08889AE985CB662D375A909DB71
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph: interactive rendering in the original report (function at 18a03e8; node and edge list omitted)

                      APIs
                      • KiUserExceptionDispatcher.NTDLL ref: 018A041F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250845633.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_18a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: DispatcherExceptionUser
                      • String ID:
                      • API String ID: 6842923-0
                      • Opcode ID: 04221f612807083d677b106d99b66f10dcd06f8301ccde2b8f89d3b4b35917c7
                      • Instruction ID: 3712a2b742919942221b7fb24aa05bb186e3a046a17d6179bb4364d34423bea7
                      • Opcode Fuzzy Hash: 04221f612807083d677b106d99b66f10dcd06f8301ccde2b8f89d3b4b35917c7
                      • Instruction Fuzzy Hash: 2B418071A012008FDB14DF38C59499DBBF2EF88304B588479E809EB35ADB35DD41CBA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph
                      • Function starting at 57a1d7e (graph rendering omitted): RegCreateKeyExW is called in block 57a1e3f-57a1e52.
                      APIs
                      • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 057A1E45
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: d86308858f3a7f0f0945dfac036c1383a646591f8877877a3f1217c4c34df664
                      • Instruction ID: 33dd0f616a6465f45c133e431558bc0b2f741f6b1326dd3133f44220665852d5
                      • Opcode Fuzzy Hash: d86308858f3a7f0f0945dfac036c1383a646591f8877877a3f1217c4c34df664
                      • Instruction Fuzzy Hash: 36319072504344AFE721CB65CC44FA7BBFCEF19210F08859AE985CB662D324E908CBA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph
                      • Function starting at 146bb4b (graph rendering omitted): RegQueryValueExW is called in block 146bbc2-146bc1a.
                      APIs
                      • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0146BC12
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: QueryValue
                      • String ID:
                      • API String ID: 3660427363-0
                      • Opcode ID: e42d8388ee4e4e8a155e11e800562a327b6ddda3f868105c3edb0e0839b4b6c9
                      • Instruction ID: e4bd04df398cc6fa73f8f0245071a2f4fbd6b9d083fbe0413794d73c87ec9380
                      • Opcode Fuzzy Hash: e42d8388ee4e4e8a155e11e800562a327b6ddda3f868105c3edb0e0839b4b6c9
                      • Instruction Fuzzy Hash: 7E317C6510E7C06FD3138B258C61A62BFB4EF47614F0E45DBD8C48F6A3D229A909D7B2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph
                      • Function starting at 146a7c7 (graph rendering omitted): RegOpenKeyExW is called in block 146a873-146a886.
                      APIs
                      • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0146A879
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: Open
                      • String ID:
                      • API String ID: 71445658-0
                      • Opcode ID: 55c3c9560178e3bdc46e43d8d225cea777867d501e3fb1292a3b07239c441405
                      • Instruction ID: 6314f5eab28b767bf10e9e1ae398b59bd63592c310793f35e4d0ce369ea998ed
                      • Opcode Fuzzy Hash: 55c3c9560178e3bdc46e43d8d225cea777867d501e3fb1292a3b07239c441405
                      • Instruction Fuzzy Hash: F331B7714083846FE7228B559C44FA7BFBCEF16214F04849BE9808B693D224A909C771
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph
                      • Function starting at 57a099c (graph rendering omitted): getaddrinfo is called in block 57a0a5d-57a0a65.
                      APIs
                      • getaddrinfo.WS2_32(?,00000E24), ref: 057A0A63
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: getaddrinfo
                      • String ID:
                      • API String ID: 300660673-0
                      • Opcode ID: b03abeaede20e14ea4821a19cd52dfe53755d6532d77c139496368221299f0c1
                      • Instruction ID: 26155ae0cfcf058e51e88d72a35da0382a8c9174d70c84758fb8180a5fd3089c
                      • Opcode Fuzzy Hash: b03abeaede20e14ea4821a19cd52dfe53755d6532d77c139496368221299f0c1
                      • Instruction Fuzzy Hash: F131D1B2500300AFE721CB51CC44FA6FBACEF05314F04889AFA489B681D375A908CB70
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph
                      • Function starting at 57a0190 (graph rendering omitted): ConvertStringSecurityDescriptorToSecurityDescriptorW is called in block 57a0221-57a0229.
                      APIs
                      • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 057A0227
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: DescriptorSecurity$ConvertString
                      • String ID:
                      • API String ID: 3907675253-0
                      • Opcode ID: 038279121061dfe809db37bcae6aede3585db0ee3dad0f15191d2d4b8b35bfdc
                      • Instruction ID: c25b71f1fd5d5a5f18645c074ac09a2cbc421f5d7a5058cc760f953bea9100ae
                      • Opcode Fuzzy Hash: 038279121061dfe809db37bcae6aede3585db0ee3dad0f15191d2d4b8b35bfdc
                      • Instruction Fuzzy Hash: A9319372504344AFEB21CB65DC45FA7BBF8EF45214F0888AAE944DB692D334E909CB71
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph
                      • Function starting at 146a612 (graph rendering omitted): CreateMutexW is called in block 146a6b3-146a6d7.
                      APIs
                      • CreateMutexW.KERNELBASE(?,?), ref: 0146A6B9
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: CreateMutex
                      • String ID:
                      • API String ID: 1964310414-0
                      • Opcode ID: 03511bc851823d3adaff232b8295912b10571e50b247c0ef14fd7f735c9e7dc5
                      • Instruction ID: 9614daa0dbb10cf8db05472bc42be63ee993b14f7e0df5dfa93ebf3ea6880ca0
                      • Opcode Fuzzy Hash: 03511bc851823d3adaff232b8295912b10571e50b247c0ef14fd7f735c9e7dc5
                      • Instruction Fuzzy Hash: 0B31B3B15097805FE722CB25DC45B96BFF8EF06214F08849AE984CF293D375E909C762
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph
                      • Function starting at 57a0894 (graph rendering omitted): GetProcessTimes is called in block 57a092b-57a0933.
                      APIs
                      • GetProcessTimes.KERNELBASE(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 057A0931
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: ProcessTimes
                      • String ID:
                      • API String ID: 1995159646-0
                      • Opcode ID: 811dab5592aad3052d53e5829fb1c2b4f52f2a7ffd3b8a95e502154db157396e
                      • Instruction ID: af33f14d375c8c7695fa70f1c0d98157fe957fd0f75a5b3ef1d325a2555ae062
                      • Opcode Fuzzy Hash: 811dab5592aad3052d53e5829fb1c2b4f52f2a7ffd3b8a95e502154db157396e
                      • Instruction Fuzzy Hash: 8531F9724053805FE7228F54DC45F96BFB8EF46314F08889AE9448F593D2249909CB71
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph
                      • Function starting at 57a1daa (graph rendering omitted): RegCreateKeyExW is called in block 57a1e3f-57a1e52.
                      APIs
                      • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 057A1E45
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: 7032392e4d0cdc4b15571460dbbe0fd4113ad5e1fd6f730de92ab78fd16cf910
                      • Instruction ID: e55cda0a4c516c760651ce983423767b92847f0e0e348b81c0392dfc894c895f
                      • Opcode Fuzzy Hash: 7032392e4d0cdc4b15571460dbbe0fd4113ad5e1fd6f730de92ab78fd16cf910
                      • Instruction Fuzzy Hash: 09219C72504304AFEB31DF15CC44FA7BBECEF18614F04896AE945CAA52D734E508CAA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • getaddrinfo.WS2_32(?,00000E24), ref: 057A0A63
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: getaddrinfo
                      • String ID:
                      • API String ID: 300660673-0
                      • Opcode ID: bdcdfc14a501308aa1afbdc88f1c39366ee4cbfedc90cb90ae836221c2a4d4c2
                      • Instruction ID: db55205ac5a415c8e73a7c2dc6e28b2c065e0f778f581bef8d51bad508706bc3
                      • Opcode Fuzzy Hash: bdcdfc14a501308aa1afbdc88f1c39366ee4cbfedc90cb90ae836221c2a4d4c2
                      • Instruction Fuzzy Hash: C721D172501304AEFB30DB65CC84FA6F7ACEF54714F04886AFA489AA81D775E909CB71
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 057A0DB6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: InformationVolume
                      • String ID:
                      • API String ID: 2039140958-0
                      • Opcode ID: 4d667d4b57b5566f83adbf738bbe5ef56fad462f744566f6549d0a361525da75
                      • Instruction ID: 94ec9b378605ebe3b62cc4004f27ec7dfaa3e841e9ec9655314c6f2998e77eb4
                      • Opcode Fuzzy Hash: 4d667d4b57b5566f83adbf738bbe5ef56fad462f744566f6549d0a361525da75
                      • Instruction Fuzzy Hash: 6031C17150E3C06FD3128B258C51B62BFB8EF47210F0981DBE884CF693D225A949C7A2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: select
                      • String ID:
                      • API String ID: 1274211008-0
                      • Opcode ID: ff3fc36ab902c0bfe0ae818c393b02c3127a1875447047a13c330d17bfc5e35b
                      • Instruction ID: 6a236517626b852f6a5272b5c82af12b44d4a7b3236a7200b9f8f3a41091a843
                      • Opcode Fuzzy Hash: ff3fc36ab902c0bfe0ae818c393b02c3127a1875447047a13c330d17bfc5e35b
                      • Instruction Fuzzy Hash: 3B2191755093849FDB22CF25CC44B52BFF8EF46210F0884DAE885CB163D234E909DB61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegQueryValueExW.KERNELBASE(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 0146A40C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: QueryValue
                      • String ID:
                      • API String ID: 3660427363-0
                      • Opcode ID: 81fb869d26b726e6e537154ca5d335c4eaa3c56c48b749dbeef89e945a7abc1c
                      • Instruction ID: 76c30d3a38c9b10b121d8d02f71f115f47f853cecdcea8eb3a965b8b4e541259
                      • Opcode Fuzzy Hash: 81fb869d26b726e6e537154ca5d335c4eaa3c56c48b749dbeef89e945a7abc1c
                      • Instruction Fuzzy Hash: 88219C71504740AFE721CB15CC84FA3BBFCEF05614F08849AE945DB6A2D374E949CB62
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetExitCodeProcess.KERNELBASE(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 057A247C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: CodeExitProcess
                      • String ID:
                      • API String ID: 3861947596-0
                      • Opcode ID: ee72725a03541e2d98c4ed0b95c9003061b0480f419a15c2472f87c4e03862ec
                      • Instruction ID: 32023a0bd6edb62a43455e7c6c94183ae5f5afb38e1b3860858fcce494377849
                      • Opcode Fuzzy Hash: ee72725a03541e2d98c4ed0b95c9003061b0480f419a15c2472f87c4e03862ec
                      • Instruction Fuzzy Hash: 0921C1725093806FE712CB24DC45FA6BFB8EF46314F0884EAE944CF693D268A909C771
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: FileView
                      • String ID:
                      • API String ID: 3314676101-0
                      • Opcode ID: f0200a340e7d109e063593f7e03adbc8a6be1c44196ef41a38505951060c5044
                      • Instruction ID: 3bed46b3e8167dbf9a61dbf46b4984701acf139fa6736f0e52e8dbb41d1c6133
                      • Opcode Fuzzy Hash: f0200a340e7d109e063593f7e03adbc8a6be1c44196ef41a38505951060c5044
                      • Instruction Fuzzy Hash: 2721F371405344AFE722CF15DC44F96FFF8EF09224F0488AEE9848B692D375A909CB61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegSetValueExW.KERNELBASE(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 0146A4F8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: Value
                      • String ID:
                      • API String ID: 3702945584-0
                      • Opcode ID: a30ba7338a1ae344b2a07ce84dd600de530b0ad7cff453f1980b1ecd4e03c407
                      • Instruction ID: 4318d402f942c4c630d75ab75cb494ec3935f83edeabd2e537b59cdfc4f84db3
                      • Opcode Fuzzy Hash: a30ba7338a1ae344b2a07ce84dd600de530b0ad7cff453f1980b1ecd4e03c407
                      • Instruction Fuzzy Hash: 0721A1725047806FD7228B15DC44F67BFBCDF06614F08849AE945DB6A2C274E809C771
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • WSASocketW.WS2_32(?,?,?,?,?), ref: 0146BCCA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: Socket
                      • String ID:
                      • API String ID: 38366605-0
                      • Opcode ID: 356bc7231acdb6d30fcd25b92163add5a26c5c23e27c210233d2630c5b7013d7
                      • Instruction ID: 192466b58e8432b2fe87d495b9d3a088459d957014a55725e01558adfe33cbc1
                      • Opcode Fuzzy Hash: 356bc7231acdb6d30fcd25b92163add5a26c5c23e27c210233d2630c5b7013d7
                      • Instruction Fuzzy Hash: 0921B471505340AFD722CF55DC45F56FFF8EF05214F08889EE9858B692C375A509CB62
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 057A2172
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: LookupPrivilegeValue
                      • String ID:
                      • API String ID: 3899507212-0
                      • Opcode ID: 06f555a194b55fbb4762c47d30bdde4dc6b6a51527fe0ac0dbd26a389dfe6f57
                      • Instruction ID: 914341d04ea6b9c4e7f7eb9234d75356c83b7d82993ad73aa6065c30e22bbe1a
                      • Opcode Fuzzy Hash: 06f555a194b55fbb4762c47d30bdde4dc6b6a51527fe0ac0dbd26a389dfe6f57
                      • Instruction Fuzzy Hash: 9E21D6B66093C05FD712CB25DC50B52BFB8AF56214F0D84DAE949CF293D225D808DB71
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 057A0227
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: DescriptorSecurity$ConvertString
                      • String ID:
                      • API String ID: 3907675253-0
                      • Opcode ID: e77bab9b5293ae3fe0fe5c44764327c2c6064bab694ffb95f869b56c87e8e7f8
                      • Instruction ID: f177420a67b693c3b1dae1477ccda24adcb9ef15c6caf6d8d8c6bc214cec0850
                      • Opcode Fuzzy Hash: e77bab9b5293ae3fe0fe5c44764327c2c6064bab694ffb95f869b56c87e8e7f8
                      • Instruction Fuzzy Hash: F6210772500304AFEB20DF65DC44FABB7ECEF44314F04886AE944CBA81D734E5088A71
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0146B69D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: eb969c301dd1ce4d53d6afd8f9685122b3e7ed8ef19aab2ba449a67631ee7fc7
                      • Instruction ID: a956b825ffa89e17cd3d99e70190bde622da35ca569c8cc93bc2f8f88ea92d17
                      • Opcode Fuzzy Hash: eb969c301dd1ce4d53d6afd8f9685122b3e7ed8ef19aab2ba449a67631ee7fc7
                      • Instruction Fuzzy Hash: 0B21B271604200AFE721CF29DD45F66FBE8EF08214F08886AE949CB751D375E809CB72
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegQueryValueExW.KERNELBASE(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 057A013C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: QueryValue
                      • String ID:
                      • API String ID: 3660427363-0
                      • Opcode ID: ba2ccace9de24f37e062073ab4f3a560f2236d55eca45e33f83393124166b114
                      • Instruction ID: eae6cad3ec9f305fa719c2b0952538aff59cba1e3b0eb41055e497342e89b523
                      • Opcode Fuzzy Hash: ba2ccace9de24f37e062073ab4f3a560f2236d55eca45e33f83393124166b114
                      • Instruction Fuzzy Hash: EF21CF72505344AFD722CF15CC88FA7BBF8EF45610F08899AE945CB692C328E909CB71
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetFileType.KERNELBASE(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 0146B789
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: FileType
                      • String ID:
                      • API String ID: 3081899298-0
                      • Opcode ID: 0f2ec9dd502cb8109df3b19d5a6438ae33ff0d92e491ba2a11795583e1cf646e
                      • Instruction ID: 1b4d5618824baf0569170107414de52f2ee7b553a261b9899875c2aa0d7f0a03
                      • Opcode Fuzzy Hash: 0f2ec9dd502cb8109df3b19d5a6438ae33ff0d92e491ba2a11795583e1cf646e
                      • Instruction Fuzzy Hash: 6C212CB55087806FE7128B15DC44BA3BFBCDF46724F0884DBE9858B693D238A909C771
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0146A879
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: Open
                      • String ID:
                      • API String ID: 71445658-0
                      • Opcode ID: 227e3c6717fe1484270c91818ab9693a45e7b2d62fb4a56570df97c79877461f
                      • Instruction ID: a3d4d7f5c11fc6f57d5ac43fa4543c51f8dbeb45d7b2d6b5974e3feda1e92937
                      • Opcode Fuzzy Hash: 227e3c6717fe1484270c91818ab9693a45e7b2d62fb4a56570df97c79877461f
                      • Instruction Fuzzy Hash: 7D210472400304AFE7318B55CC44FABFBECEF14214F04886AE9419BB51D734E8098AB2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetProcessWorkingSetSize.KERNEL32(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 057A255B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: ProcessSizeWorking
                      • String ID:
                      • API String ID: 3584180929-0
                      • Opcode ID: 7647401c6ba0c989712ba2c6eca94664ef38a80d9858792638aa7944dd11d36b
                      • Instruction ID: e7b9dff7bf3a3d4b42d7239d69a8bffa90dc49123ed99f7e7808e75a71d2516e
                      • Opcode Fuzzy Hash: 7647401c6ba0c989712ba2c6eca94664ef38a80d9858792638aa7944dd11d36b
                      • Instruction Fuzzy Hash: 4621D4715093806FD722CB15DC49FABBFB8EF45210F08C8AAE944CB692D274A908CB71
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetProcessWorkingSetSize.KERNEL32(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 057A263F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: ProcessSizeWorking
                      • String ID:
                      • API String ID: 3584180929-0
                      • Opcode ID: 7647401c6ba0c989712ba2c6eca94664ef38a80d9858792638aa7944dd11d36b
                      • Instruction ID: 80c5a062ef67990662f365980dbc5da3c5d1b62de769e19be70c0c48ee588937
                      • Opcode Fuzzy Hash: 7647401c6ba0c989712ba2c6eca94664ef38a80d9858792638aa7944dd11d36b
                      • Instruction Fuzzy Hash: 2E21D4715093806FDB22CF25DC44FA7BFB8EF45214F08C8AAE944CB692D274A908CB71
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • shutdown.WS2_32(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 057A0660
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: shutdown
                      • String ID:
                      • API String ID: 2510479042-0
                      • Opcode ID: 82e1aa5f1767514b71debc08bf74b79a937e3fe3374a4b2479501e797eb31c11
                      • Instruction ID: 2aaa3219999608538e1e84ad96572ec5699e83d3d564ffec2915076447b9a632
                      • Opcode Fuzzy Hash: 82e1aa5f1767514b71debc08bf74b79a937e3fe3374a4b2479501e797eb31c11
                      • Instruction Fuzzy Hash: 0121C5714093806FD7228B15CC44B56BFB8EF46214F0888DAE984DF692C278A909CB61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateMutexW.KERNELBASE(?,?), ref: 0146A6B9
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: CreateMutex
                      • String ID:
                      • API String ID: 1964310414-0
                      • Opcode ID: 93b4b813b5288423b6af3fca2119d98e4b7064f7b659cabc1ab68488046b3d66
                      • Instruction ID: c069b394cf1ef0f1e2db5bf92e35a2f1033cfe552cbbe97e508b6fce545057d1
                      • Opcode Fuzzy Hash: 93b4b813b5288423b6af3fca2119d98e4b7064f7b659cabc1ab68488046b3d66
                      • Instruction Fuzzy Hash: 7121D4716002009FE720DF29DD45BA6FBECEF04218F14C86AE989DB791D775E909CA72
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegDeleteKeyW.ADVAPI32(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 057A381C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: Delete
                      • String ID:
                      • API String ID: 1035893169-0
                      • Opcode ID: 7c0a340b99f5a88d00870a5768f35d040c1fc4bcd96878530ebd70aa5582e2d4
                      • Instruction ID: 1786bbf83532ba4be6d9f10c739f8c3c27dfca58b2090132be4b49faafea403a
                      • Opcode Fuzzy Hash: 7c0a340b99f5a88d00870a5768f35d040c1fc4bcd96878530ebd70aa5582e2d4
                      • Instruction Fuzzy Hash: A221C3725093806FD722CB55DC45FA6FFB8EF46610F08C5DBE9448B692D268A908C771
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • ReadFile.KERNELBASE(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 0146BA55
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: FileRead
                      • String ID:
                      • API String ID: 2738559852-0
                      • Opcode ID: 780d2b32097613e8529fdaff26d0811bc10f19ea976a8ac9e9022d6832635bce
                      • Instruction ID: 2c8359692a69f6d81cc2bfb44ffe87c71acb4f7d157c25d4e8ff15204a44835a
                      • Opcode Fuzzy Hash: 780d2b32097613e8529fdaff26d0811bc10f19ea976a8ac9e9022d6832635bce
                      • Instruction Fuzzy Hash: 4921A471505340AFDB22CF55DC44F97BFB8EF45714F08889AE9459B652C234A909CB72
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • ioctlsocket.WS2_32(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 057A1FD3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: ioctlsocket
                      • String ID:
                      • API String ID: 3577187118-0
                      • Opcode ID: 17a86a40098c673e7e0f26a77561eacff798db2bc037fe28029cba4de18035ae
                      • Instruction ID: 6e86ca7324dc1c4b6cdda8b2a765c61a7f27290bf8868dbb1d77b9d92e9c9827
                      • Opcode Fuzzy Hash: 17a86a40098c673e7e0f26a77561eacff798db2bc037fe28029cba4de18035ae
                      • Instruction Fuzzy Hash: 1C21F3714093806FD722CF14CC44FA7BFB8EF45210F0888AAE9449B692C234A908CB71
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: send
                      • String ID:
                      • API String ID: 2809346765-0
                      • Opcode ID: 9c009b0f874991df1d4d5e2427ded133ec70cfd0448bdf78f939980e894935c7
                      • Instruction ID: 89273f916f6169c0a232f92a59e07c4ea29af317de59ced3a204c5a22bca05eb
                      • Opcode Fuzzy Hash: 9c009b0f874991df1d4d5e2427ded133ec70cfd0448bdf78f939980e894935c7
                      • Instruction Fuzzy Hash: 7121AC7140D7C09FD7238B25DC54A52BFB4EF07220F0A84DBD9858F5A3C279A809CB62
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegQueryValueExW.KERNELBASE(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 0146A40C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: QueryValue
                      • String ID:
                      • API String ID: 3660427363-0
                      • Opcode ID: 712eb347707ccbb93285553d0d0e4af42c7754735e9a9c339d3a363a471e6d8e
                      • Instruction ID: 4856eced38036f5405972c24d2004a693435acc03f5b8f831fd727885907a7e3
                      • Opcode Fuzzy Hash: 712eb347707ccbb93285553d0d0e4af42c7754735e9a9c339d3a363a471e6d8e
                      • Instruction Fuzzy Hash: 9C219D716006049FE721CF19CD84FA7B7ECEF04614F18846AE945DB7A2D774E849CA72
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 057A0BEA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: Connect
                      • String ID:
                      • API String ID: 3144859779-0
                      • Opcode ID: 5e5a947aac193d113759db829841413f9a2f2577a0cefaf4acc9b73527d3e06f
                      • Instruction ID: 76a28675e2c2c04f23f119ee3cb54eb9ffd5761c33945b3ceda0a34898b32361
                      • Opcode Fuzzy Hash: 5e5a947aac193d113759db829841413f9a2f2577a0cefaf4acc9b73527d3e06f
                      • Instruction Fuzzy Hash: 2F219271509384AFDB228F55DC44B62FFF4FF46310F0889DAE9858B562D235A818DB61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: FileView
                      • String ID:
                      • API String ID: 3314676101-0
                      • Opcode ID: 86016761df6ee8965da6976c717dd69458ed04f6f6422a1e11d932aa301abd3e
                      • Instruction ID: e0c3c9ac847fe73abedd594fa8a5dac6d98c4e23859f513c6943db315b67530f
                      • Opcode Fuzzy Hash: 86016761df6ee8965da6976c717dd69458ed04f6f6422a1e11d932aa301abd3e
                      • Instruction Fuzzy Hash: 7521C372500204AFE731CF19DD45FA6FBE8EF08324F04896DE9458BA51D775E509CB61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • WSASocketW.WS2_32(?,?,?,?,?), ref: 0146BCCA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: Socket
                      • String ID:
                      • API String ID: 38366605-0
                      • Opcode ID: ce899d42f44fb933eea138d928f0cda9e867856fbc5f36b39542296501882f26
                      • Instruction ID: a49d5c12dfba12ea0d3054f98eb8aca9aacfbde90b8127812117c1eabd50584e
                      • Opcode Fuzzy Hash: ce899d42f44fb933eea138d928f0cda9e867856fbc5f36b39542296501882f26
                      • Instruction Fuzzy Hash: 2121F671500200AFE731DF55DD45B56FBE8EF08324F04886EE9458BB92C775A509CB72
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • setsockopt.WS2_32(?,?,?,?,?), ref: 0146BDA0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: setsockopt
                      • String ID:
                      • API String ID: 3981526788-0
                      • Opcode ID: e8abe74c41c3cd972bc27fac81491168e2c65dbf962e0e14c5ff4e512da2617f
                      • Instruction ID: ae22013f116fd0ce2c06132c9a49896f0429baaf1413dfeb4af929433d91be43
                      • Opcode Fuzzy Hash: e8abe74c41c3cd972bc27fac81491168e2c65dbf962e0e14c5ff4e512da2617f
                      • Instruction Fuzzy Hash: 9F219D715093C09FDB128F65DC44A92BFB4EF17220F0D89DAD9848F5A3C235A959CB62
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LoadLibraryA.KERNELBASE(?,00000E24), ref: 057A105B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 939a5789b48eee9e8b8fde90c90fa4b7a00d545180188f22ffbd57c228a86458
                      • Instruction ID: 59c72dab596a436ed9e3c60678e7f3d546a4e804ecb2ca53001481a8b219b72d
                      • Opcode Fuzzy Hash: 939a5789b48eee9e8b8fde90c90fa4b7a00d545180188f22ffbd57c228a86458
                      • Instruction Fuzzy Hash: C611E4714093806FE721CB15DC85FA6FBB8DF46720F08849AF9449F692C279A948CB61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • FindCloseChangeNotification.KERNELBASE(?), ref: 0146A780
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: ChangeCloseFindNotification
                      • String ID:
                      • API String ID: 2591292051-0
                      • Opcode ID: d332458f0c4b5a607d6ad5785d984a29e91715605d2f2e6afaf309bb62b1e785
                      • Instruction ID: 8641973890f7d06a643664323e0a1635cd45d7fc090619054e38dba35ede2448
                      • Opcode Fuzzy Hash: d332458f0c4b5a607d6ad5785d984a29e91715605d2f2e6afaf309bb62b1e785
                      • Instruction Fuzzy Hash: EA2102B55043809FD702CF15ED85752BFB8EF02324F0984ABEC458B6A3D235A909CB62
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 057A2E85
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: LibraryLoadShim
                      • String ID:
                      • API String ID: 1475914169-0
                      • Opcode ID: 17ea964ec78f7215f37208e8ec14c08ce96f549037aba25ff7ff71fd0a4d4cba
                      • Instruction ID: 06ca8c8f4d165b5cf94d841b54852032e8141e7f1c95a852187397ed5caa387a
                      • Opcode Fuzzy Hash: 17ea964ec78f7215f37208e8ec14c08ce96f549037aba25ff7ff71fd0a4d4cba
                      • Instruction Fuzzy Hash: FB21C3765093809FD7228B15DC44B62BFF8EF46210F09808AED85CB293D265A808DB61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegQueryValueExW.KERNELBASE(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 057A013C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: QueryValue
                      • String ID:
                      • API String ID: 3660427363-0
                      • Opcode ID: 66176b4f674c388cda696a540b15140b5f708e7ebc600e0f6f1bf520650454f5
                      • Instruction ID: 89bf71fa5843203038c7c3e4f09b5b4b50efb792f6a63fab8d2c2a1fcf716fa3
                      • Opcode Fuzzy Hash: 66176b4f674c388cda696a540b15140b5f708e7ebc600e0f6f1bf520650454f5
                      • Instruction Fuzzy Hash: B711DF72500204AFE731CF15CC88FABB7E8EF44710F08C96AE9468AA91D734E809CA71
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegSetValueExW.KERNELBASE(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 0146A4F8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: Value
                      • String ID:
                      • API String ID: 3702945584-0
                      • Opcode ID: 74e0c78167e8ac4d1f5d2999b80b9f34e4107598701b0a11ec9d285609a57d38
                      • Instruction ID: 1042a9f65996a4d8d8db1910b0f9e5fe98b5dd639cb8e8ba9a090d40a78a6ce1
                      • Opcode Fuzzy Hash: 74e0c78167e8ac4d1f5d2999b80b9f34e4107598701b0a11ec9d285609a57d38
                      • Instruction Fuzzy Hash: 0D11B172500700AFEB31CE19DD45FA7BBECEF04618F14846AED459BB91D774E4098A72
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetProcessTimes.KERNELBASE(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 057A0931
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: ProcessTimes
                      • String ID:
                      • API String ID: 1995159646-0
                      • Opcode ID: f3f20ec3e3f69afb90c796f0eab0f48db73a7edabb6b7aa4948b8755e0fd9a0e
                      • Instruction ID: d3c7ce7d9a97ded7a2e839e388782e8c38dbdb7a7f2e8d21b94bd6aab12ab33c
                      • Opcode Fuzzy Hash: f3f20ec3e3f69afb90c796f0eab0f48db73a7edabb6b7aa4948b8755e0fd9a0e
                      • Instruction Fuzzy Hash: FC11D372500200AFEB21CF55DD48FAAB7E8EF44724F04C86AE9458AA51D774A508CBB1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetProcessWorkingSetSize.KERNEL32(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 057A255B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: ProcessSizeWorking
                      • String ID:
                      • API String ID: 3584180929-0
                      • Opcode ID: 677c06a4e0bfe8065cf6eed018f780850fa3f92d7a9ea840b12d80d659d430ef
                      • Instruction ID: a6083bed3927b3e461df1d29bdf60249efe544488a22b051c4e4087705ea2679
                      • Opcode Fuzzy Hash: 677c06a4e0bfe8065cf6eed018f780850fa3f92d7a9ea840b12d80d659d430ef
                      • Instruction Fuzzy Hash: EC11C4765002009FEB21CF59DD45BAAB7E9EF44724F04C8AAE905CBA81D778A5098AB1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetProcessWorkingSetSize.KERNEL32(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 057A263F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: ProcessSizeWorking
                      • String ID:
                      • API String ID: 3584180929-0
                      • Opcode ID: 677c06a4e0bfe8065cf6eed018f780850fa3f92d7a9ea840b12d80d659d430ef
                      • Instruction ID: 3a0f8693b0ea903493caf76e325b9c35cb40c8df52702d311a2df59fe418f08a
                      • Opcode Fuzzy Hash: 677c06a4e0bfe8065cf6eed018f780850fa3f92d7a9ea840b12d80d659d430ef
                      • Instruction Fuzzy Hash: 031108765012009FEB20CF15DD44BA6B7E8EF44314F04C86AED05CBA41D774A5058AB1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • PostMessageW.USER32(?,?,?,?), ref: 057A3B51
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: ea3caf7e0d57fe8f48447f9d0a168312b00a12146514995be063186d89a7500c
                      • Instruction ID: 6e4faed5d5cf78d279fe76c84bd06c4601ead89abfee2c94b75fbcb9a92e385b
                      • Opcode Fuzzy Hash: ea3caf7e0d57fe8f48447f9d0a168312b00a12146514995be063186d89a7500c
                      • Instruction Fuzzy Hash: D6216D7240E3C09FDB238F25DC44A52BFB4EF17210F0985DBE9858F5A3D265A818DB62
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetExitCodeProcess.KERNELBASE(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 057A247C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: CodeExitProcess
                      • String ID:
                      • API String ID: 3861947596-0
                      • Opcode ID: d71706f5b94e7c2117064054c5b103338f0026585be2a997704129133f998332
                      • Instruction ID: 64105b51e98b4d68e5feaba78b55de77e2a15067e1209b04e71bdf2352e97139
                      • Opcode Fuzzy Hash: d71706f5b94e7c2117064054c5b103338f0026585be2a997704129133f998332
                      • Instruction Fuzzy Hash: D3110A765002009FEB20CF29DD45FAAB7D8EF44724F04C47AED45CB681D778A9048BB1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 057A0082
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: ComputerName
                      • String ID:
                      • API String ID: 3545744682-0
                      • Opcode ID: 6d2e482f9524e289318fb814da827aa023073ff4ca391677b4186e58548d7bae
                      • Instruction ID: e70bcb80a1b3987972be8465f509f6e567e0aa8521775aa5a07e936e137f9827
                      • Opcode Fuzzy Hash: 6d2e482f9524e289318fb814da827aa023073ff4ca391677b4186e58548d7bae
                      • Instruction Fuzzy Hash: C511E7715053406FD311CB15DC41F72BFF8EF86620F09819AEC489BA42D275B915CBB1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0146AC6E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 8e7066771cdbed0e63a42cb38b1e104bf98bf400f0390c12b4b9353d32400705
                      • Instruction ID: 20fecd00484dbe9ff0d121db9c315de1384e56b645d1d80b67ddde0610d57da2
                      • Opcode Fuzzy Hash: 8e7066771cdbed0e63a42cb38b1e104bf98bf400f0390c12b4b9353d32400705
                      • Instruction Fuzzy Hash: 4F11B471409780AFDB228F55DC44B62FFF8EF4A310F0888DAED858B663C235A418DB61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • ReadFile.KERNELBASE(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 0146BA55
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_146a000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: FileRead
                      • String ID:
                      • API String ID: 2738559852-0
                      • Opcode ID: e5d2abaf60e2e48bdb33f50c22fbd2249d7c8bc868967bbf65e817b967e218ba
                      • Instruction ID: b06571de21943b7ea65e0c2fd7cf584518a0b8e48cb5c0ffbba11ddd7ce96a96
                      • Opcode Fuzzy Hash: e5d2abaf60e2e48bdb33f50c22fbd2249d7c8bc868967bbf65e817b967e218ba
                      • Instruction Fuzzy Hash: 0011B271500300AFEB21CF55DD44BAAFBE8EF04715F04886AE9458AA51C779A5098BB2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • ioctlsocket.WS2_32(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 057A1FD3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: ioctlsocket
                      • String ID:
                      • API String ID: 3577187118-0
                      • Opcode ID: 36184e939c96ae5c76f70babdb15d45aac958a042466d3907df38e46c2e3d687
                      • Instruction ID: 1762d9a13f05c6d88decf22ea20b19631651d4d13fa8686a37fc2ec08e980aa4
                      • Opcode Fuzzy Hash: 36184e939c96ae5c76f70babdb15d45aac958a042466d3907df38e46c2e3d687
                      • Instruction Fuzzy Hash: 7F11E372501200AFEB21DF55DD44FAAF7E8EF44724F04C86AE9058B681D778A508CAB1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • shutdown.WS2_32(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 057A0660
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: shutdown
                      • String ID:
                      • API String ID: 2510479042-0
                      • Opcode ID: 363de84930d80c20ccd570547d668a675edb9e4f2482fbdcd1af071b0684cd18
                      • Instruction ID: 74a1a1b50ac30ae59ef41486e127e60e15f11be851feb7ad0a7960da95366a14
                      • Opcode Fuzzy Hash: 363de84930d80c20ccd570547d668a675edb9e4f2482fbdcd1af071b0684cd18
                      • Instruction Fuzzy Hash: 0311E972500204AFEB21CF15DD48FA6F7E8EF84728F04C8A6ED44DF641D778A5098AB1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegDeleteKeyW.ADVAPI32(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 057A381C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: Delete
                      • String ID:
                      • API String ID: 1035893169-0
                      • Opcode ID: 1c39ac587451db885a3e41323bf8cb23394e9c58aaf6640f4f12358056c31600
                      • Instruction ID: a5064e0f5a732a352487011b55e0d749c8c152a3d311cedf50a35d54877bac63
                      • Opcode Fuzzy Hash: 1c39ac587451db885a3e41323bf8cb23394e9c58aaf6640f4f12358056c31600
                      • Instruction Fuzzy Hash: 9A11C272500200AFE721CF05DD85FA6F7E8EF44624F08C9AAED059BA81D678E408CAB1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • PostMessageW.USER32(?,?,?,?), ref: 057A3CB5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: 384846b899176f70a8fc7dc8b6064ca7cc0e1cb8a77baded3a8d97f5e00b8d4e
                      • Instruction ID: 82fd6add12db1bf0ff9adb2b3d00748fc1fef25d9f665dd1fe2f154b3041e413
                      • Opcode Fuzzy Hash: 384846b899176f70a8fc7dc8b6064ca7cc0e1cb8a77baded3a8d97f5e00b8d4e
                      • Instruction Fuzzy Hash: 001127765097809FDB228F11DC44B52FFB4FF16220F0885DEED858B6A3C275A818DB61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LoadLibraryA.KERNELBASE(?,00000E24), ref: 057A105B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_57a0000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 04348aae64cecfeddc0e8b0d656b566deb45ad7b64554fbb3b760c751cb13147
                      • Instruction ID: 985cec094f04e9feb034eba51e9f8f8d9259387a335b4b8625ba80b46b632b87
                      • Opcode Fuzzy Hash: 04348aae64cecfeddc0e8b0d656b566deb45ad7b64554fbb3b760c751cb13147
                      • Instruction Fuzzy Hash: 19112532500240AEF730DB15DD41FB6F7A8DF44724F04C4AAED044EB81C3B9A908CAA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetErrorMode.KERNELBASE(?), ref: 0146A30C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Similarity
                      • API ID: ErrorMode

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Similarity
                      • API ID: select

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Similarity
                      • API ID: Initialize

                      APIs
                      • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 057A2172
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Similarity
                      • API ID: LookupPrivilegeValue

                      APIs
                      • GetFileType.KERNELBASE(?,00000E24,39754F38,00000000,00000000,00000000,00000000), ref: 0146B789
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Similarity
                      • API ID: FileType

                      APIs
                      • WaitForInputIdle.USER32(?,?), ref: 057A39FF
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Similarity
                      • API ID: IdleInputWait

                      APIs
                      • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 057A0BEA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Similarity
                      • API ID: Connect

                      APIs
                      • GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 057A0DB6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Similarity
                      • API ID: InformationVolume

                      APIs
                      • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 057A2E85
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Similarity
                      • API ID: LibraryLoadShim

                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0146AC6E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Similarity
                      • API ID: DuplicateHandle

                      APIs
                      • GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 057A0082
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Similarity
                      • API ID: ComputerName

                      APIs
                      • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0146BC12
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Similarity
                      • API ID: QueryValue

                      APIs
                      • FindCloseChangeNotification.KERNELBASE(?), ref: 0146A780
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Similarity
                      • API ID: ChangeCloseFindNotification

                      APIs
                      • setsockopt.WS2_32(?,?,?,?,?), ref: 0146BDA0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Similarity
                      • API ID: setsockopt

                      APIs
                      • PostMessageW.USER32(?,?,?,?), ref: 057A3CB5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Similarity
                      • API ID: MessagePost

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Similarity
                      • API ID: send

                      APIs
                      • WaitForInputIdle.USER32(?,?), ref: 057A39FF
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Similarity
                      • API ID: IdleInputWait

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Similarity
                      • API ID: Initialize

                      APIs
                      • PostMessageW.USER32(?,?,?,?), ref: 057A3B51
                      Memory Dump Source
                      • Source File: 00000000.00000002.2251395214.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                      Similarity
                      • API ID: MessagePost

                      APIs
                      • SetErrorMode.KERNELBASE(?), ref: 0146A30C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2250219860.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                      Similarity
                      • API ID: ErrorMode

                      • Instruction ID: 8bd006af25398d1cd93adb03afbf10c5434d85c41708beae788eb881786d8e6a
                      • Opcode Fuzzy Hash: 13851f62cae25d8c8f4082eadf93af384b8ff6a6455b60801c408bdd74c48dae
                      • Instruction Fuzzy Hash: 2FD02B752006D04FE3128A0CC258F963BE86F41708F0604FA9800CB773C778D580C101
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.2250204915.0000000001462000.00000040.00000800.00020000.00000000.sdmp, Offset: 01462000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1462000_x7RZVIWaDKb5.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c75bf6bbad7897c4dea4b7b45fea1f2e119187969d0bc49ccea436ad21c5c2cb
                      • Instruction ID: 82ab0bf299916d0cc426835a9a3544eb5d099c96c3fe198742e930bb1384733f
                      • Opcode Fuzzy Hash: c75bf6bbad7897c4dea4b7b45fea1f2e119187969d0bc49ccea436ad21c5c2cb
                      • Instruction Fuzzy Hash: 0FD05E342002814BD725DB1CC2D4F5A7BD8AB40718F0648EAAC108B772C7B4D8C0DA01
                      Uniqueness

                      Uniqueness Score: -1.00%