Edit tour

Windows Analysis Report
xuI8pQHlxExL.exe

Overview

General Information

Sample name:	xuI8pQHlxExL.exe
Analysis ID:	1429847
MD5:	ed064734a0bf02c905e63d64a495364b
SHA1:	b5c8e93ccd6aa3457f9727ed319384ba97c9ac71
SHA256:	544a4d7177ed4b85a9c9807fa396e07e3243e2e6c4ce2b0fe0f908d6ee37bdc9
Tags:	exenjRat
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Snort IDS alert for network traffic

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Self deletion via cmd or bat file

Uses dynamic DNS services

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

xuI8pQHlxExL.exe (PID: 7096 cmdline: "C:\Users\user\Desktop\xuI8pQHlxExL.exe" MD5: ED064734A0BF02C905E63D64A495364B)

cmd.exe (PID: 4488 cmdline: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xuI8pQHlxExL.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "resilencia2023.duckdns.org", "Port": "2009", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "8abd92e56969"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
xuI8pQHlxExL.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1653940468.00000000009C2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.2477580512.0000000003021000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: xuI8pQHlxExL.exe PID: 7096	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.xuI8pQHlxExL.exe.9c0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP) - Source IP: 192.168.2.4 - Destination IP: 179.14.8.182

Timestamp:	04/22/24-19:06:15.002589
SID:	2825565
Source Port:	49730
Destination Port:	2009
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 179.14.8.182

Timestamp:	04/22/24-19:06:09.223118
SID:	2825564
Source Port:	49730
Destination Port:	2009
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 179.14.8.182

Timestamp:	04/22/24-19:06:05.495111
SID:	2825563
Source Port:	49730
Destination Port:	2009
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 179.14.8.182

Timestamp:	04/22/24-19:06:05.253890
SID:	2033132
Source Port:	49730
Destination Port:	2009
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP) - Source IP: 192.168.2.4 - Destination IP: 179.14.8.182

Timestamp:	04/22/24-19:07:00.449324
SID:	2825565
Source Port:	49737
Destination Port:	2009
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 179.14.8.182

Timestamp:	04/22/24-19:06:56.900357
SID:	2825564
Source Port:	49737
Destination Port:	2009
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 179.14.8.182

Timestamp:	04/22/24-19:06:34.186569
SID:	2825563
Source Port:	49737
Destination Port:	2009
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 179.14.8.182

Timestamp:	04/22/24-19:06:33.952521
SID:	2033132
Source Port:	49737
Destination Port:	2009
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 179.14.8.182

Timestamp:	04/22/24-19:07:07.929032
SID:	2033132
Source Port:	49739
Destination Port:	2009
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP) - Source IP: 192.168.2.4 - Destination IP: 179.14.8.182

Timestamp:	04/22/24-19:06:30.056799
SID:	2825565
Source Port:	49736
Destination Port:	2009
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 179.14.8.182

Timestamp:	04/22/24-19:06:25.711913
SID:	2825564
Source Port:	49736
Destination Port:	2009
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 179.14.8.182

Timestamp:	04/22/24-19:06:22.749074
SID:	2825563
Source Port:	49736
Destination Port:	2009
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 179.14.8.182

Timestamp:	04/22/24-19:06:22.528207
SID:	2033132
Source Port:	49736
Destination Port:	2009
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 179.14.8.182

Timestamp:	04/22/24-19:07:17.873841
SID:	2825564
Source Port:	49739
Destination Port:	2009
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: xuI8pQHlxExL.exe

Avira: detected

Found malware configuration

Source: 00000000.00000000.1653940468.00000000009C2000.00000002.00000001.01000000.00000003.sdmp

Malware Configuration Extractor: Njrat {"Host": "resilencia2023.duckdns.org", "Port": "2009", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "8abd92e56969"}

Yara detected Njrat

Source: Yara match	File source: xuI8pQHlxExL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xuI8pQHlxExL.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1653940468.00000000009C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2477580512.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xuI8pQHlxExL.exe PID: 7096, type: MEMORYSTR

Machine Learning detection for sample

Source: xuI8pQHlxExL.exe

Joe Sandbox ML: detected

Source: xuI8pQHlxExL.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: xuI8pQHlxExL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49730 -> 179.14.8.182:2009
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49730 -> 179.14.8.182:2009
Source: Traffic	Snort IDS: 2825565 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP) 192.168.2.4:49730 -> 179.14.8.182:2009
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49730 -> 179.14.8.182:2009
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49736 -> 179.14.8.182:2009
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49736 -> 179.14.8.182:2009
Source: Traffic	Snort IDS: 2825565 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP) 192.168.2.4:49736 -> 179.14.8.182:2009
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49736 -> 179.14.8.182:2009
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49737 -> 179.14.8.182:2009
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49737 -> 179.14.8.182:2009
Source: Traffic	Snort IDS: 2825565 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP) 192.168.2.4:49737 -> 179.14.8.182:2009
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49737 -> 179.14.8.182:2009
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49739 -> 179.14.8.182:2009
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49739 -> 179.14.8.182:2009

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: resilencia2023.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: resilencia2023.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 179.14.8.182:2009

Source: Joe Sandbox View

ASN Name: ColombiaMovilCO ColombiaMovilCO

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: resilencia2023.duckdns.org

Source: xuI8pQHlxExL.exe, 00000000.00000002.2476333254.0000000000F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: xuI8pQHlxExL.exe, 00000000.00000002.2476333254.0000000000F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.LinkId=42127

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: xuI8pQHlxExL.exe, Keylogger.cs

.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: xuI8pQHlxExL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xuI8pQHlxExL.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1653940468.00000000009C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2477580512.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xuI8pQHlxExL.exe PID: 7096, type: MEMORYSTR

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe

Code function: 0_2_05171930

0_2_05171930

Source: xuI8pQHlxExL.exe, 00000000.00000000.1653958739.00000000009C8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient22.exe4 vs xuI8pQHlxExL.exe
Source: xuI8pQHlxExL.exe, 00000000.00000002.2476333254.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs xuI8pQHlxExL.exe
Source: xuI8pQHlxExL.exe	Binary or memory string: OriginalFilenameClient22.exe4 vs xuI8pQHlxExL.exe

Source: xuI8pQHlxExL.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/1@3/1

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Code function: 0_2_052C339E AdjustTokenPrivileges,		0_2_052C339E
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Code function: 0_2_052C3367 AdjustTokenPrivileges,		0_2_052C3367

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\xuI8pQHlxExL.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5296:120:WilError_03
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Mutant created: \Sessions\1\BaseNamedObjects\8abd92e56969

Source: xuI8pQHlxExL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: xuI8pQHlxExL.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xuI8pQHlxExL.exe "C:\Users\user\Desktop\xuI8pQHlxExL.exe"
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xuI8pQHlxExL.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xuI8pQHlxExL.exe"	Jump to behavior

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: xuI8pQHlxExL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: xuI8pQHlxExL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: xuI8pQHlxExL.exe, Program.cs

.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Code function: 0_2_0577076B push 69E6C310h; ret	0_2_05770782
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Code function: 0_2_057709B8 push 69E6C3B0h; ret	0_2_057709CE
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Code function: 0_2_05770890 push 69E6C360h; ret	0_2_057708A6

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process created: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xuI8pQHlxExL.exe"
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process created: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xuI8pQHlxExL.exe"			Jump to behavior

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Memory allocated: 1360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Memory allocated: 3020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Memory allocated: 1360000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Window / User API: threadDelayed 3650	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Window / User API: threadDelayed 5234	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Window / User API: foregroundWindowGot 1761	Jump to behavior

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe TID: 7100	Thread sleep time: -196000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe TID: 7100	Thread sleep time: -5234000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: xuI8pQHlxExL.exe, 00000000.00000002.2476333254.0000000000F11000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: xuI8pQHlxExL.exe, Program.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, cbName, ref lpszVer, 100)
Source: xuI8pQHlxExL.exe, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: xuI8pQHlxExL.exe, Keylogger.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)

Source: xuI8pQHlxExL.exe, 00000000.00000002.2477580512.000000000358A000.00000004.00000800.00020000.00000000.sdmp, xuI8pQHlxExL.exe, 00000000.00000002.2477580512.0000000003590000.00000004.00000800.00020000.00000000.sdmp, xuI8pQHlxExL.exe, 00000000.00000002.2477580512.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: xuI8pQHlxExL.exe, 00000000.00000002.2477580512.0000000003590000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerX
Source: xuI8pQHlxExL.exe, 00000000.00000002.2477580512.000000000358A000.00000004.00000800.00020000.00000000.sdmp, xuI8pQHlxExL.exe, 00000000.00000002.2477580512.0000000003590000.00000004.00000800.00020000.00000000.sdmp, xuI8pQHlxExL.exe, 00000000.00000002.2477580512.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\xuI8pQHlxExL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: xuI8pQHlxExL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xuI8pQHlxExL.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1653940468.00000000009C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2477580512.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xuI8pQHlxExL.exe PID: 7096, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: xuI8pQHlxExL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xuI8pQHlxExL.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1653940468.00000000009C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2477580512.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xuI8pQHlxExL.exe PID: 7096, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Process Injection	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	21 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Process Injection	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
xuI8pQHlxExL.exe	100%	Avira	TR/Dropper.Gen7
xuI8pQHlxExL.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://go.microsoft.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
resilencia2023.duckdns.org	179.14.8.182	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
resilencia2023.duckdns.org	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.microsoft.	xuI8pQHlxExL.exe, 00000000.00000002.2476333254.0000000000F11000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://go.microsoft.LinkId=42127	xuI8pQHlxExL.exe, 00000000.00000002.2476333254.0000000000F11000.00000004.00000020.00020000.00000000.sdmp	false		low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
179.14.8.182	resilencia2023.duckdns.org	Colombia		27831	ColombiaMovilCO	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429847
Start date and time:	2024-04-22 19:05:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xuI8pQHlxExL.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/1@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 95 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: xuI8pQHlxExL.exe

Simulations

Behavior and APIs

Time	Type	Description
19:06:33	API Interceptor	80221x Sleep call for process: xuI8pQHlxExL.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
179.14.8.182	xqA8bBVh2QxU.exe	Get hash	malicious	Njrat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
resilencia2023.duckdns.org	xqA8bBVh2QxU.exe	Get hash	malicious	Njrat	Browse	179.14.8.182
	bPdP.exe	Get hash	malicious	Njrat	Browse	181.52.102.110
	bKIJ.exe	Get hash	malicious	Njrat	Browse	181.141.1.67
	bJ5p.exe	Get hash	malicious	Njrat	Browse	181.141.1.67

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ColombiaMovilCO	YKLjlQEZKY.elf	Get hash	malicious	Mirai	Browse	179.13.242.211
	CxBkzmVHaR.elf	Get hash	malicious	Mirai	Browse	181.204.131.151
	jdsfl.arm.elf	Get hash	malicious	Mirai	Browse	191.92.238.135
	jdsfl.x86.elf	Get hash	malicious	Mirai	Browse	181.204.131.163
	dI3tFWyJ6d.elf	Get hash	malicious	Mirai	Browse	177.254.72.247
	aQvU3QHA3N.elf	Get hash	malicious	Unknown	Browse	179.13.85.216
	xPvEDYX7g1YE.exe	Get hash	malicious	AsyncRAT	Browse	179.13.0.175
	xmo4WvZPV3Q0.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	179.13.0.175
	xXQ39a5f9EJP.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	179.13.0.175
	6VXQ3TUNZo.elf	Get hash	malicious	Mirai	Browse	181.207.246.71

Process:	C:\Users\user\Desktop\xuI8pQHlxExL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	907
Entropy (8bit):	5.243019596074263
Encrypted:	false
SSDEEP:	24:MLF2CpI329Iz52VMzffup26KTnKoO2+b2hHAa/:MwQd9IzoaXuY6Ux+SF/
MD5:	48A0572426885EBDE53CA62C7F2E194E
SHA1:	035628CDF6276367F6C83E9F4AA2172933850AA8
SHA-256:	4C68E10691304CAC8DA65A05CF2580728EC0E294104F267840712AF1C46A6538
SHA-512:	DEFE728C2312918D94BD43C98908C08CCCA5EBFB77F873779DCA784F14C607B33A4E29AC5ECB798F2F741668B7692F72BCB60DEFD536EA86B296B64FA359C42D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\53992d421e2c7ecf6609c62b3510a6f0\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\74774597e319a738b792e6a6c06d3559\System.Xml.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\1bd56c432cb9ff27e335d97f404caf8f\System.Management.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.8035401193939826
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	xuI8pQHlxExL.exe
File size:	32'768 bytes
MD5:	ed064734a0bf02c905e63d64a495364b
SHA1:	b5c8e93ccd6aa3457f9727ed319384ba97c9ac71
SHA256:	544a4d7177ed4b85a9c9807fa396e07e3243e2e6c4ce2b0fe0f908d6ee37bdc9
SHA512:	ea54436dec688d075b3d095fb3ea79cce1cd4bb2cb4c7d243517d819a46f8b51b812f16bf982af1db9eeb5816e8ed8578c70e1c3aabcdf50818fe8aedff8776f
SSDEEP:	384:f0bUe5XB4e0XeOhJggUBZIGlWT1tTUFQqzFVkObbR:UT9Bu9zggUBZI567bR
TLSH:	AAE2080A7BA58215C6BC5AFC8CB313200772E3478532EB6F5CDC88CA4B676D44645EED
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#.&f.................P... ......~g... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40677e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66268F23 [Mon Apr 22 16:24:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6728	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x2a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4784	0x5000	4fa3424137a466c469de4a76d0bd8119	False	0.47548828125	data	5.293800246831452	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x2a8	0x1000	06f784705978c77c74b103740d210ee3	False	0.07763671875	data	0.6775791141051085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x1000	6c4dd48bf3226f24c0a279b97a87449d	False	0.008544921875	data	0.013126943721219527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8058	0x24c	data			0.46598639455782315

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/22/24-19:06:15.002589	TCP	2825565	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP)	49730	2009	192.168.2.4	179.14.8.182
04/22/24-19:06:09.223118	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49730	2009	192.168.2.4	179.14.8.182
04/22/24-19:06:05.495111	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49730	2009	192.168.2.4	179.14.8.182
04/22/24-19:06:05.253890	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49730	2009	192.168.2.4	179.14.8.182
04/22/24-19:07:00.449324	TCP	2825565	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP)	49737	2009	192.168.2.4	179.14.8.182
04/22/24-19:06:56.900357	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49737	2009	192.168.2.4	179.14.8.182
04/22/24-19:06:34.186569	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49737	2009	192.168.2.4	179.14.8.182
04/22/24-19:06:33.952521	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49737	2009	192.168.2.4	179.14.8.182
04/22/24-19:07:07.929032	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49739	2009	192.168.2.4	179.14.8.182
04/22/24-19:06:30.056799	TCP	2825565	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP)	49736	2009	192.168.2.4	179.14.8.182
04/22/24-19:06:25.711913	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49736	2009	192.168.2.4	179.14.8.182
04/22/24-19:06:22.749074	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49736	2009	192.168.2.4	179.14.8.182
04/22/24-19:06:22.528207	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49736	2009	192.168.2.4	179.14.8.182
04/22/24-19:07:17.873841	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49739	2009	192.168.2.4	179.14.8.182

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 22, 2024 19:06:04.930475950 CEST	49730	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:05.118997097 CEST	2009	49730	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:05.119340897 CEST	49730	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:05.253890038 CEST	49730	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:05.494960070 CEST	2009	49730	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:05.495110989 CEST	49730	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:05.731220007 CEST	2009	49730	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:05.873019934 CEST	2009	49730	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:05.914608002 CEST	49730	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:05.975680113 CEST	49730	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:06.206933975 CEST	2009	49730	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:08.906900883 CEST	2009	49730	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:08.961483955 CEST	49730	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:08.991170883 CEST	49730	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:09.222949982 CEST	2009	49730	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:09.223118067 CEST	49730	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:09.457201004 CEST	2009	49730	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:11.318907022 CEST	2009	49730	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:11.319550037 CEST	49730	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:11.553014994 CEST	2009	49730	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:11.928942919 CEST	2009	49730	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:11.977241039 CEST	49730	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:12.580398083 CEST	49730	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:12.813113928 CEST	2009	49730	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:14.964776993 CEST	2009	49730	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:15.002588987 CEST	49730	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:15.248832941 CEST	2009	49730	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:20.334891081 CEST	2009	49730	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:20.334959030 CEST	49730	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:22.338447094 CEST	49730	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:22.340182066 CEST	49736	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:22.518731117 CEST	2009	49736	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:22.518815041 CEST	49736	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:22.526794910 CEST	2009	49730	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:22.528207064 CEST	49736	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:22.748879910 CEST	2009	49736	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:22.749073982 CEST	49736	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:22.964945078 CEST	2009	49736	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:23.040847063 CEST	2009	49736	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:23.102132082 CEST	49736	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:23.103790998 CEST	49736	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:23.318680048 CEST	2009	49736	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:25.711913109 CEST	49736	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:25.936713934 CEST	2009	49736	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:26.066813946 CEST	2009	49736	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:26.117809057 CEST	49736	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:26.128598928 CEST	49736	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:26.342717886 CEST	2009	49736	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:28.864710093 CEST	2009	49736	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:28.914730072 CEST	49736	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:29.094758034 CEST	2009	49736	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:29.149101973 CEST	49736	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:29.838649988 CEST	49736	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:30.056720018 CEST	2009	49736	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:30.056798935 CEST	49736	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:30.278786898 CEST	2009	49736	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:31.728713036 CEST	2009	49736	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:33.745614052 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:33.938525915 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:33.938854933 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:33.952521086 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:34.186455965 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:34.186568975 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:34.424490929 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:35.146462917 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:35.195990086 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:35.250015020 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:35.480408907 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:38.184808969 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:38.217813969 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:38.444734097 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:40.124571085 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:40.125027895 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:40.358587027 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:50.290874958 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:50.336694956 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:50.368941069 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:50.600929022 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:54.334129095 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:54.383471012 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:54.427655935 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:54.666773081 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:54.666922092 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:54.898799896 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:56.900357008 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:57.130390882 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:57.362998009 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:57.414819956 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:57.418292046 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:57.656879902 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:58.162764072 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:06:58.163341999 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:06:58.400791883 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:00.397083044 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:00.445964098 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:00.449323893 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:00.686681032 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:04.170533895 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:04.170777082 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:07.088913918 CEST	49737	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:07.282749891 CEST	2009	49737	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:07.730252981 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:07.909965992 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:07.910068035 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:07.929032087 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:08.121830940 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:08.155158997 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:08.155226946 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:08.299022913 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:08.299235106 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:08.373229980 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:08.373317957 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:08.523318052 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:08.523479939 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:08.597162008 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:08.597291946 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:08.753245115 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:08.753968000 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:08.817195892 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:08.817971945 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:08.969130993 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:08.969862938 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:09.048351049 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:09.049843073 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:09.187309980 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:09.187436104 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:09.281486988 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:09.281877041 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:09.405311108 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:09.405857086 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:09.499126911 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:09.501851082 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:09.625135899 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:09.625860929 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:09.718982935 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:09.719131947 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:09.843153954 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:09.843246937 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:09.933238983 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:09.933350086 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:10.065447092 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:10.065834999 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:10.159194946 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:10.159288883 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:10.285259962 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:10.285378933 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:10.381061077 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:10.381210089 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:10.507205009 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:10.507442951 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:10.607229948 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:10.607439041 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:10.731347084 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:10.731451988 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:10.821281910 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:10.821397066 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:10.977164984 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:10.977289915 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:11.047120094 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:11.047224998 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:11.205178976 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:11.205296040 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:11.267106056 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:11.267170906 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:11.441165924 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:11.441278934 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:11.489109039 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:11.489295959 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:11.663216114 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:11.663378000 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:11.707333088 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:11.707406044 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:11.883141041 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:11.883244038 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:12.107413054 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:12.107534885 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:12.319303036 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:12.329436064 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:12.485876083 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:12.485972881 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:12.499030113 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:12.499124050 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:12.583023071 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:12.671241999 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:12.673858881 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:12.763142109 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:12.765913010 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:12.907166958 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:12.907272100 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:12.985209942 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:12.985927105 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:13.123110056 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:13.123209953 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:13.201251030 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:13.203433037 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:13.367394924 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:13.369940042 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:13.421154022 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:13.421864986 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:13.595048904 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:13.595175982 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:13.656960964 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:13.657052040 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:13.817409992 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:13.817523956 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:13.891113043 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:13.891289949 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:14.033111095 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:14.033560038 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:14.096941948 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:14.097184896 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:14.252976894 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:14.253278971 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:14.314949036 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:14.315191984 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:14.471004009 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:14.471132040 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:14.533665895 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:14.533852100 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:14.688909054 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:14.691795111 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:14.752909899 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:14.753869057 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:14.867292881 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:14.868005991 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:14.969120979 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:14.969284058 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:15.085042953 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:15.085165024 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:15.195019007 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:15.195111990 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:15.301193953 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:15.305629969 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:15.422296047 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:15.425878048 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:15.525186062 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:15.525310040 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:15.653078079 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:15.653176069 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:15.745018959 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:15.745106936 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:15.869168997 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:15.869342089 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:15.960994959 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:15.961287022 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:16.087131977 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:16.087404966 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:16.182760000 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:16.182873011 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:16.305005074 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:16.305226088 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:16.400881052 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:16.401082993 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:16.536844969 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:16.536995888 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:16.620942116 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:16.621202946 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:16.758898973 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:16.759104013 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:16.843013048 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:16.843251944 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:16.984941959 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:16.985025883 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:17.060892105 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:17.061038017 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:17.205131054 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:17.205249071 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:17.282845020 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:17.282933950 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:17.422972918 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:17.423091888 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:17.500941992 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:17.501050949 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:17.645083904 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:17.645462036 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:17.720989943 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:17.721875906 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:17.862916946 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:17.865988970 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:17.872910976 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:17.873841047 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:17.910923958 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:17.912424088 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:17.930804014 CEST	49739	2009	192.168.2.4	179.14.8.182
Apr 22, 2024 19:07:18.048923969 CEST	2009	49739	179.14.8.182	192.168.2.4
Apr 22, 2024 19:07:18.048994064 CEST	49739	2009	192.168.2.4	179.14.8.182

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 22, 2024 19:06:03.066065073 CEST	51961	53	192.168.2.4	1.1.1.1
Apr 22, 2024 19:06:04.102905989 CEST	51961	53	192.168.2.4	1.1.1.1
Apr 22, 2024 19:06:04.926836014 CEST	53	51961	1.1.1.1	192.168.2.4
Apr 22, 2024 19:06:04.926897049 CEST	53	51961	1.1.1.1	192.168.2.4
Apr 22, 2024 19:07:07.090286970 CEST	57871	53	192.168.2.4	1.1.1.1
Apr 22, 2024 19:07:07.729243994 CEST	53	57871	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 22, 2024 19:06:03.066065073 CEST	192.168.2.4	1.1.1.1	0x8d95	Standard query (0)	resilencia2023.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 22, 2024 19:06:04.102905989 CEST	192.168.2.4	1.1.1.1	0x8d95	Standard query (0)	resilencia2023.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 22, 2024 19:07:07.090286970 CEST	192.168.2.4	1.1.1.1	0x1434	Standard query (0)	resilencia2023.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 22, 2024 19:06:04.926836014 CEST	1.1.1.1	192.168.2.4	0x8d95	No error (0)	resilencia2023.duckdns.org	179.14.8.182	A (IP address)	IN (0x0001)	false
Apr 22, 2024 19:06:04.926897049 CEST	1.1.1.1	192.168.2.4	0x8d95	No error (0)	resilencia2023.duckdns.org	179.14.8.182	A (IP address)	IN (0x0001)	false
Apr 22, 2024 19:07:07.729243994 CEST	1.1.1.1	192.168.2.4	0x1434	No error (0)	resilencia2023.duckdns.org	179.14.8.182	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	19:05:54
Start date:	22/04/2024
Path:	C:\Users\user\Desktop\xuI8pQHlxExL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xuI8pQHlxExL.exe"
Imagebase:	0x9c0000
File size:	32'768 bytes
MD5 hash:	ED064734A0BF02C905E63D64A495364B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1653940468.00000000009C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.2477580512.0000000003021000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:07:17
Start date:	22/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xuI8pQHlxExL.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:07:17
Start date:	22/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17%
Dynamic/Decrypted Code Coverage:	85.4%
Signature Coverage:	2%
Total number of Nodes:	151
Total number of Limit Nodes:	8

Executed Functions

Function 05171930 Relevance: 3.9, Strings: 2, Instructions: 1396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 051725EA
, xrefs: 051725E0

Memory Dump Source

Source File: 00000000.00000002.2479621151.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5170000_xuI8pQHlxExL.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: a28827373a1b5ce52b60033a73094638dee8d032b31c090824b425eb0775c685
Instruction ID: 76d72baf9bab959e47ca4879714bf5f4a19397efec40678cd3ca04e75ae5de1b
Opcode Fuzzy Hash: a28827373a1b5ce52b60033a73094638dee8d032b31c090824b425eb0775c685
Instruction Fuzzy Hash: 16C26B34B002149FCB24DF78C954BADB7B3BB88304F1184A9D919AB7A1DF399D85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 052C3367 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 052C33E7

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 422008da6024f8538dcfe5c40114f2e3333d6f51768be6c604ec6802303aa762
Instruction ID: 893ae2d816d0fa8fa43df8252d1586c58fb7fbed6b76e1c25757aa0bfdfc2cd0
Opcode Fuzzy Hash: 422008da6024f8538dcfe5c40114f2e3333d6f51768be6c604ec6802303aa762
Instruction Fuzzy Hash: 6721BF765093809FDB22CF25DC40B62BFF4FF16310F0889DAE9858B563D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 052C339E Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 052C33E7

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 51a7209c39cc13b902301826e07ee1aa3f158b29ae3dd778a876da3502480b56
Instruction ID: 3e647c3bff6fc9610dc8c0d506903a400bf62471a2c58e322f324e2cfbbed77e
Opcode Fuzzy Hash: 51a7209c39cc13b902301826e07ee1aa3f158b29ae3dd778a876da3502480b56
Instruction Fuzzy Hash: B2119E316102009FDB21CF15D984B66FFE4FF04220F08C9AEED4A8BA52D775E418CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 051703F8 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 0517041F

Memory Dump Source

Source File: 00000000.00000002.2479621151.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5170000_xuI8pQHlxExL.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0f1892f9b78ef80ab93717fcbc69cdc5f9c4e0e43cf5f092a545df5df4f6a52c
Instruction ID: 733afd976f7b2c99d736bcbfef9daed9c29e47d1a9a19dc17585ba2b442c0e03
Opcode Fuzzy Hash: 0f1892f9b78ef80ab93717fcbc69cdc5f9c4e0e43cf5f092a545df5df4f6a52c
Instruction Fuzzy Hash: 12314C71A002048FCB24DF78D98859DB7F2EF88214B6485B9D809EB35ADB39DD45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010BB5DE Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 010BB69D

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7a08035f898b87a1320b127d9df494f64f0f4e3bb3aba07bc99929ca36d8e5eb
Instruction ID: c7f8c662557e3a6b9c3ab9bde69e79235f8ef86f558367763f2f4bd6b0e315cb
Opcode Fuzzy Hash: 7a08035f898b87a1320b127d9df494f64f0f4e3bb3aba07bc99929ca36d8e5eb
Instruction Fuzzy Hash: 8131A571505380AFE722CF65DD44BA2BFF8EF0A314F08889AE9848B652D375E909D771

Uniqueness

Uniqueness Score: -1.00%

Function 051703E8 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 0517041F

Memory Dump Source

Source File: 00000000.00000002.2479621151.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5170000_xuI8pQHlxExL.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e30709ec1d0bbf750772b546529708e68d2f87e760ed71ee4c215068f4da4e7a
Instruction ID: 3fcceb534150b990fe6f610fcd81f5c17ddc272f266fad311b2d5f0ae203925d
Opcode Fuzzy Hash: e30709ec1d0bbf750772b546529708e68d2f87e760ed71ee4c215068f4da4e7a
Instruction Fuzzy Hash: 8C313271A002058FCB14DF78C99859EB7F6EF88204F5484A9D809EB359DB39DD41CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 052C202E Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 052C20F5

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6459b309b8ac20a9a0fb0f09c86743b2564508d45d55101c0fd5b68ca0cde6fa
Instruction ID: 219e0a5ee71fa0e4c2189fc343618b7bc199ea4e27cc8182a3481d7fb3a128ff
Opcode Fuzzy Hash: 6459b309b8ac20a9a0fb0f09c86743b2564508d45d55101c0fd5b68ca0cde6fa
Instruction Fuzzy Hash: 85318F76504344AFE722CB65CC44FA7BFFCFF15210F08859AE9898B662D724E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010BBB4B Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 010BBC12

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 98bf0cd66defb3a7f9d391bc92082584ec8bcaab6ba8300051a4e6f897565d43
Instruction ID: de2fb57fac870b16dfb441a8cf57d830cba824be9306e1a62ac410164d9f84f9
Opcode Fuzzy Hash: 98bf0cd66defb3a7f9d391bc92082584ec8bcaab6ba8300051a4e6f897565d43
Instruction Fuzzy Hash: 7F317C6510E7C0AFD3138B258C61A61BFB4EF47610F0E45DBD8C48F6A3D269A909D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 010BA7C7 Relevance: 1.6, APIs: 1, Instructions: 95
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 010BA879

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 57c9bec1f1bc3c75a93d1fe9a2ad5459f92c593ba202c6ad67cf91db1eff93e4
Instruction ID: 5a88ed14c251d3ba01ec858c08fe0307aa98977db0770a5f0babcce25071dabc
Opcode Fuzzy Hash: 57c9bec1f1bc3c75a93d1fe9a2ad5459f92c593ba202c6ad67cf91db1eff93e4
Instruction Fuzzy Hash: DC31C772508380AFE7228B55DC44FA7BFFCEF16214F04849AE980CB653D268E90AC771

Uniqueness

Uniqueness Score: -1.00%

Function 052C099C Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 052C0A63

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 110a336813002f8ff3ea57686f14d86658615aa7d69f383ea0686649a66f43ff
Instruction ID: bc1d34db99d7a9def5f697137226cf5c3134dda8c02d7ed43a69b8113e15cd6c
Opcode Fuzzy Hash: 110a336813002f8ff3ea57686f14d86658615aa7d69f383ea0686649a66f43ff
Instruction Fuzzy Hash: 1E31B1B1504340AFE721CB51CC44FA6FBACEF15724F04889AFA889B682D375E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052C3786 Relevance: 1.6, APIs: 1, Instructions: 90
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumValueW.KERNELBASE(?,00000E24,?,?), ref: 052C383E

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: 6ed55b94bdfc5900ad56f64d34a804edacb1e72186995a05b8a4b9ec80e3a32c
Instruction ID: 740e4c5be8b9c9335f34aa334b67827d10a8497722769625f37267a936b0ee0f
Opcode Fuzzy Hash: 6ed55b94bdfc5900ad56f64d34a804edacb1e72186995a05b8a4b9ec80e3a32c
Instruction Fuzzy Hash: C731E87150D3C06FD3138B219C61A61BFB4EF47614F0E84CBD8848B6A3D125690AD7B2

Uniqueness

Uniqueness Score: -1.00%

Function 010BA612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 010BA6B9

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 43fb6281e272b1fbcd62a91d7e51002e8353de675145d82f8e14357083fe7e73
Instruction ID: 94e097579b62b720d159d8416d4a97551cf13945040a5b44660cef52930ea833
Opcode Fuzzy Hash: 43fb6281e272b1fbcd62a91d7e51002e8353de675145d82f8e14357083fe7e73
Instruction Fuzzy Hash: D23193B15093809FE722CB25DC85B96BFF8EF06214F08849AE984CB693D375E909C761

Uniqueness

Uniqueness Score: -1.00%

Function 052C0190 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 052C0227

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 2497ed83c9c4e7be7ede79171f744007a1669803299e38f92786aa54bb3c408c
Instruction ID: 27579ab4aef853f13d815b4f953c42fae1365f3bf052ff40a5f4af88c6304974
Opcode Fuzzy Hash: 2497ed83c9c4e7be7ede79171f744007a1669803299e38f92786aa54bb3c408c
Instruction Fuzzy Hash: 6831B471504344AFEB21CB65DC45FA7BFE8EF05210F0884AAE945DB652D224E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C0894 Relevance: 1.6, APIs: 1, Instructions: 88
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 052C0931

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: ac3ab44ecc5fe1c896002f8b9813d955694c734dbc9d8fca4af928ce713c2b6a
Instruction ID: 45661f9a525415661284cf03bff51df5fe7fc34167e7b931686e9eef45545452
Opcode Fuzzy Hash: ac3ab44ecc5fe1c896002f8b9813d955694c734dbc9d8fca4af928ce713c2b6a
Instruction Fuzzy Hash: 6E31F9724053809FE722CF54DC45F96BFB8EF06314F0489DAE9848F553D225A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 052C205A Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 052C20F5

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ad33dfb5881a378e13562107b68922f7ce309dd908e1d6d6bcd5fb37b6f00283
Instruction ID: f3bcd8aed3349dc1092bbaf68b4a820ac9358e4eb87bf984feac0f76eb787668
Opcode Fuzzy Hash: ad33dfb5881a378e13562107b68922f7ce309dd908e1d6d6bcd5fb37b6f00283
Instruction Fuzzy Hash: D521C176500304EFEB31CE15CC44FA7BBECFF18610F04856AE989C6A52DB74E408CA61

Uniqueness

Uniqueness Score: -1.00%

Function 052C09BE Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 052C0A63

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: d6e1471481250abbb59471e03b42997ef39e7129bdd8498cee27858de7b5ede5
Instruction ID: 048ff5363fe5d65333734f7e3c593dc78d01789aaba9be19767abf37a2cc6ae8
Opcode Fuzzy Hash: d6e1471481250abbb59471e03b42997ef39e7129bdd8498cee27858de7b5ede5
Instruction Fuzzy Hash: 5221B171111200AEFB30DB55CC44FAAFBACEF14714F04886AEA489A681D7B5E5498B71

Uniqueness

Uniqueness Score: -1.00%

Function 052C0FC0 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 052C1066

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: e144a04259d888b8d8cf6207472aeadc04af1dac0eaf571a4b6d7520134f9450
Instruction ID: d1bda9367d5ffd961e471a2ef4630f1bddf802b6ecae9fcf9be2fe06c57733d2
Opcode Fuzzy Hash: e144a04259d888b8d8cf6207472aeadc04af1dac0eaf571a4b6d7520134f9450
Instruction Fuzzy Hash: D331C17150E3C06FD3128B258C51B62BFB8EF47210F0981DBE884DF693D225A949C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 010BA370 Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 010BA40C

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 37e5b2a7d17fb902975d3230e198f783fa93a2397afed7ae74519996eec4522c
Instruction ID: 76b9c178b842123b9301f1f9ecc98fd1b078fdc7cee50300d32495a5e91ecb78
Opcode Fuzzy Hash: 37e5b2a7d17fb902975d3230e198f783fa93a2397afed7ae74519996eec4522c
Instruction Fuzzy Hash: 19218D71605340AFE721CF15CC84FA6BBF8EF45620F08849AE985CB652D364E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052C22CD Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 052C235C

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 7671c776cbbbcf84cf791d7b1cde5ea996517324b31e076c9edadeb4377cd540
Instruction ID: cb966d043742a468d8e128a36d4f6ece32ab054c02ac8e0dda89c2c84fda04bd
Opcode Fuzzy Hash: 7671c776cbbbcf84cf791d7b1cde5ea996517324b31e076c9edadeb4377cd540
Instruction Fuzzy Hash: 02216D755093849FD722CF25DC44A62BFF8EF06210F0984DAE988CF263D225A949DB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C34E9 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 052C3570

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 705bc8a547992cb1961d45f87a1d2861fb4fbb240191cb4f91d44a8d347d70c2
Instruction ID: 676d40347353d549bd59040a1b369b404a3f643b83e29e509886ee73fa499529
Opcode Fuzzy Hash: 705bc8a547992cb1961d45f87a1d2861fb4fbb240191cb4f91d44a8d347d70c2
Instruction Fuzzy Hash: B021A4715093806FE712CB15DC45F96BFB8EF46324F0884EAE944DF693D268A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 010BBC3E Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 010BBCCA

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: aa07aab6db96d21741bef575de943f22218a5ef609bc86eb2f16ec0c7d0a5093
Instruction ID: 4d7b234a5c4a19ac2bbf55bed09336bc0359929a5a3e46b2c317ccd7efb5ff37
Opcode Fuzzy Hash: aa07aab6db96d21741bef575de943f22218a5ef609bc86eb2f16ec0c7d0a5093
Instruction Fuzzy Hash: D021B171509380AFE722CF55DC45F96FFF8EF05220F0888AEE9858B652D375A509CB62

Uniqueness

Uniqueness Score: -1.00%

Function 010BA462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 010BA4F8

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 10e6a8813089aab0ff67dad1c68f8235c25a8515ad4369c02b1e279161277b80
Instruction ID: 5397794110c39b99f68dda5c0567bc48b986d2da9d8b92557961bc3d41708e5f
Opcode Fuzzy Hash: 10e6a8813089aab0ff67dad1c68f8235c25a8515ad4369c02b1e279161277b80
Instruction Fuzzy Hash: 2C21B272504380AFE7228F15DC84FA7BFF8EF46620F08849AE985CB652D364E949C771

Uniqueness

Uniqueness Score: -1.00%

Function 052C0346 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 052C03DA

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 0d18a5ecb858a34957c6013d73ebbba887f910f2c8872e9da3cf9c64f1c7e0d3
Instruction ID: db038b1009d699effc1c3b3fd86b0714011e1ef79a482fb0ebcfeb66d10aa981
Opcode Fuzzy Hash: 0d18a5ecb858a34957c6013d73ebbba887f910f2c8872e9da3cf9c64f1c7e0d3
Instruction Fuzzy Hash: B821BF71505384AFE722CB15DD44F96FFF8EF09224F0488AEE9848B652D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010BB61E Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 010BB69D

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9236d76dc634f4bfc18059954e10444015c27131914d9683ba27e057465b73e0
Instruction ID: 4d6689aabe284a352f67eb4dd85731480b42b6929772fd057644dc6b2ce40d1f
Opcode Fuzzy Hash: 9236d76dc634f4bfc18059954e10444015c27131914d9683ba27e057465b73e0
Instruction Fuzzy Hash: 60219271600200AFE721CF69DD85FA6FBE8EF08224F048869E9858B751D779E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052C01B6 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 052C0227

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 4bf78a31869aa40e911d8021722c293ab8c818ae1dfb179d37a5df0eecf33db8
Instruction ID: a04ecfcfa462072c809a90b31b2c5d861dbde9416484aa9fd315cac9c33316fe
Opcode Fuzzy Hash: 4bf78a31869aa40e911d8021722c293ab8c818ae1dfb179d37a5df0eecf33db8
Instruction Fuzzy Hash: B421D772500204EFEB20DF65DD45FABBBECEF04624F04886AE945DBA52D774E5088A72

Uniqueness

Uniqueness Score: -1.00%

Function 010BB6F4 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 010BB789

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: af652e3c1e036a79d75cd009c52dfa2d06d9b8ba5232edf878ddfdf9087e10e2
Instruction ID: 09b7b83e125d504387f29e228c322e7fc697d6c3783dc87ffe7a8ddba8cb86b2
Opcode Fuzzy Hash: af652e3c1e036a79d75cd009c52dfa2d06d9b8ba5232edf878ddfdf9087e10e2
Instruction Fuzzy Hash: 82212CB54087806FE722CB15DC94BA3BFFCEF46724F0884DAE9958B653D224A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 052C00AA Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 052C013C

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 85ced02a1291fa1895bfaa1b89563d1af685157e5e34af437e41b56787047a27
Instruction ID: 0e5f86d9455132644b453ebb59d257a0408b95b52f297d69a8ccf781311856bc
Opcode Fuzzy Hash: 85ced02a1291fa1895bfaa1b89563d1af685157e5e34af437e41b56787047a27
Instruction Fuzzy Hash: 4221BD72504340AFD722CB15CC84FA7FFF8EF05620F08899AE9458B652C264E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010BA7FA Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 010BA879

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 413a4f598abe21bff59b6293375580e5e8bd99be9b9157b0a578670884880972
Instruction ID: 2d91b892963351186a2e0a1c653d4da50605c8e9cb5a75fb58bef5b5b26294e3
Opcode Fuzzy Hash: 413a4f598abe21bff59b6293375580e5e8bd99be9b9157b0a578670884880972
Instruction Fuzzy Hash: A5210472500300EEF7318B55CC84FABFBECEF14224F04886AE94087A41D738E4098AB1

Uniqueness

Uniqueness Score: -1.00%

Function 052C36B7 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 052C3733

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: b45dcec3cc5430342d762a844567fc1421cadfa3bc9808daad60f1f2248afdd7
Instruction ID: 095a557bcabf1d9f4d965bea2b940b35ebd567a4b187ac5d1e246667af6990d5
Opcode Fuzzy Hash: b45dcec3cc5430342d762a844567fc1421cadfa3bc9808daad60f1f2248afdd7
Instruction Fuzzy Hash: 9721D4715053806FE722CB15DC45FABBFB8EF46220F08C8AAE944DB652D274A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052C35D3 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 052C364F

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: b45dcec3cc5430342d762a844567fc1421cadfa3bc9808daad60f1f2248afdd7
Instruction ID: 73d95fd533e1507d8d478d018285dbb426e431bab41c8136e002c73c5bc81fd0
Opcode Fuzzy Hash: b45dcec3cc5430342d762a844567fc1421cadfa3bc9808daad60f1f2248afdd7
Instruction Fuzzy Hash: 8A21C2715053806FE722CB25DC48FA6BFA8EF45320F08C8AAE944DB652D274A908CB65

Uniqueness

Uniqueness Score: -1.00%

Function 010BA646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 010BA6B9

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 792086baeef386a0a95fa89e87c488e77db512137b64b92e4fb2afad93fba91b
Instruction ID: 90598dbfd71bf730b8d04201cc87c6e1d782cf7206a6f9cb02c649cf146623be
Opcode Fuzzy Hash: 792086baeef386a0a95fa89e87c488e77db512137b64b92e4fb2afad93fba91b
Instruction Fuzzy Hash: C221A4B16042009FF721DF29DD85BA6FBE8EF08224F04C8A9E985CB741D775E509CA71

Uniqueness

Uniqueness Score: -1.00%

Function 052C05DD Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 052C0660

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 581e0f307c26df1d8a47b4d3dbeba395c153f7243de9fa600f2f3b21915abd4e
Instruction ID: 97bcbeffa4a46ad3419fe57add75755216570ef1fb3d2386b87b046e1bec0e8a
Opcode Fuzzy Hash: 581e0f307c26df1d8a47b4d3dbeba395c153f7243de9fa600f2f3b21915abd4e
Instruction Fuzzy Hash: 2F21C571409380AFD722CB15CC44B56BFB8EF46224F0884DAE984DF652C378A949C761

Uniqueness

Uniqueness Score: -1.00%

Function 010BB9D6 Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 010BBA55

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 81aab4fde8c70a5628db641e35f0af8b059e0ce6ba0eae95336480d85b6ffb4b
Instruction ID: 21f329f630aeeeec9e8d9df908d5163a70abbf792ea95c56d6b4b4f9b9be93b2
Opcode Fuzzy Hash: 81aab4fde8c70a5628db641e35f0af8b059e0ce6ba0eae95336480d85b6ffb4b
Instruction Fuzzy Hash: BF219271405340AFD722CF55DC84F97BFF8EF45720F08889AE9849B652C235A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 010BA392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 010BA40C

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 52b30091a5dcce8012e113dec45dfc7fa1b3abd685c9ce7cfd567202abf9a8c2
Instruction ID: 87f2251a08961d97633f1e29831bd88a6de92a9e4af14e682d4e174a2972efc8
Opcode Fuzzy Hash: 52b30091a5dcce8012e113dec45dfc7fa1b3abd685c9ce7cfd567202abf9a8c2
Instruction Fuzzy Hash: AB218E75600204DFE731CE19CD84FA6BBECEF44620F04C4AAE9858B651DB78E949CA71

Uniqueness

Uniqueness Score: -1.00%

Function 010BA140 Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 010BA1C1

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: c40f08aff3b832ab89320c94e0a926f79838e4283f48a3f72b3291af1d2c19bd
Instruction ID: 3aeaad550f760ae10cfa663c3f2058e21e17be81cda9d93012e534b683c3c421
Opcode Fuzzy Hash: c40f08aff3b832ab89320c94e0a926f79838e4283f48a3f72b3291af1d2c19bd
Instruction Fuzzy Hash: 1721907140D3C09FD7238B21DC54A52BFB4EF07220F0A84DBD9848F563C269A849CB62

Uniqueness

Uniqueness Score: -1.00%

Function 052C2207 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 052C2283

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 81b8b4883f1f273a936bc11c2427fe3c2e1f0d5b265354d1202d00f4cfe0068d
Instruction ID: c70d2ba4f31d6d95eeba8685d09b01c5188b914966b72ff664d5dd6af181f68a
Opcode Fuzzy Hash: 81b8b4883f1f273a936bc11c2427fe3c2e1f0d5b265354d1202d00f4cfe0068d
Instruction Fuzzy Hash: D921C671405380AFD722CF54DC44FA6BFB8EF45324F08C89AE9859B652C274A908C771

Uniqueness

Uniqueness Score: -1.00%

Function 010BBD23 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 010BBDA0

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: e5b8b655a811b3feee57591197443de6979a1ad0b5e8fa5900682402dc186852
Instruction ID: 5f4378d44a4c1f81ca8963531d194d4304cf69295fafc23933a25fb129c569e7
Opcode Fuzzy Hash: e5b8b655a811b3feee57591197443de6979a1ad0b5e8fa5900682402dc186852
Instruction Fuzzy Hash: 6E2190715093C09FD7128F65DC84A92BFB4EF07220F0989DAD9C48F563C229A959CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010BBC5E Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 010BBCCA

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 23dba652159c7cfd2bd8e5dd977ffb7550db351d4c5cc6f5980e719b14263d23
Instruction ID: 6c4ececcc6e10ab5e437f3531c581cc727c156087a099dc20e726f9d5507b540
Opcode Fuzzy Hash: 23dba652159c7cfd2bd8e5dd977ffb7550db351d4c5cc6f5980e719b14263d23
Instruction Fuzzy Hash: 5321D471500200AFE731DF59DD85B96FBE4EF08324F04886AE9858BA52D775E409CB72

Uniqueness

Uniqueness Score: -1.00%

Function 052C386A Relevance: 1.6, APIs: 1, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 052C38E8

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: d1672120c4188542365250ae0d61d5ba8bc67b330672fbe354de913c4d0c7e01
Instruction ID: 7bec6d493f39aa2857941640a65387172ac0ff593ea525d9cb648f49506a48c5
Opcode Fuzzy Hash: d1672120c4188542365250ae0d61d5ba8bc67b330672fbe354de913c4d0c7e01
Instruction Fuzzy Hash: 1011D271505380AFD721CB15DC84FA7BFA8EF06620F08C89AE9449B252C268E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C0366 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 052C03DA

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 65019155a8aeb350321d2818018715ec9961affe136308501416236e66c54f52
Instruction ID: 3f39835988b4e641aa01feba2c3f807bf82909dea58c154deaf8cc407bdc1e69
Opcode Fuzzy Hash: 65019155a8aeb350321d2818018715ec9961affe136308501416236e66c54f52
Instruction Fuzzy Hash: 1F21D171500204EFEB31CF15DD45FAAFBE8EF08224F0489ADE9458BA41D375E409CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C31F6 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 052C3266

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 69d5d8554b8a6e97c4f1008683feb04da3cd107336cc5c2ea8571bf627484a0c
Instruction ID: e97b3c8c351bdf9e877a7c5f7ec0049f4cbad045a4aa2e3c36bc3d601ea9661b
Opcode Fuzzy Hash: 69d5d8554b8a6e97c4f1008683feb04da3cd107336cc5c2ea8571bf627484a0c
Instruction Fuzzy Hash: 722193715093805FDB21CB25DC54B62BFE8EF56620F0889DEED45DB652D225E804C761

Uniqueness

Uniqueness Score: -1.00%

Function 010BA710 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 010BA780

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: db714f6e6ccd6f1bf4eece299267f4d264766ed5c1eb3b7e449e528747c9df6f
Instruction ID: 452d6ee003dfa0f0c18863cdc5d331a0821dd7ffb0face373b702d2f42969b1a
Opcode Fuzzy Hash: db714f6e6ccd6f1bf4eece299267f4d264766ed5c1eb3b7e449e528747c9df6f
Instruction Fuzzy Hash: 0521D2B55083809FD712CF15ED85792BFB8FF02324F0984EAED858B653D235A909DB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C1282 Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 052C130B

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 38fc93c727e498ad735d5d07c0a9d4401d9248aefe35525dc52f73e4fd09df8f
Instruction ID: 9123f448d99a9c370fd6d4469cbfa09f1ab7d77c0cbc53b39a8dbf722ce50a30
Opcode Fuzzy Hash: 38fc93c727e498ad735d5d07c0a9d4401d9248aefe35525dc52f73e4fd09df8f
Instruction Fuzzy Hash: 5E113671404340AFE721CB10CC85FA6FFB8EF46720F0484DAFD489B692C278A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010BA486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 010BA4F8

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: ac9c8ef707a391a344f69064b2247ee991e96c4548a4f22dfd164abcd9a339af
Instruction ID: 7597d4c683c6c2f6756085f6e3657fdbc749bc7dc9b16ef7a384a21b26092589
Opcode Fuzzy Hash: ac9c8ef707a391a344f69064b2247ee991e96c4548a4f22dfd164abcd9a339af
Instruction Fuzzy Hash: CC11B472600300AFE7318E15DD85FA7BBECEF04624F04846AED858BA41D774E9488A71

Uniqueness

Uniqueness Score: -1.00%

Function 052C2869 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 052C28E5

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: df9a0392487f4d6cfafef619685f650d37c8f0eecbfdc2ae14e95d2b11ed116d
Instruction ID: 8e7b558c6973bea66c14c3326b5cefb65995c89ca3ebc61caded508fac8a0323
Opcode Fuzzy Hash: df9a0392487f4d6cfafef619685f650d37c8f0eecbfdc2ae14e95d2b11ed116d
Instruction Fuzzy Hash: 632190B55093809FD722CA15DC84B62BFF8FF06614F0981CAED858B253D265E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052C00CA Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 052C013C

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a89e3fd966d23ca189ea3bc2cca7793779eae8632516889c52f6010e9c695c75
Instruction ID: a393dad0c7eb4c1f9697eaa46c16b8ca71eae855638f870789ccc7e4e19fd54d
Opcode Fuzzy Hash: a89e3fd966d23ca189ea3bc2cca7793779eae8632516889c52f6010e9c695c75
Instruction Fuzzy Hash: 5711D2725002009FEB31CE15CC84FABFBE8EF04620F04C5AAE9458A652D7B4E909CA71

Uniqueness

Uniqueness Score: -1.00%

Function 052C08D2 Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 052C0931

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: b6910c2b6383ac529202cb857c50a47f23558b7d60d462b31742eb4c71a86291
Instruction ID: a8cd22204d39e847e6273e855112eb4cbbdb41cf19daebed40a6465516a6f644
Opcode Fuzzy Hash: b6910c2b6383ac529202cb857c50a47f23558b7d60d462b31742eb4c71a86291
Instruction Fuzzy Hash: F511D372500200EFEB21CF55DD84FAABBE8EF04724F04C86AE9458AA51D774A908CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 052C0006 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 052C0082

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 8949a64d8746106afb893f120e835dcc7b476c81a2787e42c22e9db613f83397
Instruction ID: 12601dc89f37593c12e72f6ddb044340232c40ca7e34d567676de37956b3bad5
Opcode Fuzzy Hash: 8949a64d8746106afb893f120e835dcc7b476c81a2787e42c22e9db613f83397
Instruction Fuzzy Hash: B1110471545340AFD3118B15CC41F72BFF8EF86620F05819AEC489BA42D279BD1ACBB2

Uniqueness

Uniqueness Score: -1.00%

Function 052C3BA9 Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 052C3C1D

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 40524cf45ab854eec7dbe2ae56c7a2cecef231e9a1f00a31444d7422d3f13c95
Instruction ID: 1902412d26b075e48352bd78bb16f89cfe7f1f5323067cf1b4e6d8b54fb1e6f1
Opcode Fuzzy Hash: 40524cf45ab854eec7dbe2ae56c7a2cecef231e9a1f00a31444d7422d3f13c95
Instruction Fuzzy Hash: CF2190724093C09FDB138F25DC44A62BFB4EF17220F0985DAE9848F563D225A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 052C35F6 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 052C364F

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 06f03b70aea99bbb4727b2088b00ece9a519a043ed685e2e0b532f4ea5d8c498
Instruction ID: 028e39964d97e4a7c88a9c8b6421ec84713a60720a1539f459ae4dba1d2ef13f
Opcode Fuzzy Hash: 06f03b70aea99bbb4727b2088b00ece9a519a043ed685e2e0b532f4ea5d8c498
Instruction Fuzzy Hash: 9311E2715003009FEB21CF15DD45BAABBE8EF04724F14CCAAE905CB741D778A908CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 052C36DA Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 052C3733

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 06f03b70aea99bbb4727b2088b00ece9a519a043ed685e2e0b532f4ea5d8c498
Instruction ID: d1654f03a50042172b741894c4297650e9482592338633a9badc21347e424999
Opcode Fuzzy Hash: 06f03b70aea99bbb4727b2088b00ece9a519a043ed685e2e0b532f4ea5d8c498
Instruction Fuzzy Hash: C01104B1500200AFE721CF14DD45BAABBE8EF04724F04C8AAED04CB641D778A9088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 010BAC03 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010BAC6E

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4e0af473fb24308d38df81aa8bcc1f7fcd9866525724a89bcdae3bdbbb2ca847
Instruction ID: bd0b2dcfd49537d638787ba2624fb9b3643ba164253c70fa06d2b54877e8cd1a
Opcode Fuzzy Hash: 4e0af473fb24308d38df81aa8bcc1f7fcd9866525724a89bcdae3bdbbb2ca847
Instruction Fuzzy Hash: 7611B471509380AFDB228F55DC44A62FFF4EF4A320F0888DAED858B563C235A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C351A Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 052C3570

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 0a74d568b2a2d14a8c718400883ca679ad3df82cd74079d73b2e474dc9e6d161
Instruction ID: 0bde6440d350b070f2965eea8c2954f28a23d5241bcf9e165227819d0deb667c
Opcode Fuzzy Hash: 0a74d568b2a2d14a8c718400883ca679ad3df82cd74079d73b2e474dc9e6d161
Instruction Fuzzy Hash: CF11E7715002009FEB21CB15DD45BAABBE8EF04624F04C8AAED05DB741D678E9088AB1

Uniqueness

Uniqueness Score: -1.00%

Function 010BB9F6 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 010BBA55

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 78e974c057ece1dce78c5377978f5dc002cf75ebcca00097e990fde42895814f
Instruction ID: f53699b64d513324fd529d241118c18163e9cf2049482d645103f1b751de4357
Opcode Fuzzy Hash: 78e974c057ece1dce78c5377978f5dc002cf75ebcca00097e990fde42895814f
Instruction Fuzzy Hash: 4211C871500300AFE731CF55DD84FAAFBE8EF04724F04C86AE9859B651C775A5098BB1

Uniqueness

Uniqueness Score: -1.00%

Function 052C0E2C Relevance: 1.6, APIs: 1, Instructions: 60networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 052C0E9A

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: cedeea4d3c21a2cb4065f8fce0bdac30d673104016600e77bb6c7784551dc782
Instruction ID: 30dcad123c5f58a5df16a09d6f07247c64d7f335f03e1dc7a66635e8c6ae87ee
Opcode Fuzzy Hash: cedeea4d3c21a2cb4065f8fce0bdac30d673104016600e77bb6c7784551dc782
Instruction Fuzzy Hash: E22190715093809FDB21CF55DC84A52FFF4FF06220F09899EE9898B662D375A858CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C222A Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 052C2283

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: b249bbd39d5fdbe1afeea456704263deee8396504c261c23bb375a29a2b3d9cf
Instruction ID: 7cd996339b32f07f5d653dcee8984a333d9f6b09e8151213bcf22c28d69b2656
Opcode Fuzzy Hash: b249bbd39d5fdbe1afeea456704263deee8396504c261c23bb375a29a2b3d9cf
Instruction Fuzzy Hash: 4711E375500200AFEB31CF54DD44FAAFBE8EF44724F04C8AAE9859B641C778A5088AB2

Uniqueness

Uniqueness Score: -1.00%

Function 052C060A Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 052C0660

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 9645d51b5ea462b45f0048a3ccd2311fb629e095f693c82692156c22da3cd589
Instruction ID: ff3387a414f6eafd6327a72f0c1e8bdb9e4a2cfa56127fc6901d74c1dfb89917
Opcode Fuzzy Hash: 9645d51b5ea462b45f0048a3ccd2311fb629e095f693c82692156c22da3cd589
Instruction Fuzzy Hash: 6411C671500200AFEB21DF15DD84BAABBE8EF44724F14C8AAED449F641D778A5498AB1

Uniqueness

Uniqueness Score: -1.00%

Function 052C388A Relevance: 1.6, APIs: 1, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 052C38E8

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: fbd835725bd77674bc05fb8904b48fbf982d5c2a905fc61eecefb4914e9c76ba
Instruction ID: 6743f3bdb8ac4e21f1bda467a60768a5aa21943a726f90c3b91f474c71101b8d
Opcode Fuzzy Hash: fbd835725bd77674bc05fb8904b48fbf982d5c2a905fc61eecefb4914e9c76ba
Instruction Fuzzy Hash: DC11C272510200AFE720DA05DD85FA6BBECEF14624F04C9AAE9059B742D778E9088AB1

Uniqueness

Uniqueness Score: -1.00%

Function 010BA2AE Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 010BA30C

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: be4b9b5d8302c11e9016cbccab97dc9c217182b6e6c05132a045ee72287cd1f8
Instruction ID: 053909cc6d6d38d0dc0ad519c2b01b09c8613fccd2e4302d55b3a003c7361a49
Opcode Fuzzy Hash: be4b9b5d8302c11e9016cbccab97dc9c217182b6e6c05132a045ee72287cd1f8
Instruction Fuzzy Hash: A71191715093C0AFDB238B15DC946A2BFB4DF47624F0980CBED848F663D266A848C772

Uniqueness

Uniqueness Score: -1.00%

Function 052C3FA9 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 052C4009

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0eac98ce5e7f3c75e0d4f74b63860a1b87c2e0d1e1de10d76806aa7ed43d5c15
Instruction ID: f5163869b6bcfa3f83383d6b8a492d60f3c82a8b53341d3a14fc34f4d9517452
Opcode Fuzzy Hash: 0eac98ce5e7f3c75e0d4f74b63860a1b87c2e0d1e1de10d76806aa7ed43d5c15
Instruction Fuzzy Hash: 5C1104715093809FDB228F11DC44A52FFB4EF06220F08C4DEED858B663C275A818CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C12A2 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 052C130B

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5542bfa0207e87fc7c1e2aef38e0d98f4fe37e13432b9f32ede2549675bd815c
Instruction ID: 3dfcdf6a7f67f734a94cb613e5042ed92d1409ee0f2565ad7c08f6b3f0c7c2c5
Opcode Fuzzy Hash: 5542bfa0207e87fc7c1e2aef38e0d98f4fe37e13432b9f32ede2549675bd815c
Instruction Fuzzy Hash: 6B110231910200AEE720CB15DD42FB6FBA8DF04724F1484A9EE085BB82C2B9A549CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 052C2306 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 052C235C

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 28b09a6c0833a74ed38a0bd7de45de6bb676317e667db38d4a1503e62b79b6d4
Instruction ID: 023562d3f3bb91158a7861b76a29b6d89192ccb6e9c2f31a12c4b8e00dc5f78d
Opcode Fuzzy Hash: 28b09a6c0833a74ed38a0bd7de45de6bb676317e667db38d4a1503e62b79b6d4
Instruction Fuzzy Hash: F3116D79614244CFDB20CF15D984B62FBE8EF04620F0885AADD89CB652D774E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010BAD9F Relevance: 1.6, APIs: 1, Instructions: 54comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 010BAE00

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 45ba7c9c792473f503c124a605a6bea3a371f2f9224735b5450ff53c8f1bc51c
Instruction ID: 6a55fbef5d1b5609fec92cb1fa52060e8f3adcf543a383c09b3690968931acad
Opcode Fuzzy Hash: 45ba7c9c792473f503c124a605a6bea3a371f2f9224735b5450ff53c8f1bc51c
Instruction Fuzzy Hash: 6F119D715493809FDB12CB15DC84B52BFB4EF06224F0884DAED848F693D279A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 052C321E Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 052C3266

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 7024b08d87f0c033912c7ce0be70cc6e0f494cc7728f0d5133605611f4bdf5a7
Instruction ID: 6f71379182233f547223414799f63e68d7981e880e281c35e704b15faab71516
Opcode Fuzzy Hash: 7024b08d87f0c033912c7ce0be70cc6e0f494cc7728f0d5133605611f4bdf5a7
Instruction Fuzzy Hash: B111A9726142018FEB20CF19D844B56FFE8EF54620F08CDAEDD4ADB742D674E904CA62

Uniqueness

Uniqueness Score: -1.00%

Function 010BB736 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,9ECD5732,00000000,00000000,00000000,00000000), ref: 010BB789

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: b7646669b99675678d49a059c9e7c07011e39e211c37d8e5871e7ab34674e6ba
Instruction ID: d1e38a1c7bed538e14424634dd93d2b3fdd5a834f3ea0d04b601f7f22132ea05
Opcode Fuzzy Hash: b7646669b99675678d49a059c9e7c07011e39e211c37d8e5871e7ab34674e6ba
Instruction Fuzzy Hash: AE01C071540200AFE721CB19DD85BAAF7E8EF04624F08C4A6EE449BB41D778E9498AA1

Uniqueness

Uniqueness Score: -1.00%

Function 052C0E4E Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 052C0E9A

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 78c4f193cd251fbff75d802dea8f401632cadca98c66a796e9bfba619d52f13d
Instruction ID: b6668f8a735422823b7427effc7ff23cf56bb7fef54c547f4b315bf6249feb5d
Opcode Fuzzy Hash: 78c4f193cd251fbff75d802dea8f401632cadca98c66a796e9bfba619d52f13d
Instruction Fuzzy Hash: 3A117C75510600DFDB20CF55D988B66FBE5FF09320F08C9AADD898BA22D375E458CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C3E5C Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 052C3EB0

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: f0308041767b9137e80e5ca175851446863aafc8938aa5ca7c47821d04f05b03
Instruction ID: a25a602116d9152080c7f94d5d9d12350765e76a02a07e2c2e29dd9552516fe7
Opcode Fuzzy Hash: f0308041767b9137e80e5ca175851446863aafc8938aa5ca7c47821d04f05b03
Instruction Fuzzy Hash: DA11A171509384AFD7128B15DC44B62FFB4EF46624F08C4CAED858B653D275A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 052C1016 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 052C1066

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: bfa5069489e3f040cd1ad557ffd5b31976ac0252218f715ad109c4912b26d803
Instruction ID: 1d4675429d85c6d094abe03eae3becd27511a3fe94ae34afaf87f137df27a0fd
Opcode Fuzzy Hash: bfa5069489e3f040cd1ad557ffd5b31976ac0252218f715ad109c4912b26d803
Instruction Fuzzy Hash: 3E01B171600200AFD310DF16DD46B66FBE8FB88A20F14852AED089BB41D735F955CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 052C289A Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 052C28E5

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: b2517dc3b8b4f6b4923e77bba5fd6015439acef22f67fb436ac95b6c23ea1a61
Instruction ID: 54e190b9fe7a32ee24f19f7f7a7809253afd6622a1c2a31372519a9c728bc4ae
Opcode Fuzzy Hash: b2517dc3b8b4f6b4923e77bba5fd6015439acef22f67fb436ac95b6c23ea1a61
Instruction Fuzzy Hash: BC016D75514200DFDB20CE19D984B22FBE4EF04620F08C6AADD898B752D675E448CB71

Uniqueness

Uniqueness Score: -1.00%

Function 010BAC2A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010BAC6E

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3e16e0257fa8e21270111e5ed1e847faeb106c6f0a013bc3e438f07d9683ac0b
Instruction ID: 03a564af37ca1e12b6f115dd6c2a75132e8fa704eae9fe3b6495c022dc64a0e2
Opcode Fuzzy Hash: 3e16e0257fa8e21270111e5ed1e847faeb106c6f0a013bc3e438f07d9683ac0b
Instruction Fuzzy Hash: 9B016132500604DFDB21CF55D984B66FBE0EF48720F08C9AADD894BA56C375E418DF61

Uniqueness

Uniqueness Score: -1.00%

Function 010BA74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 010BA780

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 48bc1accac90dff17af1deedce40cd46de00ee833c30b9c950377661c5f31738
Instruction ID: c634e6ea9b0b3ef8fb4d9d6d7e7c46297df6c008fb0e7c03f1e1c229dc70351e
Opcode Fuzzy Hash: 48bc1accac90dff17af1deedce40cd46de00ee833c30b9c950377661c5f31738
Instruction Fuzzy Hash: 9F01D471604200DFEB10CF19DD847A6FBE4EF04220F08C4ABDD868FB42D679E448CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 010BBBC2 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 010BBC12

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b16ef9e5350d08f11511d27e83fb9bf23a968267f33df670c93310b5083c8c7d
Instruction ID: 0a351c51ab79452308f96bebce8c15aed04f9e32d952bbeb713b0005e79c84df
Opcode Fuzzy Hash: b16ef9e5350d08f11511d27e83fb9bf23a968267f33df670c93310b5083c8c7d
Instruction Fuzzy Hash: 4E01A271500200ABD210DF1ADD46B66FBE8FB88A20F14811AED089BB41D775F956CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 010BBD62 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 010BBDA0

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 85afd3e60da91f7d33f1c2e5954fabb9a4b039eefb249079c102ec833be0130d
Instruction ID: 4a81e739c5cc347a1b1de7572a757df6ade51496728dc49f5042c3433311e450
Opcode Fuzzy Hash: 85afd3e60da91f7d33f1c2e5954fabb9a4b039eefb249079c102ec833be0130d
Instruction Fuzzy Hash: 5C019232500200DFDB21DF55D984B96FBE0EF04320F08C8AADD854BA12D379E458CB62

Uniqueness

Uniqueness Score: -1.00%

Function 052C0032 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 052C0082

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 4a177dd9947a8bb4eace30fc61d271066713873fe215ecbfad425e4047535625
Instruction ID: 8950e16d9e6ed7a6ee584c9809adcc654f50c3030d09cd6f99b9b88f4d029f28
Opcode Fuzzy Hash: 4a177dd9947a8bb4eace30fc61d271066713873fe215ecbfad425e4047535625
Instruction Fuzzy Hash: 3801D671500200AFD310DF1ADD46B66FBE8FB88A20F148159ED089BB41D775F956CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 052C37EE Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.KERNELBASE(?,00000E24,?,?), ref: 052C383E

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: f4b966fae24f6d98a17aa1027ae51e646546b4931f0833ab7dd05c3eb089b954
Instruction ID: d1bc0fea7d568e6aab2739243e3849a8deae667f2f1ef482a197ec161705bd7e
Opcode Fuzzy Hash: f4b966fae24f6d98a17aa1027ae51e646546b4931f0833ab7dd05c3eb089b954
Instruction Fuzzy Hash: 4F01A271500200ABD210DF1ADD46B66FBE8FB88A20F14811AED089BB41D775F956CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 010BA186 Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 010BA1C1

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: c4b197d2fa97073e6ea7b4d2cb136b478dc2de290ce15ffdbcda25283a233392
Instruction ID: 6d015e60f0c7b45a3dc9044bda6c4fbbd937925c92e3919d23f6fdb0cb1d5395
Opcode Fuzzy Hash: c4b197d2fa97073e6ea7b4d2cb136b478dc2de290ce15ffdbcda25283a233392
Instruction Fuzzy Hash: 38019231504240DFDB60CF59D984B96FBE0EF04320F08C8AADD854BA12C279A448CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C3FCE Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 052C4009

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d201138cddde56a5e5cbad53b796d85cfc5fb9a5c95ebb74777b15089fc4f37a
Instruction ID: 4159caff03f6032af34a6f2fec8a36eff83999c43906ae4b21be24f7c1b0f1b9
Opcode Fuzzy Hash: d201138cddde56a5e5cbad53b796d85cfc5fb9a5c95ebb74777b15089fc4f37a
Instruction Fuzzy Hash: 2401BC32910200CFEB209F15D884B66FFE0EF04325F08C5AEDE494BA62C675E458CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 010BADCE Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 010BAE00

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: dfdbee3b325e1d6920b38f294423322d2fd1c24c887015cad48c3e02d8abb254
Instruction ID: 46a84a556c1608e9c8b3a390d69d3c49e2ab954241af91cca751b2dc4081292a
Opcode Fuzzy Hash: dfdbee3b325e1d6920b38f294423322d2fd1c24c887015cad48c3e02d8abb254
Instruction Fuzzy Hash: 5401D671A00240DFDB20CF19D9847A6FBE4EF44320F08C4AADD899F756D279E448CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 052C3BE2 Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 052C3C1D

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9a899118941b86b794c8afa25cd4a146d232674586f9fddb45bc1ad7207ad8e7
Instruction ID: 1f09d5ea5549aec6c1a41f0fd99596a8e13d9a1c22e75d7afc5e726eefce0988
Opcode Fuzzy Hash: 9a899118941b86b794c8afa25cd4a146d232674586f9fddb45bc1ad7207ad8e7
Instruction Fuzzy Hash: DE017C32410240DFDB20CF05D985B65FFE1FF14620F18C9AEDD494AA52C276E558CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 010BA2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 010BA30C

Memory Dump Source

Source File: 00000000.00000002.2476763037.00000000010BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_xuI8pQHlxExL.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 4c7794f9a95af781e9e3fef44e1200c88f69c52711ba746a4287b2bbc4a3e4b8
Instruction ID: 3bf3492d22e9d54016da2e9ae04bb0dca27588cef41dfe77542e6433b598add3
Opcode Fuzzy Hash: 4c7794f9a95af781e9e3fef44e1200c88f69c52711ba746a4287b2bbc4a3e4b8
Instruction Fuzzy Hash: 16F0A475505240CFDB20CF09D9847A5FBE0EF04A24F08C0AADD454F752D3B9E448CA62

Uniqueness

Uniqueness Score: -1.00%

Function 052C3E7E Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 052C3EB0

Memory Dump Source

Source File: 00000000.00000002.2479927522.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52c0000_xuI8pQHlxExL.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: c813f58a8d36a560a36bc7d27a1c442b3fc9bb5ef1b8daaf36b127a4cb88eda9
Instruction ID: f80a6cad7caea7516eb6d71c3ba2555e4f9b7a0e6f3c7ed24e30a82bfe06c900
Opcode Fuzzy Hash: c813f58a8d36a560a36bc7d27a1c442b3fc9bb5ef1b8daaf36b127a4cb88eda9
Instruction Fuzzy Hash: 33F08C359142448FDB20CF05D984B62FFE0EF15624F08C9EADD494BB52D2B9A448CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0143075C Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2477521088.0000000001430000.00000040.00000020.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_xuI8pQHlxExL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78ba6f152ca2456b9ccb7a0846d093fec3e5cfb301d49647b4ea18d7a63606a
Instruction ID: 944ebd0e071f2d4e91d8b229e4cc89424213eac4fc1bad8f1cc626a5402918b2
Opcode Fuzzy Hash: f78ba6f152ca2456b9ccb7a0846d093fec3e5cfb301d49647b4ea18d7a63606a
Instruction Fuzzy Hash: 6C311E3414E3C08FC7178B2489607557FB1AF47614F1D86DBD8858F6A3C239981AD762

Uniqueness

Uniqueness Score: -1.00%

Function 05771F4C Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2480262197.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_xuI8pQHlxExL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653d626ea530183e808c068113ce7fb49819bfd05fd5d2f9aadc56c2b47abe83
Instruction ID: b856ce67ada596a7979b67db5c32cf839ccfe1b0fcb17a4c11108a714dc56689
Opcode Fuzzy Hash: 653d626ea530183e808c068113ce7fb49819bfd05fd5d2f9aadc56c2b47abe83
Instruction Fuzzy Hash: 5311C9B5948341AFD350CF19D880A5BFBE4FB88664F14896EF998D7311D235E9088FA2

Uniqueness

Uniqueness Score: -1.00%

Function 014307C4 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2477521088.0000000001430000.00000040.00000020.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_xuI8pQHlxExL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1397426344945601be3cd36346de19e63f1cc88174b3bf917048ad1027d300
Instruction ID: 7ca4d8037c0d77a53f75bbb913121d9f00bc534598ae576b1997a3a87abce67e
Opcode Fuzzy Hash: fd1397426344945601be3cd36346de19e63f1cc88174b3bf917048ad1027d300
Instruction Fuzzy Hash: 6311A230204280DFD719CB14D540B16BBA5ABCC718F24CAAEE5491BB63C77BD853CA91

Uniqueness

Uniqueness Score: -1.00%

Function 05771DF0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2480262197.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_xuI8pQHlxExL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81388e343b9943d4957b5ba2723149d91e3450835af642b38c2753c6bddaad60
Instruction ID: 1d9ee8e264be003123db5a0c0417d485d63352ae64e7aeae4ed3712f43ea133f
Opcode Fuzzy Hash: 81388e343b9943d4957b5ba2723149d91e3450835af642b38c2753c6bddaad60
Instruction Fuzzy Hash: ED11FEB5508301AFD350CF09DC80E57FBE8EB88660F14892EF95897711D235E9088FA2

Uniqueness

Uniqueness Score: -1.00%

Function 010CB0A4 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2476871383.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_xuI8pQHlxExL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 727387f9c2007519eff3fef4efc15dc4633f0453438c3cf0dc9eb2414f731fda
Instruction ID: 5a2a36ee79ffc7047a02f14c4781c04c3a996e096ed2edb5d2753c551bd6345c
Opcode Fuzzy Hash: 727387f9c2007519eff3fef4efc15dc4633f0453438c3cf0dc9eb2414f731fda
Instruction Fuzzy Hash: D311FEB5548301AFD350CF09DC40E57FBE8EB88660F14892EF95897711D235E9088FA2

Uniqueness

Uniqueness Score: -1.00%

Function 014305E0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2477521088.0000000001430000.00000040.00000020.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_xuI8pQHlxExL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35fb5661cec4669a538950135271f953f74cd00ddb81a36d38b8350c873386fd
Instruction ID: bf7326feb3a162dd4e997e3cd14e87f9c63245449a04c3986858cdc95414356b
Opcode Fuzzy Hash: 35fb5661cec4669a538950135271f953f74cd00ddb81a36d38b8350c873386fd
Instruction Fuzzy Hash: 3A0162755497809FC7118F19AC41892BBE8EF4663070984ABED498B612C235A959CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01430880 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2477521088.0000000001430000.00000040.00000020.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_xuI8pQHlxExL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b9f174851936b42c91253ba0377f3a0e724fe011995a5d7daf0febe73ee2ff
Instruction ID: 70b825e357d72134cee76062946a89f55afa039a8b4e6deef2ea5d5dcc158ef4
Opcode Fuzzy Hash: 74b9f174851936b42c91253ba0377f3a0e724fe011995a5d7daf0febe73ee2ff
Instruction Fuzzy Hash: DBF0BB35144644DFC716CB44D540B16FBA2EB89718F24CAADE94917B62C737D813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 01430606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2477521088.0000000001430000.00000040.00000020.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_xuI8pQHlxExL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7b7a956808c8d8e05bc7bce81307601f2dea4fb329f749c1666dc5fa4a39c5
Instruction ID: 8f5fc919a2d15ffc8575e3ddffff3db819a993526b59de1ff4e742ff94136a9f
Opcode Fuzzy Hash: ca7b7a956808c8d8e05bc7bce81307601f2dea4fb329f749c1666dc5fa4a39c5
Instruction Fuzzy Hash: F6E092B66006008B9650CF0AFC81452F7D8EB88630718C47FDC0D8B711D23AB948CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 05771863 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2480262197.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_xuI8pQHlxExL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1acd7daedafc13b4aa70eb6bbc80995a5b02767d826f76137ccfc44f3c8361c2
Instruction ID: cb436693c8fcf19ff17a11ea8a676ddd50d634929fd1313af25dcff3baba96b7
Opcode Fuzzy Hash: 1acd7daedafc13b4aa70eb6bbc80995a5b02767d826f76137ccfc44f3c8361c2
Instruction Fuzzy Hash: 2EE0D8B255020067D210DE06AC46F53FBD8DB40A30F14C467ED085B701D176B514C9E1

Uniqueness

Uniqueness Score: -1.00%

Function 05771E3F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2480262197.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_xuI8pQHlxExL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00ee28dd77dad7264a6d00e667fc729d2aa84d773cbad29bf866f413dbb376d2
Instruction ID: 3c53c744c5b494a8d0fdff288f0034b6f6f8cb99ff3a2e3cae6d23bef52107ec
Opcode Fuzzy Hash: 00ee28dd77dad7264a6d00e667fc729d2aa84d773cbad29bf866f413dbb376d2
Instruction Fuzzy Hash: 36E0D8B254020467D2509E06AC85F53FBD8DB40A31F14C567ED081B702D176B50489F1

Uniqueness

Uniqueness Score: -1.00%

Function 05771FB7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2480262197.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_xuI8pQHlxExL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fbc330596482f8c7c49d1b7e0d58bb0f91b0f675d681188c08c7467e39b3768
Instruction ID: 02d8e172de874391adbcaa5c836ef888d20a306e29a18446a2a65efba9fa2c50
Opcode Fuzzy Hash: 5fbc330596482f8c7c49d1b7e0d58bb0f91b0f675d681188c08c7467e39b3768
Instruction Fuzzy Hash: F9E0D8B255020067D2108E06AC45F52FBDCDB54A31F14C467ED081B741D176B51889E1

Uniqueness

Uniqueness Score: -1.00%

Function 010CB0F3 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2476871383.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_xuI8pQHlxExL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ba0e4d0a9e3e854ec24eb67ab82acea018b67010adbdf5178e55dbeeefefd87
Instruction ID: 060de3885bf1e786092d5537c9e00760ddefe8282006f67548e6e0576b964492
Opcode Fuzzy Hash: 4ba0e4d0a9e3e854ec24eb67ab82acea018b67010adbdf5178e55dbeeefefd87
Instruction Fuzzy Hash: 91E0D8B2540204A7D2108E06AC45F62F7D8DB54A31F14C567ED085B702D176B50489F1

Uniqueness

Uniqueness Score: -1.00%

Function 010B23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2476714408.00000000010B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b2000_xuI8pQHlxExL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ff6188f22d350e96afd4e1f3c46b1a25d79bc6068f1b38b1c1d7acd4d26407
Instruction ID: fd27fafc747675fecac3b3e3c377e3c124cc274b0008a96e191afa0256f742c2
Opcode Fuzzy Hash: a8ff6188f22d350e96afd4e1f3c46b1a25d79bc6068f1b38b1c1d7acd4d26407
Instruction Fuzzy Hash: A7D02E79200AC04FE3228A0CC2A4BC53FE4AF40704F0A04F9A840CBB63CB2CE5C0C200

Uniqueness

Uniqueness Score: -1.00%

Function 010B23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2476714408.00000000010B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b2000_xuI8pQHlxExL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f24676892c9361de50bf2c45b6845837d7e7d58ce114a9ca81b4a9f707a1997a
Instruction ID: 55479f43bcab5be59d98ecd5fc6947eed9b9b7afa6095328cb11a298bc08cb51
Opcode Fuzzy Hash: f24676892c9361de50bf2c45b6845837d7e7d58ce114a9ca81b4a9f707a1997a
Instruction Fuzzy Hash: 19D05E342012814BD725DA0CC2D4F997BD4AB44B14F0684F8AC508B762C7B4E8C0DA00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xuI8pQHlxExL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\xuI8pQHlxExL.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
xuI8pQHlxExL.exe

Function 05171930 Relevance: 3.9, Strings: 2, Instructions: 1396
COMMON

Function 051703F8 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Function 010BB5DE Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Function 051703E8 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Function 052C202E Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Function 010BBB4B Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Function 010BA7C7 Relevance: 1.6, APIs: 1, Instructions: 95
registryCOMMON

Function 052C099C Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 052C3786 Relevance: 1.6, APIs: 1, Instructions: 90
registryCOMMON

Function 010BA612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Function 052C0190 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Function 052C0894 Relevance: 1.6, APIs: 1, Instructions: 88
timeCOMMON