Edit tour

Windows Analysis Report
xyyDAUDPeYEH.exe

Overview

General Information

Sample name:	xyyDAUDPeYEH.exe
Analysis ID:	1429948
MD5:	8d153b783c87021dcfbea00799e18337
SHA1:	e38881fd2848bcfad84e81eba5695db628f9e985
SHA256:	83c7ff1ebde9eea24cb5a82b436fa076dc18296fd4933ae220596716cab27601
Tags:	exenjRat
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Snort IDS alert for network traffic

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Self deletion via cmd or bat file

Uses dynamic DNS services

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

xyyDAUDPeYEH.exe (PID: 5676 cmdline: "C:\Users\user\Desktop\xyyDAUDPeYEH.exe" MD5: 8D153B783C87021DCFBEA00799E18337)

cmd.exe (PID: 2988 cmdline: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xyyDAUDPeYEH.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "rusia.duckdns.org", "Port": "1994", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "480cbbef1dc"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
xyyDAUDPeYEH.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.2055306278.0000000000A72000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.2272537772.0000000003091000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: xyyDAUDPeYEH.exe PID: 5676	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.xyyDAUDPeYEH.exe.a70000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP) - Source IP: 192.168.2.6 - Destination IP: 46.246.6.20

Timestamp:	04/22/24-23:06:08.349405
SID:	2825565
Source Port:	49699
Destination Port:	1994
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.6 - Destination IP: 46.246.6.20

Timestamp:	04/22/24-23:06:00.237668
SID:	2825563
Source Port:	49699
Destination Port:	1994
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.6 - Destination IP: 46.246.6.20

Timestamp:	04/22/24-23:06:04.903826
SID:	2825564
Source Port:	49699
Destination Port:	1994
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.6 - Destination IP: 46.246.6.20

Timestamp:	04/22/24-23:05:59.852368
SID:	2033132
Source Port:	49699
Destination Port:	1994
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: xyyDAUDPeYEH.exe

Avira: detected

Found malware configuration

Source: 00000000.00000000.2055306278.0000000000A72000.00000002.00000001.01000000.00000003.sdmp

Malware Configuration Extractor: Njrat {"Host": "rusia.duckdns.org", "Port": "1994", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "480cbbef1dc"}

Yara detected Njrat

Source: Yara match	File source: xyyDAUDPeYEH.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xyyDAUDPeYEH.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2055306278.0000000000A72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2272537772.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xyyDAUDPeYEH.exe PID: 5676, type: MEMORYSTR

Machine Learning detection for sample

Source: xyyDAUDPeYEH.exe

Joe Sandbox ML: detected

Source: xyyDAUDPeYEH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: xyyDAUDPeYEH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.6:49699 -> 46.246.6.20:1994
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.6:49699 -> 46.246.6.20:1994
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.6:49699 -> 46.246.6.20:1994
Source: Traffic	Snort IDS: 2825565 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP) 192.168.2.6:49699 -> 46.246.6.20:1994

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: rusia.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: rusia.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.6:49699 -> 46.246.6.20:1994

Source: Joe Sandbox View

ASN Name: PORTLANEwwwportlanecomSE PORTLANEwwwportlanecomSE

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: rusia.duckdns.org

Source: xyyDAUDPeYEH.exe, 00000000.00000002.2271966683.0000000001333000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: xyyDAUDPeYEH.exe, 00000000.00000002.2271966683.0000000001333000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.LinkId=42127

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: xyyDAUDPeYEH.exe, Keylogger.cs

.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: xyyDAUDPeYEH.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xyyDAUDPeYEH.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2055306278.0000000000A72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2272537772.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xyyDAUDPeYEH.exe PID: 5676, type: MEMORYSTR

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe

Code function: 0_2_012A15C0

0_2_012A15C0

Source: xyyDAUDPeYEH.exe, 00000000.00000000.2055324097.0000000000A78000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient1994.exe4 vs xyyDAUDPeYEH.exe
Source: xyyDAUDPeYEH.exe, 00000000.00000002.2271966683.00000000012BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs xyyDAUDPeYEH.exe
Source: xyyDAUDPeYEH.exe	Binary or memory string: OriginalFilenameClient1994.exe4 vs xyyDAUDPeYEH.exe

Source: xyyDAUDPeYEH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/1@1/1

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Code function: 0_2_054222AA AdjustTokenPrivileges,		0_2_054222AA
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Code function: 0_2_05422273 AdjustTokenPrivileges,		0_2_05422273

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\xyyDAUDPeYEH.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1764:120:WilError_03
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Mutant created: \Sessions\1\BaseNamedObjects\480cbbef1dc

Source: xyyDAUDPeYEH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: xyyDAUDPeYEH.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xyyDAUDPeYEH.exe "C:\Users\user\Desktop\xyyDAUDPeYEH.exe"
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xyyDAUDPeYEH.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xyyDAUDPeYEH.exe"	Jump to behavior

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: xyyDAUDPeYEH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: xyyDAUDPeYEH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: xyyDAUDPeYEH.exe, Program.cs

.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process created: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xyyDAUDPeYEH.exe"
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process created: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xyyDAUDPeYEH.exe"			Jump to behavior

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Memory allocated: 1210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Memory allocated: 3090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe	Memory allocated: 5090000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe

Window / User API: threadDelayed 844

Jump to behavior

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe TID: 2444

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: xyyDAUDPeYEH.exe, 00000000.00000002.2271966683.0000000001333000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWetTcpContextBif
Source: xyyDAUDPeYEH.exe, 00000000.00000002.2271966683.0000000001333000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: xyyDAUDPeYEH.exe, Program.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, cbName, ref lpszVer, 100)
Source: xyyDAUDPeYEH.exe, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: xyyDAUDPeYEH.exe, Keylogger.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)

Source: xyyDAUDPeYEH.exe, 00000000.00000002.2272537772.0000000003091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: xyyDAUDPeYEH.exe, 00000000.00000002.2272537772.0000000003091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9al

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\xyyDAUDPeYEH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: xyyDAUDPeYEH.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xyyDAUDPeYEH.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2055306278.0000000000A72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2272537772.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xyyDAUDPeYEH.exe PID: 5676, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: xyyDAUDPeYEH.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xyyDAUDPeYEH.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2055306278.0000000000A72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2272537772.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xyyDAUDPeYEH.exe PID: 5676, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Process Injection	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	21 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Process Injection	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
xyyDAUDPeYEH.exe	100%	Avira	TR/Dropper.Gen7
xyyDAUDPeYEH.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://go.microsoft.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rusia.duckdns.org	46.246.6.20	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
rusia.duckdns.org	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.microsoft.	xyyDAUDPeYEH.exe, 00000000.00000002.2271966683.0000000001333000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://go.microsoft.LinkId=42127	xyyDAUDPeYEH.exe, 00000000.00000002.2271966683.0000000001333000.00000004.00000020.00020000.00000000.sdmp	false		low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.246.6.20	rusia.duckdns.org	Sweden		42708	PORTLANEwwwportlanecomSE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429948
Start date and time:	2024-04-22 23:05:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xyyDAUDPeYEH.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 92 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: xyyDAUDPeYEH.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
46.246.6.20	xde47dUIgZDh.exe	Get hash	malicious	AsyncRAT	Browse
46.246.6.20	x7CwEiB9bHEP.exe	Get hash	malicious	Njrat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
rusia.duckdns.org	x7RZVIWaDKb5.exe	Get hash	malicious	Njrat	Browse	46.246.14.17
	x7RZVIWaDKb5.exe	Get hash	malicious	Njrat	Browse	46.246.14.17
	bUBL.exe	Get hash	malicious	Njrat	Browse	46.246.14.17
	x6Xw7vcuD9zM.exe	Get hash	malicious	Njrat	Browse	46.246.14.23
	bTAB.exe	Get hash	malicious	Njrat	Browse	46.246.80.3
	xbd0vU3xnyOS.exe	Get hash	malicious	Njrat	Browse	46.246.6.7
	x38kbgLd6bPu.exe	Get hash	malicious	Njrat	Browse	46.246.12.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PORTLANEwwwportlanecomSE	xzcQo6GenFVf.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	46.246.14.5
	tajma.x86-20240422-0535.elf	Get hash	malicious	Mirai, Okiru	Browse	188.126.69.245
	x7RZVIWaDKb5.exe	Get hash	malicious	Njrat	Browse	46.246.14.17
	x7RZVIWaDKb5.exe	Get hash	malicious	Njrat	Browse	46.246.14.17
	bUBL.exe	Get hash	malicious	Njrat	Browse	46.246.14.17
	bUBD.exe	Get hash	malicious	Njrat	Browse	46.246.14.22
	xutnF2gKGTTy.exe	Get hash	malicious	AsyncRAT	Browse	46.246.4.3
	8ubQTzsAqG.exe	Get hash	malicious	Unknown	Browse	185.117.88.39
	8ubQTzsAqG.exe	Get hash	malicious	Unknown	Browse	185.117.88.39
	ODOCVzwXq5.elf	Get hash	malicious	Mirai	Browse	195.190.218.30

Process:	C:\Users\user\Desktop\xyyDAUDPeYEH.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	907
Entropy (8bit):	5.243019596074263
Encrypted:	false
SSDEEP:	24:MLF2CpI329Iz52VMzffup26KTnKoO2+b2hHAa/:MwQd9IzoaXuY6Ux+SF/
MD5:	48A0572426885EBDE53CA62C7F2E194E
SHA1:	035628CDF6276367F6C83E9F4AA2172933850AA8
SHA-256:	4C68E10691304CAC8DA65A05CF2580728EC0E294104F267840712AF1C46A6538
SHA-512:	DEFE728C2312918D94BD43C98908C08CCCA5EBFB77F873779DCA784F14C607B33A4E29AC5ECB798F2F741668B7692F72BCB60DEFD536EA86B296B64FA359C42D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\53992d421e2c7ecf6609c62b3510a6f0\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\74774597e319a738b792e6a6c06d3559\System.Xml.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\1bd56c432cb9ff27e335d97f404caf8f\System.Management.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.806573958683294
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	xyyDAUDPeYEH.exe
File size:	32'768 bytes
MD5:	8d153b783c87021dcfbea00799e18337
SHA1:	e38881fd2848bcfad84e81eba5695db628f9e985
SHA256:	83c7ff1ebde9eea24cb5a82b436fa076dc18296fd4933ae220596716cab27601
SHA512:	bd63d270b30fca9153fe49e1e6331d1fd25087817601a79ea14bc2ead47a172661db890c06a95b350386481b6bb08f3a1614c9fb20415b16d21d2e56fb97ceac
SSDEEP:	384:20bUe5XB4e0XIgONDixBr/QdWTStTUFQqzFsObba:XT9BuGdifrYfGba
TLSH:	BBE2F84A7BB94125C2BC2AFC8CB313210772E3478532EB5F5CDC98CA4B676D04251AEA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3.&f.................P... ......ng... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40676e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6626C433 [Mon Apr 22 20:10:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6718	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4774	0x5000	9760357bbc8c8c45870dbc698dcbbf21	False	0.475341796875	data	5.297427455385716	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x2b0	0x1000	b5a4502eac901202af7dd46d217cb488	False	0.077880859375	data	0.6886353743137013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x1000	34585954bedb30c5084980db7d41ad8f	False	0.0087890625	data	0.013126943721219527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8058	0x254	data			0.46308724832214765

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/22/24-23:06:08.349405	TCP	2825565	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP)	49699	1994	192.168.2.6	46.246.6.20
04/22/24-23:06:00.237668	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49699	1994	192.168.2.6	46.246.6.20
04/22/24-23:06:04.903826	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49699	1994	192.168.2.6	46.246.6.20
04/22/24-23:05:59.852368	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49699	1994	192.168.2.6	46.246.6.20

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 22, 2024 23:05:59.503415108 CEST	49699	1994	192.168.2.6	46.246.6.20
Apr 22, 2024 23:05:59.775785923 CEST	1994	49699	46.246.6.20	192.168.2.6
Apr 22, 2024 23:05:59.775960922 CEST	49699	1994	192.168.2.6	46.246.6.20
Apr 22, 2024 23:05:59.852368116 CEST	49699	1994	192.168.2.6	46.246.6.20
Apr 22, 2024 23:06:00.237524033 CEST	1994	49699	46.246.6.20	192.168.2.6
Apr 22, 2024 23:06:00.237668037 CEST	49699	1994	192.168.2.6	46.246.6.20
Apr 22, 2024 23:06:00.749492884 CEST	1994	49699	46.246.6.20	192.168.2.6
Apr 22, 2024 23:06:04.903825998 CEST	49699	1994	192.168.2.6	46.246.6.20
Apr 22, 2024 23:06:05.347239017 CEST	1994	49699	46.246.6.20	192.168.2.6
Apr 22, 2024 23:06:07.261504889 CEST	1994	49699	46.246.6.20	192.168.2.6
Apr 22, 2024 23:06:07.309811115 CEST	49699	1994	192.168.2.6	46.246.6.20
Apr 22, 2024 23:06:07.962886095 CEST	49699	1994	192.168.2.6	46.246.6.20
Apr 22, 2024 23:06:08.244626045 CEST	1994	49699	46.246.6.20	192.168.2.6
Apr 22, 2024 23:06:08.294102907 CEST	49699	1994	192.168.2.6	46.246.6.20
Apr 22, 2024 23:06:08.349335909 CEST	1994	49699	46.246.6.20	192.168.2.6
Apr 22, 2024 23:06:08.349405050 CEST	49699	1994	192.168.2.6	46.246.6.20
Apr 22, 2024 23:06:08.747384071 CEST	1994	49699	46.246.6.20	192.168.2.6
Apr 22, 2024 23:06:11.658678055 CEST	1994	49699	46.246.6.20	192.168.2.6
Apr 22, 2024 23:06:11.709407091 CEST	49699	1994	192.168.2.6	46.246.6.20
Apr 22, 2024 23:06:12.044612885 CEST	1994	49699	46.246.6.20	192.168.2.6
Apr 22, 2024 23:06:12.277844906 CEST	1994	49699	46.246.6.20	192.168.2.6
Apr 22, 2024 23:06:12.304861069 CEST	49699	1994	192.168.2.6	46.246.6.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 22, 2024 23:05:58.861859083 CEST	59342	53	192.168.2.6	1.1.1.1
Apr 22, 2024 23:05:59.500998974 CEST	53	59342	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 22, 2024 23:05:58.861859083 CEST	192.168.2.6	1.1.1.1	0x7560	Standard query (0)	rusia.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 22, 2024 23:05:59.500998974 CEST	1.1.1.1	192.168.2.6	0x7560	No error (0)	rusia.duckdns.org		46.246.6.20	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	23:05:50
Start date:	22/04/2024
Path:	C:\Users\user\Desktop\xyyDAUDPeYEH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xyyDAUDPeYEH.exe"
Imagebase:	0xa70000
File size:	32'768 bytes
MD5 hash:	8D153B783C87021DCFBEA00799E18337
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.2055306278.0000000000A72000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.2272537772.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:06:11
Start date:	22/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xyyDAUDPeYEH.exe"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:06:11
Start date:	22/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2%
Total number of Nodes:	148
Total number of Limit Nodes:	8

Executed Functions

Function 012A15C0 Relevance: 12.6, Strings: 9, Instructions: 1396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@:l, xrefs: 012A1C41
:@:l, xrefs: 012A2B9F
:@:l, xrefs: 012A1ABC
:@:l, xrefs: 012A1B62
:@:l, xrefs: 012A1EE4
, xrefs: 012A2270
:@:l, xrefs: 012A208B
, xrefs: 012A227A
:@:l, xrefs: 012A1FF8

Memory Dump Source

Source File: 00000000.00000002.2271923972.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_xyyDAUDPeYEH.jbxd

Similarity

API ID:
String ID: $ $:@:l$:@:l$:@:l$:@:l$:@:l$:@:l$:@:l
API String ID: 0-3686863120
Opcode ID: bb496171432e85915bfd2657223e3b27ba331ef65e4a76d1341f546f5e8bb6a7
Instruction ID: 91221a1e73b9b9c84922362bfdc585d9969eb815f3505c33f6c7cf3f6912944b
Opcode Fuzzy Hash: bb496171432e85915bfd2657223e3b27ba331ef65e4a76d1341f546f5e8bb6a7
Instruction Fuzzy Hash: B3C2B834B002159FDB18DF64C854BAEB7F2FB88304F5180A9E509AB7A1DF399D85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05422273 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 054222F3

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 4063eaa3a39f751edb05fbf79a938575780b69591538d368ee84dcebdd075073
Instruction ID: 6becaf7c2638c7a47f66cdb807dd71eddd06faaf3f0a40507a5e1ee15cd13fb2
Opcode Fuzzy Hash: 4063eaa3a39f751edb05fbf79a938575780b69591538d368ee84dcebdd075073
Instruction Fuzzy Hash: B82191755097809FDB228F25DC44B92BFF4EF06310F0985DAE9858F563D2719908DB61

Uniqueness

Uniqueness Score: -1.00%

Function 054222AA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 054222F3

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: b0c73813fd4e3ed4d96741fdb33d125071e5e5e1ee60a03e423c94dedbfb069b
Instruction ID: 60f8f48137ae594987c26db5ed6bb6c5b9fe0a4926ce44a5d34af73b688bc596
Opcode Fuzzy Hash: b0c73813fd4e3ed4d96741fdb33d125071e5e5e1ee60a03e423c94dedbfb069b
Instruction Fuzzy Hash: C0119E765042009FDB20CF65D844BA6FBE4FF08220F08C4AAED468B651D771E418DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0106A140 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32(?,?,?,?), ref: 0106A1C1

Strings

X<l, xrefs: 0106A1DD

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: send
String ID: X<l
API String ID: 2809346765-1623157627
Opcode ID: e03cfe9f9acb6cb240041be84ef4e705f8f7a7204491769d8d509490c1b7bd98
Instruction ID: 596ec868b25b9c5dd495e7c574ec7d509aa68114a42e57a7173e697943aa628d
Opcode Fuzzy Hash: e03cfe9f9acb6cb240041be84ef4e705f8f7a7204491769d8d509490c1b7bd98
Instruction Fuzzy Hash: A121AF3140D3C09FC7238B658C54A52BFB4EF07220F0A85DBD9858F163C269A809DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0106A186 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32(?,?,?,?), ref: 0106A1C1

Strings

X<l, xrefs: 0106A1DD

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: send
String ID: X<l
API String ID: 2809346765-1623157627
Opcode ID: 6e5b9feaba00368eb93ecd7f81f4764e329e0e9002d0a306e8a7724a61651f73
Instruction ID: 95c9c1f9d44491c832cb45e9a1a15541b014ea11206a36ab656da17a64711894
Opcode Fuzzy Hash: 6e5b9feaba00368eb93ecd7f81f4764e329e0e9002d0a306e8a7724a61651f73
Instruction Fuzzy Hash: CD019E71504240DFDB60EF95D884B66FBE4FF04720F08C4AADD899F612C375A458CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012A03F8 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 012A041F

Memory Dump Source

Source File: 00000000.00000002.2271923972.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_xyyDAUDPeYEH.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f015dd4fcb5eef7d0d64339d537284bd1936516e049df66f0c20153b1e3f7c37
Instruction ID: 8a68424d3f3dbd582fc28100e5684645ce9bce8f152ed789debe8632984a0ce3
Opcode Fuzzy Hash: f015dd4fcb5eef7d0d64339d537284bd1936516e049df66f0c20153b1e3f7c37
Instruction Fuzzy Hash: 0E319E71A002058FCB04DFB9D88459DB7F6FF88304B988069D908EB35ADB35DD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0106B5DE Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0106B69D

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 70ab6e451271b9849564ebf0ce3adbe52f2460d3419b5b71f906c56fb9747e10
Instruction ID: b52a0facaf8bc0f5b383135498eb267641a1faff9886d2a97bdaf564dabf0717
Opcode Fuzzy Hash: 70ab6e451271b9849564ebf0ce3adbe52f2460d3419b5b71f906c56fb9747e10
Instruction Fuzzy Hash: 5731A4B1508380AFE712CB65CC44B62BFF8EF06214F08449AE9858B652D375E809DB71

Uniqueness

Uniqueness Score: -1.00%

Function 012A03E8 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 012A041F

Memory Dump Source

Source File: 00000000.00000002.2271923972.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_xyyDAUDPeYEH.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1cb0a2e07e121b83caa79cddcec0f6dc50a00e0bb92753068a4f64549a419077
Instruction ID: af6afc86bfa4c0b271e68cc8d1bae6182aca0328e170d5d25a786127fe4ade64
Opcode Fuzzy Hash: 1cb0a2e07e121b83caa79cddcec0f6dc50a00e0bb92753068a4f64549a419077
Instruction Fuzzy Hash: 44318071A102018FCB04DF78D89459ABBF2FF88304B988069D948EB359EB39DD41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05421D7E Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 05421E45

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a2b2214769a46fc7557dfb763a9987e0d5fe0d0decaed89cf637817d3bc35080
Instruction ID: f8daf52b308c5ecdc813c65712acb84abaf052510adca332b3e23df9506a0074
Opcode Fuzzy Hash: a2b2214769a46fc7557dfb763a9987e0d5fe0d0decaed89cf637817d3bc35080
Instruction Fuzzy Hash: 16315272504344AFD721CF55CC44FA7BBFCEF05614F04459AE985DB662D324E908CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0106BB4B Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0106BC12

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cb1125318ac294184e783c87269e576f6a2a9f57b4aca1a2195ab3ec3ad5c5b2
Instruction ID: 126bf92abf0d03fa15346063dd255f43b604401d3cf8dcc7c0c2a0408b239e2d
Opcode Fuzzy Hash: cb1125318ac294184e783c87269e576f6a2a9f57b4aca1a2195ab3ec3ad5c5b2
Instruction Fuzzy Hash: D6318D7510E3C06FD3138B258C61A61BFB4EF47610B0E85CBE8C48F6A3D2296909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0106A7C7 Relevance: 1.6, APIs: 1, Instructions: 95
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0106A879

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d2b0137d680894de6e44f59a77f6f7aef753929be00ecdd77334ca35499be382
Instruction ID: 6e359b4f76d552551935430532f382a26ab4ae6676a04bf1ad857f19006483d8
Opcode Fuzzy Hash: d2b0137d680894de6e44f59a77f6f7aef753929be00ecdd77334ca35499be382
Instruction Fuzzy Hash: A731C4B2508380AFE7228B51CC44FA7BFFCEF06214F08849AE984DB653D224A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 0542099C Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05420A63

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: ef7f5d0e4487ef855258f3268fcba1f27653f6a94c14ddee3c5ca22a63cf9503
Instruction ID: 2e929b2ad2e9c07a4fc91475d93520cce6bbc9f0e9df81aaeba8ada8d5360646
Opcode Fuzzy Hash: ef7f5d0e4487ef855258f3268fcba1f27653f6a94c14ddee3c5ca22a63cf9503
Instruction Fuzzy Hash: 3231AFB2404340AFE721CB50CC84FA7FBBCEB04714F04489AFA489B691D374A9098B61

Uniqueness

Uniqueness Score: -1.00%

Function 0106A612 Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0106A6B9

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 8826246cafc00a6623283b5ebb5bd88c241535d51c58ae5bfe210002b5835093
Instruction ID: 4d59b50cc015c1b80c40997f0c9ac2afa1a1b7ab5f170baa0aea68c22da00c72
Opcode Fuzzy Hash: 8826246cafc00a6623283b5ebb5bd88c241535d51c58ae5bfe210002b5835093
Instruction Fuzzy Hash: 4F31A4B15093805FE712CB65CC45B56BFF8EF06210F0884DAE984DF292D375E909C761

Uniqueness

Uniqueness Score: -1.00%

Function 05420190 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 05420227

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: ac4f240051e220e054d367dc5ea280f0c871686a1e82d8f220723cb5d49b33e5
Instruction ID: a9bcc450bc00b9ca4660ea85cdd8d0aa3cd3347701b26c970ada8078be774e79
Opcode Fuzzy Hash: ac4f240051e220e054d367dc5ea280f0c871686a1e82d8f220723cb5d49b33e5
Instruction Fuzzy Hash: FE318171504384AFEB21CB65DC45FA7BBF8EF05610F08849AE944DB652D324A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05420894 Relevance: 1.6, APIs: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 05420931

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: dd514303fc3883fd62d425cd86b7e1f1d1f3fc8351552e30bca10acac0f96b7b
Instruction ID: e9122cc66b45a85465eca30d3e89fd5d8959bda4fd97d975b9969af228f1f3bf
Opcode Fuzzy Hash: dd514303fc3883fd62d425cd86b7e1f1d1f3fc8351552e30bca10acac0f96b7b
Instruction Fuzzy Hash: 8931B4B24097806FE7128F60DC45FA6BFB8EF06314F0884DAE985CB5A3D2259909C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 05421DAA Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 05421E45

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bb5d66fbe02d99a7439ee4aa43afeac2f28331b288f3428ff7a8f18b1b35cdc0
Instruction ID: b3d4d844f3d050adba4693b9745e8ee6d02d7ef9319f54df957dfdf1136c493b
Opcode Fuzzy Hash: bb5d66fbe02d99a7439ee4aa43afeac2f28331b288f3428ff7a8f18b1b35cdc0
Instruction Fuzzy Hash: A0216DB2504214AFEB21DF55CC84FA7FBFCEF08614F04855AE945DBA51D720E909CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 054209BE Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05420A63

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: c8d64a18e4a3153102e2e0324c7a910a0cd9839104424b44441c01ae07751914
Instruction ID: 33b85b18a7470b66c6a294ce4bf3a78752bb2d0e591f46a14426e9c3327a3af3
Opcode Fuzzy Hash: c8d64a18e4a3153102e2e0324c7a910a0cd9839104424b44441c01ae07751914
Instruction Fuzzy Hash: D421A372500204AFEB20DB50CC85FE6F7ECEF04714F04845AFA499A691D775A5498BB5

Uniqueness

Uniqueness Score: -1.00%

Function 05420D10 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 05420DB6

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: fde5ed6d0516d0832599711f6f5294a24b7ca78da3a1721a33f5f7857a75e1d7
Instruction ID: c1cef6881bfad3d011054da1a35dc828e2f08f00fd1be1036fd5160e004b9685
Opcode Fuzzy Hash: fde5ed6d0516d0832599711f6f5294a24b7ca78da3a1721a33f5f7857a75e1d7
Instruction Fuzzy Hash: DF319E7150E3C06FD312CB258C55B62BFB8EF47610F1980DBE884DF6A3D225A949C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0106B6F4 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 0106B789

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 7292aa65583e5d1a5b71f3f51a2c7bdb4e31764a87acddbfd49c03ed73fadb80
Instruction ID: 5529aae58459cf92abb37b4257d732ce53fcf6c1d8aafafe7de5ecefef296380
Opcode Fuzzy Hash: 7292aa65583e5d1a5b71f3f51a2c7bdb4e31764a87acddbfd49c03ed73fadb80
Instruction Fuzzy Hash: 7021F8B54097806FD7128B259C85BA2BFBCEF47724F0880D6ED848B693D2649909C771

Uniqueness

Uniqueness Score: -1.00%

Function 0106A370 Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 0106A40C

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 807d88c919e7f0100f13da3ddc443d983bac0409ee7b082f7d2b88d55d47d167
Instruction ID: d7d2bc05a83f655386e014bc92ac369b18d834fbdc3d923d303b80f1bd96f7c5
Opcode Fuzzy Hash: 807d88c919e7f0100f13da3ddc443d983bac0409ee7b082f7d2b88d55d47d167
Instruction Fuzzy Hash: D1218BB5604740AFE721CF15CC84FA2BBFCEF45610F08849AE985DB692D364E908CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0542201D Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 054220AC

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 2fa607190a9ff93569393bb24cd726e1dab4e4ec5f2d32177dd93bb3e48d4cd4
Instruction ID: a53449f348f05508cde0a5e26c9ec8f65b6febdd9e64b7adb302a9ecd0d33765
Opcode Fuzzy Hash: 2fa607190a9ff93569393bb24cd726e1dab4e4ec5f2d32177dd93bb3e48d4cd4
Instruction Fuzzy Hash: 8B216F755093849FD722CF25CC44B92BFF8EF06610F0984DAE985CB262D265E949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 054223F5 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 0542247C

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 62b542204895987bcfb3bb779dccb015691d68d3c4be76691dacfc3b9d6e9457
Instruction ID: fe111046d00fa1b7ca4af5c326d9291e2b1685f03f7d856030f9160de567eaa7
Opcode Fuzzy Hash: 62b542204895987bcfb3bb779dccb015691d68d3c4be76691dacfc3b9d6e9457
Instruction Fuzzy Hash: AF21B3755093806FE712CB65DC45FA6BFB8EF42314F0884DBE984DF692D264A908C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0106BC3E Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0106BCCA

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 162107e95948988e3d9b71407e066926216b1ed0df1287e03bdd154b9f949c30
Instruction ID: e49da9c0813b42faf601236020cb9950fe9973fe375c77d345208cde00aaf77c
Opcode Fuzzy Hash: 162107e95948988e3d9b71407e066926216b1ed0df1287e03bdd154b9f949c30
Instruction Fuzzy Hash: 7521A371409380AFD722CF55DC45F96FFF8EF05224F08889EE9858B652D375A508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0106A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 0106A4F8

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: deb67a80e6c37fa9fe1ba1573fbaa9cff1d8ac56f808fc89330b3ab41fce7030
Instruction ID: 510b83f9637f333cebea6524c6c8628a86a10d13dea956974b6342d741e8a86b
Opcode Fuzzy Hash: deb67a80e6c37fa9fe1ba1573fbaa9cff1d8ac56f808fc89330b3ab41fce7030
Instruction Fuzzy Hash: B4219FB2108380AFD7229A15CC44F67BFFCEF46610F08849AE9859B652C364E908C771

Uniqueness

Uniqueness Score: -1.00%

Function 05420346 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 054203DA

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: e89c5b5566ddc7544921a317951ae13c64ef33bb3829d0189fe4936e48e0918c
Instruction ID: 7cc9fa9f8b1be8740e447bb28e56c2812e42a1e7d5fe7978f54491964bdfbdec
Opcode Fuzzy Hash: e89c5b5566ddc7544921a317951ae13c64ef33bb3829d0189fe4936e48e0918c
Instruction Fuzzy Hash: 7B219171409384AFE722CF55DC44FA6FBF8EF09224F04849EE9858B652D375E508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0106B61E Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0106B69D

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 20d13bf77492fe1fb1fe6b1891d500f9d94215565e75783478487a50ba984574
Instruction ID: b765e4e4ff5f681e4f8a62f0e365387a311c072693acea5b73e38bb2014383e3
Opcode Fuzzy Hash: 20d13bf77492fe1fb1fe6b1891d500f9d94215565e75783478487a50ba984574
Instruction Fuzzy Hash: 3D21B0B1604200AFEB21DF65CD85F66FBE8EF08214F0884ADE985CB651D375E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 054220EC Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05422172

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 995cdf70d9f5111fa17b189f5bcb1afb162b8d119983bbb3f79e7d32aa6e8fa3
Instruction ID: 068c7fb13f93562bb90957ebd2f9440272e0ea491509fe374281397acb356845
Opcode Fuzzy Hash: 995cdf70d9f5111fa17b189f5bcb1afb162b8d119983bbb3f79e7d32aa6e8fa3
Instruction Fuzzy Hash: 3421B2B65093805FD712CB25CC54BA6BFA8AF02210F0984DAE989CF253E265D909C771

Uniqueness

Uniqueness Score: -1.00%

Function 054201B6 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 05420227

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 39bd3a5dda790e15dd47c6b99842878270a9ec8ebd6db75ff4e2c0c45e394dc6
Instruction ID: 8c6272a26d1dfe0f39baa86b1c073b7c92c1faca3ee997544ab41f4f74ea05d5
Opcode Fuzzy Hash: 39bd3a5dda790e15dd47c6b99842878270a9ec8ebd6db75ff4e2c0c45e394dc6
Instruction Fuzzy Hash: 8321C272500214AFEB20DF65DC45FABFBECEF04614F04846BE949DB651D770E9098AB1

Uniqueness

Uniqueness Score: -1.00%

Function 054200AA Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 0542013C

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e5b20ec0a589b35c72e7d6dd01845c83559907b03b98797f7d473a88286580ca
Instruction ID: e5a521b86548ab737514020b3fb8e36a74dcf171cf61e305f2b9a40899f6f269
Opcode Fuzzy Hash: e5b20ec0a589b35c72e7d6dd01845c83559907b03b98797f7d473a88286580ca
Instruction Fuzzy Hash: 49219D72509744AFD722CF51CC88FA7FBF8EF05610F08849AE9498B692D365E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0106A7FA Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0106A879

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 179bbd01d3c764dcc942145d93a61d4681b263e9ef2d596066d97f1d7191729c
Instruction ID: 02ca274ef29b6ee1d4e8f95773093faa9e87c88e3150e8c9634961afc2516f10
Opcode Fuzzy Hash: 179bbd01d3c764dcc942145d93a61d4681b263e9ef2d596066d97f1d7191729c
Instruction Fuzzy Hash: 5721D172500204EFE7219F55CC84FABFBFCEF04614F04845AE9459BA51D724E9098AB1

Uniqueness

Uniqueness Score: -1.00%

Function 054225C3 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 0542263F

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 6e7b0cbdea36948551fb41fbd646d2143017a412e13e958925ee515dc952352f
Instruction ID: a0aeb7cbe9e4eda6c9fee9dd9048904fd2efcd4bd4938c91e42ee802cb78a6a7
Opcode Fuzzy Hash: 6e7b0cbdea36948551fb41fbd646d2143017a412e13e958925ee515dc952352f
Instruction Fuzzy Hash: B221C2B14093806FDB21CF51CC44FA7BFB8EF45214F08C4ABE944DB692D364A908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 054224DF Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 0542255B

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 6e7b0cbdea36948551fb41fbd646d2143017a412e13e958925ee515dc952352f
Instruction ID: 9fb3c535693fe13e484175ebb4f3c24930304a253bc858e8587a210487e85b83
Opcode Fuzzy Hash: 6e7b0cbdea36948551fb41fbd646d2143017a412e13e958925ee515dc952352f
Instruction Fuzzy Hash: 6A21C2714093806FD721CB51CC45FABBFB8EF45210F08C4ABE944DB692D364A908CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0106A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0106A6B9

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 2d8414be298a52891fbe50b07bbbbd5915439b41cc821e3d684b84a91c5cb465
Instruction ID: f3c2f3c14e96c3e49514d8880c2db6357400fe30791d72a2155cfae0898bead1
Opcode Fuzzy Hash: 2d8414be298a52891fbe50b07bbbbd5915439b41cc821e3d684b84a91c5cb465
Instruction Fuzzy Hash: 8221C2B16042409FE710DF65CD85BA6FBECEF08214F0484AAE985DF741D775E809CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0106A8C1 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNELBASE(?,?,?), ref: 0106A942

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ea797e846a37f5add704649a97329afc3428ee02e69f5464f3d1829670782b42
Instruction ID: 6268209e837b9cb10d4c0e5cd03175a37fce44344aa397763b53b9dd9e84b88b
Opcode Fuzzy Hash: ea797e846a37f5add704649a97329afc3428ee02e69f5464f3d1829670782b42
Instruction Fuzzy Hash: 5E21D0B65093809FDB12CB25DC44BA2BFE8EF06224F1984DAEC858B253D2749809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0542357E Relevance: 1.6, APIs: 1, Instructions: 71registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 05423604

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: c45cceebd8da3bac9c508b97dba89e03883eba4a52071843c4423950c1b5d418
Instruction ID: c4b7fb3874316725115053c7653ee3c726b5ca3f6e93b7c146c008fac90d12ad
Opcode Fuzzy Hash: c45cceebd8da3bac9c508b97dba89e03883eba4a52071843c4423950c1b5d418
Instruction Fuzzy Hash: 1C21A1715093806FD722CB51CC44FA7FFB8EF46610F0884DBE9448B692D268E949C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0106B9D6 Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 0106BA55

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 46044755a5b5b6862f149913d65f8ab0d40baee763b63b309544bb546002de8a
Instruction ID: 32e4c69b1d824e1128826467e2a7d68d162fd4f9ad2b628f3d143d39c37c2563
Opcode Fuzzy Hash: 46044755a5b5b6862f149913d65f8ab0d40baee763b63b309544bb546002de8a
Instruction Fuzzy Hash: 69219271409380AFDB22CF51DC44F97FFF8EF45610F08849AE9859B552C224A508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0106A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 0106A40C

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2b5c3dd519606a09b5afd7d6da2e83205df42d4197877d55b6a9c9230853fed5
Instruction ID: fbe9acfe47302d5a77a0abdef0179b7564083e3fa545702d95f9cb60c9c92c74
Opcode Fuzzy Hash: 2b5c3dd519606a09b5afd7d6da2e83205df42d4197877d55b6a9c9230853fed5
Instruction Fuzzy Hash: 3421C075200200DFEB20DF55CC84FA6FBECEF44610F04C49AE985DB652D760E849CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05421F57 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 05421FD3

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 400d41339bff8b37c23e4643f8d7fd1f35d0475813b30a6f936d48597fa6da9e
Instruction ID: 8c7337f09bf345703d026133dc975282f7142ecbb43347695e90583c43264f1a
Opcode Fuzzy Hash: 400d41339bff8b37c23e4643f8d7fd1f35d0475813b30a6f936d48597fa6da9e
Instruction Fuzzy Hash: 0121A1714093806FD722CF51CC48FA7FFB8EF45214F08849BE9459B652C374A508C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0106A710 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0106A780

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 986ecaeb260950f165adaa148d909547bc4ee67489dc4366661b41bbcb6b06ce
Instruction ID: 88b15ff99271e03f3418c6ab2dfb58e5e8d8f6239c513790b38a71da30114614
Opcode Fuzzy Hash: 986ecaeb260950f165adaa148d909547bc4ee67489dc4366661b41bbcb6b06ce
Instruction Fuzzy Hash: 6221C0B55083809FDB128F25DD85B52BFB8EF02220F0984EAEC859B253D2359909DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0106BD23 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 0106BDA0

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: aba2e26564e50fc2b830a9f32d625ef1fddbaa2eb1cae3619f6d1f7f7ed14c7a
Instruction ID: 9c8396fa748604586bb158fe4509114ff520f2e5865be133fb03e587e92abfbb
Opcode Fuzzy Hash: aba2e26564e50fc2b830a9f32d625ef1fddbaa2eb1cae3619f6d1f7f7ed14c7a
Instruction Fuzzy Hash: AC219A710093C0AFDB128F65DC55AA2BFB4EF07320F0989DAD9C48F163C2359959DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0106BC5E Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0106BCCA

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 70e1b86d03dfe5599a111ebc069963e01ae2e259e21a266434bb28f4755abefb
Instruction ID: bb19b8125851a15444e19cd691e7e009687099b67901346577b92c5153a3e692
Opcode Fuzzy Hash: 70e1b86d03dfe5599a111ebc069963e01ae2e259e21a266434bb28f4755abefb
Instruction Fuzzy Hash: E921CFB1504200AFEB21DF95CC45BA6FBE8EF08224F14889EE9858A652D375E509CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05420366 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 054203DA

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 5bcc44cfe749c5333cbad435f642957ef0408c3dafa7b698c96bcb90ff8ab7d0
Instruction ID: 44c07f50f1dec62cf4900c6f40c0813eb28391fed80aaf3ff3ed0ce4a0634323
Opcode Fuzzy Hash: 5bcc44cfe749c5333cbad435f642957ef0408c3dafa7b698c96bcb90ff8ab7d0
Instruction Fuzzy Hash: 0521F071404214AFE721CF55CC88FA6FBE8EF08224F04849EE9498BB41D375E409CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05420B6E Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05420BEA

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 3aed6947ddd19f10e925c5310a033808e04451647c9db205a15d83ceba1ddc91
Instruction ID: 3eaeaa4ddf21cc9d25c9c14e8d7bcad791e59b60f86cd6fe5a6ae8e816a90202
Opcode Fuzzy Hash: 3aed6947ddd19f10e925c5310a033808e04451647c9db205a15d83ceba1ddc91
Instruction Fuzzy Hash: 22218071408380AFDB228F51DC44B62FFF4FF06310F0885DAE9898B262D235A819DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05420FD2 Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 0542105B

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7c867874065e32778a98121d757056a5122e2535067e437c2ced5a8a3bd77722
Instruction ID: 1c8ebbdf0d9be7ce9d507f5b90ea3b7e1a7595bb52d1bef2a53e470878b50420
Opcode Fuzzy Hash: 7c867874065e32778a98121d757056a5122e2535067e437c2ced5a8a3bd77722
Instruction Fuzzy Hash: 2111D6714093806FE721CB11DC85FA6FFB8EF45720F0480DAF9449B692D364A948CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0106A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 0106A4F8

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8f1469231be1309fbea51180f8ba516fb03c80c8d17c36d74507c834b0c79695
Instruction ID: f14fba42ad65b2bd8a57049aaddd2261f863842f7fa1700e3ae5d9c6e0eadbc0
Opcode Fuzzy Hash: 8f1469231be1309fbea51180f8ba516fb03c80c8d17c36d74507c834b0c79695
Instruction Fuzzy Hash: 3C11D3B6600200EFEB21DE55CC44FA7FBECEF44614F04849AED859BA41D770E508CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05422B59 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 05422BD5

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 49de9dd1b344a689dfaba31dd7fba4a767e92be7a5612591bfec510686ffbb4e
Instruction ID: d51ddc09084860b781d02aae8a1d27e605da856c352cb21c89ced74a744937b1
Opcode Fuzzy Hash: 49de9dd1b344a689dfaba31dd7fba4a767e92be7a5612591bfec510686ffbb4e
Instruction Fuzzy Hash: 36218EB55093805FD7228E15DC44B63BFF8FF06610F0880CAED85CB2A2D265E909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 054200CA Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 0542013C

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 18fa1e02e53b58cf4664d900cf73d83ab8712dc47613c024c1640eb9558c0567
Instruction ID: 1141446c70f5981e50d361c9b978e79e313dd298617901f37eefd01d1eeede41
Opcode Fuzzy Hash: 18fa1e02e53b58cf4664d900cf73d83ab8712dc47613c024c1640eb9558c0567
Instruction Fuzzy Hash: 2511B176500614AFE721CF52CC88FA7F7F8EF04610F04849AE94A8B752D361E909CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 054208D2 Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 05420931

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 4fca15162481977b4aa05aecaba600649380a0329e79cb0500f109125c03018b
Instruction ID: bdca78fd56dbe0d4e8e47797030d9359c44562b7b72fccc8fdb86f68d20c54d0
Opcode Fuzzy Hash: 4fca15162481977b4aa05aecaba600649380a0329e79cb0500f109125c03018b
Instruction Fuzzy Hash: 38119372500200AFEB21DF55DC45FA7FBF8EF04724F0484AAE9498A651D774A509CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05422502 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 0542255B

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 62f4db5fd749b545e66c52cdaa66f947b5b7b442546f51dc12c5ee49cb0ecf6e
Instruction ID: 8f64f69f474ec561609e4648441de8c665ffee7de2150f98e3e015d3d9fb57cc
Opcode Fuzzy Hash: 62f4db5fd749b545e66c52cdaa66f947b5b7b442546f51dc12c5ee49cb0ecf6e
Instruction Fuzzy Hash: C411BFB5504200AFEB20CF55DC85FAABBA8EF44624F04C4AAED458B641D774A9498AB1

Uniqueness

Uniqueness Score: -1.00%

Function 05420006 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 05420082

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 7882b40670c6f3d06583cd980e59c87aacb6926e747e30b07ad2ae6788bf8eda
Instruction ID: 306f1433b0fffc1389f6d9e02722f5afacc21b39fa5a0a46ec57b8b997defd8d
Opcode Fuzzy Hash: 7882b40670c6f3d06583cd980e59c87aacb6926e747e30b07ad2ae6788bf8eda
Instruction Fuzzy Hash: 8211C1B15443406FD311CB16DC41F72BFF8EB8AA20F19819AFC489BA42D265B915CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 054238C5 Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05423939

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2068ddf71fe689f0318d18872adea1dc6735a668d0c2d2cbcd2d6fa856413996
Instruction ID: d7cf77f048c19d14ed31a928543b517a245162315bde9057250c50ada1e76933
Opcode Fuzzy Hash: 2068ddf71fe689f0318d18872adea1dc6735a668d0c2d2cbcd2d6fa856413996
Instruction Fuzzy Hash: 14219D714093C09FDB238F25CC44AA2BFB4EF07210F0984DBE9848F263D225A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 054225E6 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 0542263F

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 62f4db5fd749b545e66c52cdaa66f947b5b7b442546f51dc12c5ee49cb0ecf6e
Instruction ID: 69de20da0d1495afdf445c33233392439044eb893bc34e666d915d867dfad86e
Opcode Fuzzy Hash: 62f4db5fd749b545e66c52cdaa66f947b5b7b442546f51dc12c5ee49cb0ecf6e
Instruction Fuzzy Hash: F811C4B6504200AFEB20CF55DC45FA7F7E8EF04624F04C46AED45CB641D774A5098AB1

Uniqueness

Uniqueness Score: -1.00%

Function 0106AC03 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0106AC6E

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5a630a0689584fcf21a082033d7143c392bf2cbdaf13069c3377beafaaee983d
Instruction ID: 9b5b5956830908d20523e3bc1b9aa5f3f09f31175429ee6a63164bdd67eb55f6
Opcode Fuzzy Hash: 5a630a0689584fcf21a082033d7143c392bf2cbdaf13069c3377beafaaee983d
Instruction Fuzzy Hash: 6611A271409380AFDB228F55DC44B62FFF8EF4A320F0888DAED858B162C235A519DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05422426 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 0542247C

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: cff731149fb4e30f2c52be71db11fdc655b532d8ca0ffbfd7db1bced4721ca91
Instruction ID: 61335956deaeea739acaa0ff9ff8aa2e2e4cfc1eb5105faeba0f8faec800a046
Opcode Fuzzy Hash: cff731149fb4e30f2c52be71db11fdc655b532d8ca0ffbfd7db1bced4721ca91
Instruction Fuzzy Hash: 91112375504210AFEB10CF55DC84FABB7E8EF00224F04C4AAED44CF741D774A8088AB1

Uniqueness

Uniqueness Score: -1.00%

Function 0106B9F6 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 0106BA55

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: efa380f1130267847ac059247c1a0733d3489832e3970bdaaf10bbf0d91d4afd
Instruction ID: 00e641fc9820c7434c2c7c8818c0b3dc279bb6779c980904076377981ae886c0
Opcode Fuzzy Hash: efa380f1130267847ac059247c1a0733d3489832e3970bdaaf10bbf0d91d4afd
Instruction Fuzzy Hash: FF11C4B1504200AFEB21DF55DC44FAAFBFCEF04715F04845AED859B651C775A5088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 05421F7A Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 05421FD3

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: e72a3999226064b68546591b274ee5fcf50b716e17022479605313d7919b12bc
Instruction ID: 0419864cd15a37859100bbbbc7384ca0d7a1eef1ca7103a0c0a939f088b36bfa
Opcode Fuzzy Hash: e72a3999226064b68546591b274ee5fcf50b716e17022479605313d7919b12bc
Instruction Fuzzy Hash: E711E371404200AFEB20DF91CC84FA6FBE8EF04724F0484AAED459F641D774A509CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 054235A6 Relevance: 1.6, APIs: 1, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 05423604

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: 3b9fc6f73a98d075427c70c3c0295ea5f0432d2a0056431ac53760ad07bade95
Instruction ID: cd0c80bbf3c328d0f5accec73b95221e368be093e2155b3e5515dd2b5678933d
Opcode Fuzzy Hash: 3b9fc6f73a98d075427c70c3c0295ea5f0432d2a0056431ac53760ad07bade95
Instruction Fuzzy Hash: 4111A071504210AFE720DE51DC85FA7F7ACEF04624F18C49AED058B781D668E8498AB1

Uniqueness

Uniqueness Score: -1.00%

Function 0106A2AE Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0106A30C

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 773cfb72e74e28ec3f050773befb5a9117d7f95e818898a683610b313725054f
Instruction ID: 5f6b2f0c770f812b6ea2f6803f86289a4dc681fe9a67c32460d4031741dcf7a5
Opcode Fuzzy Hash: 773cfb72e74e28ec3f050773befb5a9117d7f95e818898a683610b313725054f
Instruction Fuzzy Hash: 07118F715093C0AFDB238B15DC54A62BFB8DF47624F0880DBED848F263D265A908C772

Uniqueness

Uniqueness Score: -1.00%

Function 05423A3D Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05423A9D

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a031e8c0ea7c7f257877a7ff8e793e6e009560d8fcc5c72ab116339197c5fe36
Instruction ID: 2d376bcc50caf612661c74af09cbc38986f3fe2d6804ee3aae9d0f89a044700b
Opcode Fuzzy Hash: a031e8c0ea7c7f257877a7ff8e793e6e009560d8fcc5c72ab116339197c5fe36
Instruction Fuzzy Hash: 9F11C475509780AFDB228F11DC44A52FFB4EF06320F08C4DEED858B662D365A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05420FF2 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 0542105B

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ec57e9147f346aaaaf70227611223e474c5c4bf71c1751b467635d78b6fc41ea
Instruction ID: 5d9915977640c599a360ac33bbf95a63bcb4b62e7f05ae0f57021602c02be866
Opcode Fuzzy Hash: ec57e9147f346aaaaf70227611223e474c5c4bf71c1751b467635d78b6fc41ea
Instruction Fuzzy Hash: 86112571104240AFE720DB11CC81FF6FBA8EF04724F14809AED045AB81C3B4A949CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 05422056 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 054220AC

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 52b4eb6814cae6c0a08fac418a49aeef3afa80c34877c84545f0ddce7aed7708
Instruction ID: 09d033923e730e3320b4d793218714ac002a322b7035cb606657659f8c866bd3
Opcode Fuzzy Hash: 52b4eb6814cae6c0a08fac418a49aeef3afa80c34877c84545f0ddce7aed7708
Instruction Fuzzy Hash: B4115B795042149FDB20CF55C884FA6FBE8EF04610F4884AADE4ACB251D3B0E949CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0106AD9F Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0106AE00

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: efc9e39dc27fb7f8fd403385a3fc9c84b834590f28fb69d4d52ea3725ede40d8
Instruction ID: 21f79d232559cf189e2c9e4a6346a8835112a6fe56d0d8b09480c0fd21beff99
Opcode Fuzzy Hash: efc9e39dc27fb7f8fd403385a3fc9c84b834590f28fb69d4d52ea3725ede40d8
Instruction Fuzzy Hash: 67116D714493C0AFDB12CB15DC49B52BFB4EF06224F0884DAED859F293D275A949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0542212A Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05422172

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: b51e2f3c70503e30bae68b1abed60e724d127e5b41b536803c3ebc8678b222e5
Instruction ID: 4ee2ccbc538a7ae94c87bf7a1c3cb7a6a219ab1e758bd6f420bcc4de4b6fc0fd
Opcode Fuzzy Hash: b51e2f3c70503e30bae68b1abed60e724d127e5b41b536803c3ebc8678b222e5
Instruction Fuzzy Hash: AE1170756042509FDB10DF56D885BABBBE8EF04620F08C4AADD49CB751D670D404CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0106B736 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,C14570BB,00000000,00000000,00000000,00000000), ref: 0106B789

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 3724c2d4cbeb1f23dabe1d50e75b1f1f70c298ea85b7fc9ea8b9519ac92bd336
Instruction ID: 947cd2c6e16b0653a77d354c3d330029922aa4c825cf72231694283798233269
Opcode Fuzzy Hash: 3724c2d4cbeb1f23dabe1d50e75b1f1f70c298ea85b7fc9ea8b9519ac92bd336
Instruction Fuzzy Hash: C501D6B5504200AFE720DF55DC84FA6F7ECEF44624F18C09AED458B741D778E5088AB5

Uniqueness

Uniqueness Score: -1.00%

Function 05423790 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 054237E7

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: 9bd494649692dcef262f67fee860d2622a2ceb7ece44e5db1a30fcdd70c8407b
Instruction ID: f1732fe9b99fab0efe842704d4d40e02568385916a31147dbc9876a777ab2fa6
Opcode Fuzzy Hash: 9bd494649692dcef262f67fee860d2622a2ceb7ece44e5db1a30fcdd70c8407b
Instruction Fuzzy Hash: E61191714083809FDB118F55DC44B52FFF4EF06220F0984DAED858F262D279A904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0106A902 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNELBASE(?,?,?), ref: 0106A942

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 622a0585564b89b67d86b65990b70c99368e3c0230a406fd7deeded71e1d9b72
Instruction ID: b35f3e69cc3011b58f6ba10fb1ebd7c643d5ac0d0948ede22b2c57d23703277f
Opcode Fuzzy Hash: 622a0585564b89b67d86b65990b70c99368e3c0230a406fd7deeded71e1d9b72
Instruction Fuzzy Hash: F901C076600200CFDB60DF69D885B6AFBE8EF04220F18C4AADD89DB752D235E408CE71

Uniqueness

Uniqueness Score: -1.00%

Function 05420B9E Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05420BEA

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 1036cdff69a092fef17e14fa8b9a8b9c7599dd7998203f377f2b0d7ad2b1cc24
Instruction ID: 8c79cda385dce3b52c6776fcda95700df85652982ae48d3903967ef6e8e3abda
Opcode Fuzzy Hash: 1036cdff69a092fef17e14fa8b9a8b9c7599dd7998203f377f2b0d7ad2b1cc24
Instruction Fuzzy Hash: 6D1170714006549FDB20CF95D888BA6FBF5FF08710F08C8AADD898B621D335E459DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05420D66 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 05420DB6

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 6675e9385d931ce37cedaa03c2a19e49069f62266b65e1c673b2c6972437061d
Instruction ID: e004677ab502b86e323ec265967c075c27c8814209cda0739da93b261151331b
Opcode Fuzzy Hash: 6675e9385d931ce37cedaa03c2a19e49069f62266b65e1c673b2c6972437061d
Instruction Fuzzy Hash: 4C017171500200AFD350DF16DD86B66FBE8FB88A20F14856AED489BB41D731B915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 05422B8A Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 05422BD5

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: e277a4b87981a1f6dcf493d6ef3e4ae3184f67c1f2e288a7d8eebbf9fec7c0b2
Instruction ID: a6abedfe1c81b8d269d1083ea6eba13e0252a5bbdbc25644f3c479eaeeee3f9f
Opcode Fuzzy Hash: e277a4b87981a1f6dcf493d6ef3e4ae3184f67c1f2e288a7d8eebbf9fec7c0b2
Instruction Fuzzy Hash: 88016D795086508FDB60DE55D848B62FBE4FF04620F48C09ADD49CB751D2B5E508CA72

Uniqueness

Uniqueness Score: -1.00%

Function 0106AC2A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0106AC6E

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d66a08146f72038dd5c7b9203e214a23782776b20cd403071a0250d1aaba6865
Instruction ID: 2d11e2bd64ab6203dfc80af5e158d718b7302c0cd59468bd6a5cd4a75d98484f
Opcode Fuzzy Hash: d66a08146f72038dd5c7b9203e214a23782776b20cd403071a0250d1aaba6865
Instruction Fuzzy Hash: AC018B32500204DFDB219F95D844B66FBE4EF48720F08C89ADE899B656C335E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0106BBC2 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0106BC12

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 33259aa74a52cdccaf609dad9ec5f929d778644c7478bb3e1e11299d91efc319
Instruction ID: 9f1c39f90d6053baae16b73d74709a4e54e25a352f8bfcd9bea3e0423290e08b
Opcode Fuzzy Hash: 33259aa74a52cdccaf609dad9ec5f929d778644c7478bb3e1e11299d91efc319
Instruction Fuzzy Hash: 2101A271500200ABD210DF16CC86B66FBF8FB88A20F14815AEC089BB41D771F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0106A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0106A780

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 57f1460dd145eb3a3eb6e45b85e41866429e4cba9962aa3a342d531069f07c31
Instruction ID: 35fa3ad12696bef95aa532ce1b216c1621a9837c2c3c6e199e285196248679fb
Opcode Fuzzy Hash: 57f1460dd145eb3a3eb6e45b85e41866429e4cba9962aa3a342d531069f07c31
Instruction Fuzzy Hash: 0801DF75600240CFDB50DF59DD85766FBE8EF00620F08C4ABDC8A9F752D278E408CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0106BD62 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 0106BDA0

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: f85060750d21da842a52feefa815c1c276dfa55b78766a1c712519dd97b58f15
Instruction ID: 0f009f87c538ea8e77acd620afbdc0eeb074d28cb8572182ddbfa31d9d790da7
Opcode Fuzzy Hash: f85060750d21da842a52feefa815c1c276dfa55b78766a1c712519dd97b58f15
Instruction Fuzzy Hash: BF018CB6500240DFDB21DF95D844B66FBE4EF14720F08C8AADD898E612D375A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05420032 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 05420082

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 99ce746694d9ea85d36078adb4ea961fd079766f6494bef8bde0b72a2d602de0
Instruction ID: a6c704a082a3d1da2f7a1dd5e8eb7db656c436bcda6e22408211f9fad319ffc5
Opcode Fuzzy Hash: 99ce746694d9ea85d36078adb4ea961fd079766f6494bef8bde0b72a2d602de0
Instruction Fuzzy Hash: 2101D171600200ABD310DF1ACC86B66FBF8FB88A20F14815AEC089BB41D731F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 05423A62 Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05423A9D

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5550ea1bd9b5bf00d4584c988d8a980a77f5a4d05c53accfad59e0331745df84
Instruction ID: 1ddda36dd9e29ad61ee7b4039c02f78a412adf03da486e8bb640719a76ed9260
Opcode Fuzzy Hash: 5550ea1bd9b5bf00d4584c988d8a980a77f5a4d05c53accfad59e0331745df84
Instruction Fuzzy Hash: 45017C76500650DFDB20CF55D884BA6FBF4EF04620F08C8AEDD4A8A762D375E459CB62

Uniqueness

Uniqueness Score: -1.00%

Function 054237B2 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 054237E7

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: 8aa356a088f00c3dcb0724ef129e654885c5924a126fe08283a129a32920f36d
Instruction ID: 906f9cafba83bb4d4aa811ed823eca7b82135d58ac96049867892994eaf1127f
Opcode Fuzzy Hash: 8aa356a088f00c3dcb0724ef129e654885c5924a126fe08283a129a32920f36d
Instruction Fuzzy Hash: F7018F718042509FDB10DF55D885BA6FBE4EF04620F48C8AADD498F752D279E805CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0106ADCE Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0106AE00

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: bbb868fc9b91e8009ab8da74100a08f72ffebc5aa1d4d08f068556f79b811f9a
Instruction ID: 7614a2b3dbb3dd15cfe1c61742ec8d3f43e23d621c162092ba7faf6b18b2d9e9
Opcode Fuzzy Hash: bbb868fc9b91e8009ab8da74100a08f72ffebc5aa1d4d08f068556f79b811f9a
Instruction Fuzzy Hash: 2901AD71900240DFDB50EF55D888B66FBE8EF04721F08C4AADD899F252D275A448CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 054238FE Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05423939

Memory Dump Source

Source File: 00000000.00000002.2273138604.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5420000_xyyDAUDPeYEH.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d9d89a09f741408f9a9f8d6743ba54ebee0614c8e8c23ccd0f80899ad6306bbe
Instruction ID: f6b8dd03e1b0a35baae5411e7706590bb234e82197156c0660d23333d897b985
Opcode Fuzzy Hash: d9d89a09f741408f9a9f8d6743ba54ebee0614c8e8c23ccd0f80899ad6306bbe
Instruction Fuzzy Hash: DD017C75400250DFDB20CF45D884BA6FBF0EF05620F08C49ADE494A762C376E459CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0106A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0106A30C

Memory Dump Source

Source File: 00000000.00000002.2271184772.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106a000_xyyDAUDPeYEH.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7ea4853fe5c29c9e5012a9de5c0c5d69423e7acd17a2c4a1bc6e70099bd95c94
Instruction ID: 92607624efe03228d7efa8cbab0a56c582adda213dff43b8814c74922bb8b8ea
Opcode Fuzzy Hash: 7ea4853fe5c29c9e5012a9de5c0c5d69423e7acd17a2c4a1bc6e70099bd95c94
Instruction Fuzzy Hash: 37F0AF75504240CFDB20EF46D888766FBE4EF04620F08C0DAED895F752D3B5E948CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 05821C60 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2273562762.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_xyyDAUDPeYEH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95e73d4731948cb58aa435e32e8e4f716b4dda3c3959f9192bdc7b326480291
Instruction ID: 7685c5e1f246b81b18f4ce935c8fad64258127ddd16b2452209cea4d2e6ddf89
Opcode Fuzzy Hash: a95e73d4731948cb58aa435e32e8e4f716b4dda3c3959f9192bdc7b326480291
Instruction Fuzzy Hash: 1D11CCB5908341AFD350CF19D840A5BFBE4FB88664F14896EF998D7311D331E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 012407C4 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2271792151.0000000001240000.00000040.00000020.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_xyyDAUDPeYEH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a72580ddcc7ae7e7efb5e8b5bd198e0a6f203f2f6038a110b0f370b00bab1e1
Instruction ID: 2b83a0c9098bedae0cb9bcbe89e11e4c989540119b78df42f9d09a26d31963d6
Opcode Fuzzy Hash: 1a72580ddcc7ae7e7efb5e8b5bd198e0a6f203f2f6038a110b0f370b00bab1e1
Instruction Fuzzy Hash: 3311E430218280DFE719CB54CA40B65BBA5EB88708F24C5ACFA491B693C777D843CA85

Uniqueness

Uniqueness Score: -1.00%

Function 0107ADEC Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2271253788.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_xyyDAUDPeYEH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c8a15b47a9661bdb34b621199b46977ea5525a8057093f2e6b9b09993fda76
Instruction ID: 6834a42044533804d3bfec604f77778f0b188746fbe2bcbc4e6acf2925e566f3
Opcode Fuzzy Hash: e9c8a15b47a9661bdb34b621199b46977ea5525a8057093f2e6b9b09993fda76
Instruction Fuzzy Hash: E611FAB5908301AFD350CF49DC44E5BFBE8EB88660F14C92EF95997311D231E9088FA2

Uniqueness

Uniqueness Score: -1.00%

Function 0124075C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2271792151.0000000001240000.00000040.00000020.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_xyyDAUDPeYEH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf23046d8d1ef077dae9d2699e9332a752919f302ee13883dbf5063cd27f7eff
Instruction ID: 818994d5462e2d8ccd4f2f6f062be14189a94cba6c3dea26afc509e883db7492
Opcode Fuzzy Hash: cf23046d8d1ef077dae9d2699e9332a752919f302ee13883dbf5063cd27f7eff
Instruction Fuzzy Hash: 9B112B3510D3C0DFD307CB20C950B51BFB1AF46214F2986DBE5848B6A3C23A9816CB52

Uniqueness

Uniqueness Score: -1.00%

Function 012405E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2271792151.0000000001240000.00000040.00000020.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_xyyDAUDPeYEH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475a8d95868f752ae1cb80800377adeb8176afa00d849da3427d3f47057e329e
Instruction ID: 3dc0a8565900e26e4ea22ae20a9539c5d340c1d73391fe468fd2ca230d4087e3
Opcode Fuzzy Hash: 475a8d95868f752ae1cb80800377adeb8176afa00d849da3427d3f47057e329e
Instruction Fuzzy Hash: A301ADB61087806FC7118B06EC40893FFF8EF8663070984ABE8488B652D125B909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012407B1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2271792151.0000000001240000.00000040.00000020.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_xyyDAUDPeYEH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1391cc17e0c4571f807ebb784cb6cf624ad6db558595e3ce85a5a74694f9cd4a
Instruction ID: 53a50253246735855ee416a30025b9866fed18ba207265fe3fcf5a679499b80e
Opcode Fuzzy Hash: 1391cc17e0c4571f807ebb784cb6cf624ad6db558595e3ce85a5a74694f9cd4a
Instruction Fuzzy Hash: A31182311087C1DFD716CB04CA40B55BBB5EB4A708F28C6EEEA494B6A3C376D852DB81

Uniqueness

Uniqueness Score: -1.00%

Function 01240880 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2271792151.0000000001240000.00000040.00000020.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_xyyDAUDPeYEH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3892dbd386058fb4e9b4385dfaca58d4fcf48128a75afda9f01e1b9ff9c535c3
Instruction ID: 31ce8da3d5df73f7f3e823d3322a6679188cb6f1ecf226a7dcfc6d431f0ccd1d
Opcode Fuzzy Hash: 3892dbd386058fb4e9b4385dfaca58d4fcf48128a75afda9f01e1b9ff9c535c3
Instruction Fuzzy Hash: 0FF01D35108645DFD306CF04DA40B65FBA2EB89718F24C6ADEA4917B62C737E813DA85

Uniqueness

Uniqueness Score: -1.00%

Function 01240606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2271792151.0000000001240000.00000040.00000020.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1240000_xyyDAUDPeYEH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da0dcabe079cf2c01be262982b05b5e93c3b90cb7ac31e175318eee73283bac
Instruction ID: d00c1107be83dafd48fa4021d41efd843d6c65a01f911a164f133cc4093a812b
Opcode Fuzzy Hash: 4da0dcabe079cf2c01be262982b05b5e93c3b90cb7ac31e175318eee73283bac
Instruction Fuzzy Hash: 17E092B66006004B9650DF0BED45466F7E8EB84630718C47FDC0D8B711D235B508CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 0107AE3B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2271253788.000000000107A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107a000_xyyDAUDPeYEH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865c897ebc01c20133a17ef71a123869accb71ec747f39a14b4de6661a933bdb
Instruction ID: eb86a0d29f569629264c85c097f8daeec7912482937b3b47c921671fcfde7242
Opcode Fuzzy Hash: 865c897ebc01c20133a17ef71a123869accb71ec747f39a14b4de6661a933bdb
Instruction Fuzzy Hash: 36E0D8B254020467D250DE069C45F53FB98DB40931F08C56BED095F741D175B50489F1

Uniqueness

Uniqueness Score: -1.00%

Function 05821CCB Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2273562762.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_xyyDAUDPeYEH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb070350b47d4269c75fb65b207c5bc9dd50d77d4a4dc3ccf2bfd412b4fb1fc
Instruction ID: 1f87dacff6ed092dc523e023dad88bb2d8d09102b0cce274fd1c88c691f2f88d
Opcode Fuzzy Hash: 3fb070350b47d4269c75fb65b207c5bc9dd50d77d4a4dc3ccf2bfd412b4fb1fc
Instruction Fuzzy Hash: B2E0D8F254030067D250DE069C45F53FBD8DB44931F08C46BED085F741D171B51489F1

Uniqueness

Uniqueness Score: -1.00%

Function 05821577 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2273562762.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5820000_xyyDAUDPeYEH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ba86500b1936bec480bbda6c3d61f5ca71bf42e7b69a590de54e05fa0b2987
Instruction ID: 1674c12d361013cfbf274525aba77852bf7fd0751d27cae6abfd205be65c8d96
Opcode Fuzzy Hash: 26ba86500b1936bec480bbda6c3d61f5ca71bf42e7b69a590de54e05fa0b2987
Instruction Fuzzy Hash: 3CE0D8B250020067D250DE069C45F53FBD8DB40931F08C46BED095F741D172B514C9F1

Uniqueness

Uniqueness Score: -1.00%

Function 010623F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2271163703.0000000001062000.00000040.00000800.00020000.00000000.sdmp, Offset: 01062000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1062000_xyyDAUDPeYEH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957c5d2e252d419fc23502efd5d44fd17b137f65f1ceaa18772719c4ef73bb01
Instruction ID: b969a8db5ff215670b69a7098f8f8fb9c93b210f2e8d3fcca3d65de86f7dcdd8
Opcode Fuzzy Hash: 957c5d2e252d419fc23502efd5d44fd17b137f65f1ceaa18772719c4ef73bb01
Instruction Fuzzy Hash: 13D05E792056C14FE3169A1CC1A8BA53BE8AF51714F4A44FDA8408BB63CB68E5D5D600

Uniqueness

Uniqueness Score: -1.00%

Function 010623BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2271163703.0000000001062000.00000040.00000800.00020000.00000000.sdmp, Offset: 01062000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1062000_xyyDAUDPeYEH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043197e7e63cfabad1cc69aa60a01bdc3b4424563c502036dbc05e7aa97f5e4a
Instruction ID: 470d724bbc9d4e5abeb55f424e0946132d82b88ba3d803de948d0ab36268e7e8
Opcode Fuzzy Hash: 043197e7e63cfabad1cc69aa60a01bdc3b4424563c502036dbc05e7aa97f5e4a
Instruction Fuzzy Hash: D1D05E342002814BD715DB0CC2D4F593BE8AF40714F1A84EDAC508F762C7A4E8C1CA00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xyyDAUDPeYEH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\xyyDAUDPeYEH.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
xyyDAUDPeYEH.exe

Function 012A15C0 Relevance: 12.6, Strings: 9, Instructions: 1396
COMMON

Function 0106A140 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
networkCOMMON

Function 0106A186 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
networkCOMMON

Function 012A03F8 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Function 0106B5DE Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Function 012A03E8 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Function 05421D7E Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Function 0106BB4B Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Function 0106A7C7 Relevance: 1.6, APIs: 1, Instructions: 95
registryCOMMON