Windows Analysis Report
xVcsGL5R1Nbh.exe

Overview

General Information

Sample name:xVcsGL5R1Nbh.exe
Analysis ID:1429973
MD5:cbe87d6abf69bdd3877821f493e6f6b1
SHA1:4099bc3848634a8d5ca58cd8c0fe029748b368e9
SHA256:76bd193c0535e6109143d35950e045e03fb25c4ab8419ca6fa69c4fbea4cd085
Tags: exe, njRat

Detection

Njrat
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Snort IDS alert for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Self deletion via cmd or bat file
Uses dynamic DNS services
Allocates memory with a write watch (potentially for evading sandboxes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Process Tree

  • System is w10x64
  • xVcsGL5R1Nbh.exe (PID: 6844, cmdline: "C:\Users\user\Desktop\xVcsGL5R1Nbh.exe", MD5: CBE87D6ABF69BDD3877821F493E6F6B1)
    • cmd.exe (PID: 5164, cmdline: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xVcsGL5R1Nbh.exe", MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7064, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
Malware Threat Intel

Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution: AQUATIC PANDA, Earth Lusca, Operation C-Major, The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration (Njrat)

{"Host": "patria.duckdns.org", "Port": "1994", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "4ee9f9af7e9"}
Yara Overview

Source | Rule | Description | Author
xVcsGL5R1Nbh.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000000.00000000.1701540964.0000000000352000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000000.00000002.2420818601.0000000002B31000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
Process Memory Space: xVcsGL5R1Nbh.exe PID: 6844 | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0.0.xVcsGL5R1Nbh.exe.350000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security

Sigma Overview

No Sigma rule has matched
Snort IDS Alerts (chronological; all four fire on the same TCP flow 49730 -> 1994)

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
04/23/24-00:06:12.129270 | 2033132 | 49730 | 1994 | TCP | A Network Trojan was detected
04/23/24-00:06:12.504132 | 2825563 | 49730 | 1994 | TCP | A Network Trojan was detected
04/23/24-00:07:13.366284 | 2825564 | 49730 | 1994 | TCP | A Network Trojan was detected
04/23/24-00:07:13.518261 | 2825565 | 49730 | 1994 | TCP | A Network Trojan was detected

AV Detection

Source: xVcsGL5R1Nbh.exe | Avira: detected
Source: 00000000.00000000.1701540964.0000000000352000.00000002.00000001.01000000.00000003.sdmp | Malware Configuration Extractor: Njrat {"Host": "patria.duckdns.org", "Port": "1994", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "4ee9f9af7e9"}
Source: Yara match | File source: xVcsGL5R1Nbh.exe, type: SAMPLE
Source: Yara match | File source: 0.0.xVcsGL5R1Nbh.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1701540964.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2420818601.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xVcsGL5R1Nbh.exe PID: 6844, type: MEMORYSTR
Source: xVcsGL5R1Nbh.exe | Joe Sandbox ML: detected

Compliance

Source: xVcsGL5R1Nbh.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: xVcsGL5R1Nbh.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49730 -> 46.246.6.20:1994
Source: Traffic | Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49730 -> 46.246.6.20:1994
Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49730 -> 46.246.6.20:1994
Source: Traffic | Snort IDS: 2825565 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP) 192.168.2.4:49730 -> 46.246.6.20:1994
Source: Malware configuration extractor | URLs: patria.duckdns.org
Source: unknown | DNS query: name: patria.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 46.246.6.20:1994
Source: Joe Sandbox View | ASN Name: PORTLANEwwwportlanecomSE
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: patria.duckdns.org
Source: xVcsGL5R1Nbh.exe, 00000000.00000002.2420110756.0000000000883000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.
Source: xVcsGL5R1Nbh.exe, 00000000.00000002.2420110756.0000000000883000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.LinkId=42127
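The four Snort alerts above all fire on one TCP flow and, read in time order, name successive njRAT command stages. The following Python is an added example, not part of the Joe Sandbox report or of any Joe Security tooling: it groups alert records by 4-tuple and orders the stages so that a single C2 session, its duration and whether it reached the screenshot stage can be read off. The alert records are constructed inline from the report's Snort table and Snort IDS lines (given in the page's unsorted order on purpose); the stage labels are the tags taken from the ET rule messages. Nothing is read from a live sensor.

```python
"""Added example (not from the Joe Sandbox report): correlate Snort alerts
on the same TCP flow into one njRAT C2 session with ordered stages."""
from collections import defaultdict
from datetime import datetime

# Snort timestamp format as printed in the report, e.g. 04/23/24-00:06:12.129270
TS_FMT = "%m/%d/%y-%H:%M:%S.%f"

# Stage tags copied from the ET rule messages on this page.
STAGES = {
    2033132: "ll",
    2825563: "inf",
    2825564: "act",
    2825565: "CAP (Sending Screenshot)",
}

# Constructed from the report's alert table; deliberately in the page's unsorted order.
ALERTS = [
    {"ts": "04/23/24-00:07:13.366284", "sid": 2825564, "src": "192.168.2.4", "sport": 49730, "dst": "46.246.6.20", "dport": 1994},
    {"ts": "04/23/24-00:06:12.129270", "sid": 2033132, "src": "192.168.2.4", "sport": 49730, "dst": "46.246.6.20", "dport": 1994},
    {"ts": "04/23/24-00:06:12.504132", "sid": 2825563, "src": "192.168.2.4", "sport": 49730, "dst": "46.246.6.20", "dport": 1994},
    {"ts": "04/23/24-00:07:13.518261", "sid": 2825565, "src": "192.168.2.4", "sport": 49730, "dst": "46.246.6.20", "dport": 1994},
]


def sessionize(alerts):
    """Group alerts by TCP 4-tuple; return first/last time, duration and the
    stages in wire order for each flow."""
    flows = defaultdict(list)
    for a in alerts:
        key = (a["src"], a["sport"], a["dst"], a["dport"])
        flows[key].append((datetime.strptime(a["ts"], TS_FMT), a["sid"]))
    sessions = {}
    for key, items in flows.items():
        items.sort()  # by timestamp, so stage order reflects what was on the wire
        first, last = items[0][0], items[-1][0]
        sessions[key] = {
            "first": first,
            "last": last,
            "duration_s": (last - first).total_seconds(),
            "stages": [STAGES.get(sid, f"sid {sid}") for _, sid in items],
        }
    return sessions


def screenshot_exfil_seen(session):
    """True when the session reached the screenshot-sending (CAP) stage."""
    return any(s.startswith("CAP") for s in session["stages"])


if __name__ == "__main__":
    for flow, s in sessionize(ALERTS).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  "
              f"{s['duration_s']:.1f}s  stages={s['stages']}  exfil={screenshot_exfil_seen(s)}")
```

For this report the single session runs about 61 seconds from the ll beacon to the CAP alert, which is the point at which a screenshot had already left the host; an alert on SID 2825565 alone should therefore be treated as confirmed exfiltration rather than as a beacon attempt.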

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: xVcsGL5R1Nbh.exe, Keylogger.cs | .Net Code: VKCodeToUnicode

E-Banking Fraud

Source: Yara match | File source: xVcsGL5R1Nbh.exe, type: SAMPLE
Source: Yara match | File source: 0.0.xVcsGL5R1Nbh.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1701540964.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2420818601.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xVcsGL5R1Nbh.exe PID: 6844, type: MEMORYSTR

System Summary

Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Code function: 0_2_011B19F0
Source: xVcsGL5R1Nbh.exe, 00000000.00000000.1701553439.0000000000358000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe4 vs xVcsGL5R1Nbh.exe
Source: xVcsGL5R1Nbh.exe, 00000000.00000002.2420110756.000000000081E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs xVcsGL5R1Nbh.exe
Source: xVcsGL5R1Nbh.exe | Binary or memory string: OriginalFilenameClient.exe4 vs xVcsGL5R1Nbh.exe
Source: xVcsGL5R1Nbh.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/1@1/1
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Code function: 0_2_04D0255A AdjustTokenPrivileges
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Code function: 0_2_04D02523 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\xVcsGL5R1Nbh.exe.log
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Mutant created: \Sessions\1\BaseNamedObjects\4ee9f9af7e9
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
Source: xVcsGL5R1Nbh.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xVcsGL5R1Nbh.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe "C:\Users\user\Desktop\xVcsGL5R1Nbh.exe"
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xVcsGL5R1Nbh.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Section loaded (in load order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, windows.storage.dll, wldp.dll, profapi.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll, fwpuclnt.dll, sspicli.dll, wbemcomn.dll, amsi.dll, userenv.dll, shfolder.dll, avicap32.dll, msvfw32.dll, winmm.dll, windowscodecs.dll
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: xVcsGL5R1Nbh.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: xVcsGL5R1Nbh.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: xVcsGL5R1Nbh.exe, Program.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Process created: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xVcsGL5R1Nbh.exe"
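The self-deletion command line above, the mutex named after the configuration's "Registry" value (\Sessions\1\BaseNamedObjects\4ee9f9af7e9 under System Summary) and the C2 host and port from the Malware Configuration section are the three behaviours a responder would turn into host and network detections. The Python below is an added example, not part of the Joe Sandbox report or of njRAT itself: it derives the indicators from the extracted configuration and runs a small triage over constructed Sysmon-style records (dicts built inline from this report's process tree, mutex and traffic, plus two benign records; not real logs). The field names of the records are assumptions for the example. One detail worth noting: the observed chain joins its parts with a single `&`, so the `Del` runs even though the leading token `Y` is not a valid command, which is why the check keys only on the final `Del` target matching the parent's own image.

```python
"""Added triage example (not from the Joe Sandbox report or from njRAT):
turn the extracted config and the observed self-delete command into
detection logic and run it over constructed telemetry."""
import re

# Configuration as extracted by the sandbox (values copied from the report).
NJRAT_CONFIG = {
    "Host": "patria.duckdns.org",
    "Port": "1994",
    "Campaign ID": "NYAN CAT",
    "Network Seprator": "@!#&^%$",
    "Registry": "4ee9f9af7e9",
}

# Matches a trailing  Del "<path>"  (quotes optional) at the end of a cmd.exe chain.
_DEL_RE = re.compile(r'(?i)\bdel\s+"?(?P<target>[^"&|]+?)"?\s*$')


def iocs_from_config(cfg):
    """Derive hunting artifacts from the extracted config."""
    return {
        "domain": cfg["Host"].lower(),
        "port": int(cfg["Port"]),
        # The report shows the "Registry" value reused as the mutex name
        # (\Sessions\1\BaseNamedObjects\4ee9f9af7e9).
        "mutex": cfg["Registry"],
    }


def is_self_delete(parent_image, child_image, child_cmdline):
    """True when a cmd.exe child deletes its parent's own image file.

    The chain uses '&', not '&&', so Del runs regardless of whether the
    earlier tokens ('Y /N /D Y /T 1') are valid; only the Del target matters.
    """
    if not child_image.lower().endswith("\\cmd.exe"):
        return False
    m = _DEL_RE.search(child_cmdline)
    return bool(m) and m.group("target").strip().lower() == parent_image.lower()


def triage(events, iocs):
    """Return a sorted list of (rule, evidence) hits for an event stream."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and is_self_delete(
            ev["parent_image"], ev["image"], ev["cmdline"]
        ):
            hits.append(("self_delete_via_cmd", ev["cmdline"]))
        elif kind == "mutex_create" and ev["name"].rsplit("\\", 1)[-1] == iocs["mutex"]:
            hits.append(("njrat_config_mutex", ev["name"]))
        elif kind == "dns_query" and ev["name"].lower() == iocs["domain"]:
            hits.append(("c2_domain_lookup", ev["name"]))
        elif kind == "net_connect" and ev["proto"] == "tcp" and ev["dst_port"] == iocs["port"]:
            hits.append(("c2_nonstandard_port", f'{ev["dst_ip"]}:{ev["dst_port"]}'))
    return sorted(hits)


SAMPLE = r"C:\Users\user\Desktop\xVcsGL5R1Nbh.exe"

# Constructed telemetry (assumed field names): the report's process tree, mutex
# and traffic, plus a benign del and a benign mutex that must not match.
EVENTS = [
    {"type": "process_create", "parent_image": SAMPLE, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd.exe /C Y /N /D Y /T 1 & Del "' + SAMPLE + '"'},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /C del "C:\\Temp\\old.log"'},
    {"type": "mutex_create", "name": r"\Sessions\1\BaseNamedObjects\4ee9f9af7e9"},
    {"type": "mutex_create", "name": r"\Sessions\1\BaseNamedObjects\Global\.net clr networking"},
    {"type": "dns_query", "name": "patria.duckdns.org"},
    {"type": "net_connect", "proto": "tcp", "dst_ip": "46.246.6.20", "dst_port": 1994},
]

if __name__ == "__main__":
    for rule, evidence in triage(EVENTS, iocs_from_config(NJRAT_CONFIG)):
        print(f"{rule:22s} {evidence}")
```

The mutex and domain checks are tied to this sample's configuration, so they must be regenerated per extracted config; the self-delete check is generic and catches the idiom regardless of the campaign values.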

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Process information set: NOOPENFILEERRORBOX (42 identical entries collapsed)
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Memory allocated: DE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Memory allocated: 2B30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Memory allocated: FE0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Window / User API: threadDelayed 1333
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Window / User API: threadDelayed 3777
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Window / User API: threadDelayed 4383
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Window / User API: foregroundWindowGot 1767
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe TID: 6860 | Thread sleep time: -1333000s >= -30000s
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe TID: 6860 | Thread sleep time: -4383000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: xVcsGL5R1Nbh.exe, 00000000.00000002.2420110756.0000000000883000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllontextBindingCollectionElement, System.WorkflowServices, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>

Anti Debugging

Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: xVcsGL5R1Nbh.exe, Program.cs | Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, cbName, ref lpszVer, 100)
Source: xVcsGL5R1Nbh.exe, Keylogger.cs | Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: xVcsGL5R1Nbh.exe, Keylogger.cs | Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: xVcsGL5R1Nbh.exe, 00000000.00000002.2420818601.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.2420818601.0000000002C05000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.2420818601.0000000002C25000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: xVcsGL5R1Nbh.exe, 00000000.00000002.2420818601.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.2420818601.0000000002C05000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.2420818601.0000000002C25000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@9

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\xVcsGL5R1Nbh.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: xVcsGL5R1Nbh.exe, type: SAMPLE
Source: Yara match | File source: 0.0.xVcsGL5R1Nbh.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1701540964.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2420818601.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xVcsGL5R1Nbh.exe PID: 6844, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: xVcsGL5R1Nbh.exe, type: SAMPLE
Source: Yara match | File source: 0.0.xVcsGL5R1Nbh.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1701540964.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2420818601.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xVcsGL5R1Nbh.exe PID: 6844, type: MEMORYSTR
MITRE ATT&CK Matrix

Only techniques with at least one matched signature are listed; the number in parentheses is the count of matched signatures. The matrix's unmatched filler cells (e.g. Valid Accounts, Scheduled Task/Job, Remote Desktop Protocol) are omitted.

Execution: Native API (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Access Token Manipulation (1), Process Injection (2), DLL Side-Loading (1)
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (2), Disable or Modify Tools (1), Access Token Manipulation (1), Process Injection (2), Software Packing (1), DLL Side-Loading (1), File Deletion (1)
Credential Access: Input Capture (1)
Discovery: Security Software Discovery (1), Virtualization/Sandbox Evasion (2), Process Discovery (1), Application Window Discovery (1), System Information Discovery (12)
Collection: Input Capture (1), Archive Collected Data (1)
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (21)
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no matched signatures
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
xVcsGL5R1Nbh.exe | 100% | Avira | TR/Dropper.Gen7
xVcsGL5R1Nbh.exe | 100% | Joe Sandbox ML |

Dropped Files, Unpacked PE Files, Domains: No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://go.microsoft. | 0% | URL Reputation | safe

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
patria.duckdns.org | 46.246.6.20 | true | true | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
patria.duckdns.org | true | | unknown

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://go.microsoft. | xVcsGL5R1Nbh.exe, 00000000.00000002.2420110756.0000000000883000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://go.microsoft.LinkId=42127 | xVcsGL5R1Nbh.exe, 00000000.00000002.2420110756.0000000000883000.00000004.00000020.00020000.00000000.sdmp | false | | low

Contacted Public IPs
IP | Domain | Country | ASN | ASN Name | Malicious
46.246.6.20 | patria.duckdns.org | Sweden | 42708 | PORTLANEwwwportlanecomSE | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1429973
Start date and time: 2024-04-23 00:05:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: xVcsGL5R1Nbh.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/1@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 89
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: xVcsGL5R1Nbh.exe

Time | Type | Description
00:06:40 | API Interceptor | 22062x Sleep call for process: xVcsGL5R1Nbh.exe modified
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  46.246.6.20xyyDAUDPeYEH.exeGet hashmaliciousNjratBrowse
                    xde47dUIgZDh.exeGet hashmaliciousAsyncRATBrowse
                      x7CwEiB9bHEP.exeGet hashmaliciousNjratBrowse
Match               Associated Sample Name / URL  SHA 256   Detection  Threat Name  Link    Context
patria.duckdns.org  bUBD.exe                      Get hash  malicious  Njrat        Browse  46.246.14.22
                    x5gJuYmvL7m2.exe              Get hash  malicious  Njrat        Browse  46.246.82.18
                    bTFU.exe                      Get hash  malicious  Njrat        Browse  46.246.14.2
                    bTDk.exe                      Get hash  malicious  Njrat        Browse  46.246.80.3
                    bT6H.exe                      Get hash  malicious  Njrat        Browse  46.246.12.4
                    bT6q.exe                      Get hash  malicious  Njrat        Browse  46.246.12.14
                    bT5A.exe                      Get hash  malicious  Njrat        Browse  46.246.80.9
                    bT57.exe                      Get hash  malicious  Njrat        Browse  46.246.80.9
                    bT5b.exe                      Get hash  malicious  Njrat        Browse  46.246.80.9
                    bT3v.exe                      Get hash  malicious  Njrat        Browse  46.246.84.15
Match                     Associated Sample Name / URL  SHA 256   Detection  Threat Name      Link    Context
PORTLANEwwwportlanecomSE  xyyDAUDPeYEH.exe              Get hash  malicious  Njrat            Browse  46.246.6.20
                          xzcQo6GenFVf.exe              Get hash  malicious  AsyncRAT, DcRat  Browse  46.246.14.5
                          tajma.x86-20240422-0535.elf   Get hash  malicious  Mirai, Okiru     Browse  188.126.69.245
                          x7RZVIWaDKb5.exe              Get hash  malicious  Njrat            Browse  46.246.14.17
                          x7RZVIWaDKb5.exe              Get hash  malicious  Njrat            Browse  46.246.14.17
                          bUBL.exe                      Get hash  malicious  Njrat            Browse  46.246.14.17
                          bUBD.exe                      Get hash  malicious  Njrat            Browse  46.246.14.22
                          xutnF2gKGTTy.exe              Get hash  malicious  AsyncRAT         Browse  46.246.4.3
                          8ubQTzsAqG.exe                Get hash  malicious  Unknown          Browse  185.117.88.39
                          8ubQTzsAqG.exe                Get hash  malicious  Unknown          Browse  185.117.88.39
                        No context
                        No context
                        Process:C:\Users\user\Desktop\xVcsGL5R1Nbh.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):907
                        Entropy (8bit):5.243019596074263
                        Encrypted:false
                        SSDEEP:24:MLF2CpI329Iz52VMzffup26KTnKoO2+b2hHAa/:MwQd9IzoaXuY6Ux+SF/
                        MD5:48A0572426885EBDE53CA62C7F2E194E
                        SHA1:035628CDF6276367F6C83E9F4AA2172933850AA8
                        SHA-256:4C68E10691304CAC8DA65A05CF2580728EC0E294104F267840712AF1C46A6538
                        SHA-512:DEFE728C2312918D94BD43C98908C08CCCA5EBFB77F873779DCA784F14C607B33A4E29AC5ECB798F2F741668B7692F72BCB60DEFD536EA86B296B64FA359C42D
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\53992d421e2c7ecf6609c62b3510a6f0\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\74774597e319a738b792e6a6c06d3559\System.Xml.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\1bd56c432cb9ff27e335d97f404caf8f\System.Management.ni.dll",0..
                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):3.79842206282092
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                        • Win32 Executable (generic) a (10002005/4) 49.75%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Windows Screen Saver (13104/52) 0.07%
                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                        File name:xVcsGL5R1Nbh.exe
                        File size:32'768 bytes
                        MD5:cbe87d6abf69bdd3877821f493e6f6b1
                        SHA1:4099bc3848634a8d5ca58cd8c0fe029748b368e9
                        SHA256:76bd193c0535e6109143d35950e045e03fb25c4ab8419ca6fa69c4fbea4cd085
                        SHA512:3c762fe9283dea8e9b007d477e0e979dd157bc271e8da4b68e5af8762245d0335283284eeec90246c767e9c31f8e456871ecfe392b350c6236be83819dcb4a5a
                        SSDEEP:384:h0bUe5XB4e0XvOb7w0Q0mS03AWTxtTUFQqzFzObbt:6T9Bum455dRbt
                        TLSH:69E218467BE94215D6BC1AFC8CB313214772E3838532EB6F9CDC98CA4B676D00245EE9
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....&f.................P... ......ng... ........@.. ....................................@................................
                        Icon Hash:90cececece8e8eb0
                        Entrypoint:0x40676e
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x6626DA9A [Mon Apr 22 21:46:02 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the rest of the entrypoint preview is zero bytes, which the disassembler renders as 97 repeated lines of "add byte ptr [eax], al"; omitted here)
Note: 0x00402000 is the image base (0x400000) plus the RVA of the IAT directory (0x2000, size 8) listed under the data directories, and the only import of the file is mscoree.dll!_CorExeMain. The native entrypoint is therefore the standard six-byte .NET loader stub; the sample's logic is CIL reached through the COM descriptor at RVA 0x2008, not the x86 bytes shown here.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x6714           0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8000           0x2a0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa000           0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity  File Type  Entropy               Characteristics
.text   0x2000           0x4774        0x5000    b00b74176e982e3c39043b9036e20959  False     0.474853515625   data       5.288956411742384     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x8000           0x2a0         0x1000    72e29550a9764ae2ca0bc9263e829114  False     0.07666015625    data       0.6655850551657312    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xa000           0xc           0x1000    34585954bedb30c5084980db7d41ad8f  False     0.0087890625     data       0.013126943721219527  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name        RVA     Size   Type  Language  Country  ZLIB Complexity
RT_VERSION  0x8058  0x244  data                     0.46379310344827585
DLL          Import
mscoree.dll  _CorExeMain
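The entrypoint preview and the data directory table together show the two header facts a triage script checks before spending time on x86 disassembly of a .NET binary: a non-empty IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (here RVA 0x2008, size 0x48) and an entrypoint that is a `jmp dword ptr [imagebase + IAT]` thunk to the single import, mscoree!_CorExeMain. The Python below is an added example, not Joe Sandbox's or the report's tooling. Because the sample itself is not on this page, it builds a synthetic PE32 image (a constructed stand-in that copies only this sample's entrypoint 0x676e, image base 0x400000, IAT and COM-descriptor directory entries and .text section layout, zeros everywhere else) and runs the same parser that would run over a real file's bytes. It does not resolve the import name, which would require walking the import directory the synthetic image does not contain; "managed stub" here means CLR header present plus an entry thunk that jumps into the IAT range.

```python
"""Added example: header triage for a .NET PE32 (CLR header + entry thunk), not part of the report."""
import struct

DIR_IAT = 12             # IMAGE_DIRECTORY_ENTRY_IAT
DIR_COM_DESCRIPTOR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)

def _parse_headers(data: bytes):
    """Return (entry_rva, image_base, data_directories, sections) from PE32 file bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(min(ndirs, 16))]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\x00").decode(), va, vsize, rawptr, rawsize))
    return entry_rva, image_base, dirs, sections

def rva_to_offset(rva: int, sections) -> int:
    """Map an RVA to a file offset using the section table (file layout, not memory layout)."""
    for _, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"rva {rva:#x} is not inside any section")

def triage(data: bytes) -> dict:
    """The two checks: CLR header present, and entrypoint is an FF 25 jmp through the IAT."""
    entry_rva, image_base, dirs, sections = _parse_headers(data)
    com_rva, com_size = dirs[DIR_COM_DESCRIPTOR] if len(dirs) > DIR_COM_DESCRIPTOR else (0, 0)
    iat_rva, iat_size = dirs[DIR_IAT] if len(dirs) > DIR_IAT else (0, 0)
    stub = data[rva_to_offset(entry_rva, sections):][:6]
    jmp_target = struct.unpack_from("<I", stub, 2)[0] if stub[:2] == b"\xff\x25" else None
    via_iat = jmp_target is not None and image_base + iat_rva <= jmp_target < image_base + iat_rva + iat_size
    return {
        "has_clr_header": com_rva != 0 and com_size >= 0x48,  # IMAGE_COR20_HEADER is 0x48 bytes
        "entry_rva": entry_rva,
        "entry_jmp_target": jmp_target,
        "entry_is_iat_thunk": via_iat,
        "managed_stub": com_rva != 0 and via_iat,
    }

def build_synthetic_pe32(with_clr: bool = True) -> bytes:
    """Constructed stand-in for the sample (not its real bytes): same entrypoint, image base,
    IAT / COM-descriptor directories and .text layout as the static tables above."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine i386, 1 section, TimeDateStamp, no symbols, SizeOfOptionalHeader 0xE0, EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0x6626DA9A, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x676E)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_IAT, 0x2000, 0x8)
    if with_clr:
        struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, 0x2008, 0x48)
    # .text: VirtualSize 0x4774, VA 0x2000, raw size 0x5000 at file offset 0x200, CODE|EXECUTE|READ
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x4774, 0x2000, 0x5000, 0x200, 0, 0, 0, 0, 0x60000020)
    image = bytearray((bytes(dos) + b"PE\x00\x00" + file_hdr + bytes(opt) + text).ljust(0x200 + 0x5000, b"\x00"))
    entry_off = 0x200 + (0x676E - 0x2000)
    image[entry_off:entry_off + 6] = b"\xff\x25" + struct.pack("<I", 0x402000)  # jmp dword ptr [00402000h]
    return bytes(image)

if __name__ == "__main__":
    print(triage(build_synthetic_pe32()))
```

Passing real file bytes (`triage(open(path, "rb").read())`) works unchanged for any PE32; for the same check on a PE32+ file the ImageBase field is 8 bytes at offset 24 and the directories start at offset 112, which this example deliberately does not handle.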
Timestamp                 Protocol  SID      Message                                                                       Source Port  Dest Port  Source IP    Dest IP
04/23/24-00:07:13.366284  TCP       2825564  ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)                      49730        1994       192.168.2.4  46.246.6.20
04/23/24-00:06:12.129270  TCP       2033132  ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)                          49730        1994       192.168.2.4  46.246.6.20
04/23/24-00:06:12.504132  TCP       2825563  ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)                      49730        1994       192.168.2.4  46.246.6.20
04/23/24-00:07:13.518261  TCP       2825565  ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP)   49730        1994       192.168.2.4  46.246.6.20
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Apr 23, 2024 00:06:11.752430916 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:06:12.026603937 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:06:12.026868105 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:06:12.129270077 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:06:12.503940105 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:06:12.504132032 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:06:13.003900051 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:06:17.612581968 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:06:18.106451035 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:06:20.896636963 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:06:20.900985956 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:06:21.315797091 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:06:39.006707907 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:06:39.007106066 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:06:39.407672882 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:06:56.483587980 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:06:56.483974934 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:06:56.815632105 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:05.753369093 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:06.119800091 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:07.269557953 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:07.606569052 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:10.333960056 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:10.377898932 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:10.412349939 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:10.817898035 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:11.972057104 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:12.315212965 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:12.315299034 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:12.707153082 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:13.128427982 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:13.366101980 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:13.366283894 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:13.518167973 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:13.518260956 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:13.719157934 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:13.719350100 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:13.920140028 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:13.920216084 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:14.107163906 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:14.107275963 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:14.297291040 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:14.384402037 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:14.384676933 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:14.587399006 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:14.587798119 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:14.768400908 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:14.818304062 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:14.818516970 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:14.993105888 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:15.019443035 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:15.019602060 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:15.051496983 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:15.051826000 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:15.206361055 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:15.206583977 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:15.267344952 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:15.267471075 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:15.349406004 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:15.349543095 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:15.518618107 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:15.518821955 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:15.565484047 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:15.626679897 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:15.626913071 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:15.796655893 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:15.796674967 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:15.796782970 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:16.061517954 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:16.073595047 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:16.114614010 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:16.114707947 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:16.143233061 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:16.338680029 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:16.338699102 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:16.338756084 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:16.338757038 CEST  49730        1994       192.168.2.4  46.246.6.20
Apr 23, 2024 00:07:16.401595116 CEST  1994         49730      46.246.6.20  192.168.2.4
Apr 23, 2024 00:07:16.401660919 CEST  49730        1994       192.168.2.4  46.246.6.20
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Apr 23, 2024 00:06:11.604895115 CEST  56979        53         192.168.2.4  1.1.1.1
Apr 23, 2024 00:06:11.749433041 CEST  53           56979      1.1.1.1      192.168.2.4

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
Apr 23, 2024 00:06:11.604895115 CEST  192.168.2.4  1.1.1.1  0x3a9a    Standard query (0)  patria.duckdns.org  A (IP address)  IN (0x0001)  false

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                CName  Address      Type            Class        DNS over HTTPS
Apr 23, 2024 00:06:11.749433041 CEST  1.1.1.1    192.168.2.4  0x3a9a    No error (0)  patria.duckdns.org  -      46.246.6.20  A (IP address)  IN (0x0001)  false
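The Snort messages above name the njRAT command strings seen on the port 1994 session between 192.168.2.4:49730 and 46.246.6.20 (ll, inf, act, CAP). The Python below is an added example, not part of the Joe Sandbox report and not njRAT's own code: a parser for the njRAT/Bladabindi C2 framing that those signatures key on, written to be run over a reassembled TCP stream like that session. The framing (a decimal payload length, a NUL byte, then the payload, with fields separated by the literal string |'|'|) follows public njRAT analyses and is an assumption of this example, not something the report states; the field layout of the "ll" beacon varies between builds and the one used here is made up. The sample stream is constructed, not captured traffic.

```python
"""Added example: njRAT C2 frame parser over a constructed stream (not from the report)."""
import re

SEP = b"|'|'|"                       # njRAT field separator (assumption from public analyses)
LENGTH_PREFIX = re.compile(rb"(\d+)\x00")  # "<decimal length>\0" in front of every payload

# Commands named in the Snort messages above, with their usual meaning.
COMMANDS = {
    "ll": "registration beacon (client -> C2)",
    "inf": "host information",
    "act": "active window title",
    "CAP": "screenshot data",
}

def build_frame(*fields: bytes) -> bytes:
    """Encode one message: <len>\\0<field|'|'|field...>. Used here only to build test data."""
    payload = SEP.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload

def parse_frames(stream: bytes):
    """Split a reassembled TCP stream into (command, fields) tuples.

    Returns (frames, leftover). leftover is an incomplete trailing frame, so a
    caller doing stream reassembly keeps it and prepends it to the next segment.
    Payloads are binary-safe because framing is by length, not by delimiter."""
    frames, pos = [], 0
    while pos < len(stream):
        m = LENGTH_PREFIX.match(stream, pos)
        if not m:
            raise ValueError(f"no length prefix at offset {pos}")
        length, start = int(m.group(1)), m.end()
        if start + length > len(stream):
            break  # partial frame, wait for more data
        fields = stream[start:start + length].split(SEP)
        frames.append((fields[0].decode("latin-1"), fields[1:]))
        pos = start + length
    return frames, stream[pos:]

def summarize(frames):
    """One (command, meaning, field_count) tuple per frame; binary payloads are not decoded."""
    return [(cmd, COMMANDS.get(cmd, "unrecognised"), len(fields)) for cmd, fields in frames]

# Constructed stream: beacon, info reply, active-window report, a screenshot
# frame carrying arbitrary binary bytes, then a frame cut off mid-transfer.
SAMPLE_STREAM = (
    build_frame(b"ll", b"SGFja0Vk", b"DESKTOP-EXAMPLE", b"user", b"24-04-23", b"", b"Win 10", b"No", b"0.7d")
    + build_frame(b"inf", b"SGFja0Vk_DESKTOP-EXAMPLE_user")
    + build_frame(b"act", b"Untitled - Notepad")
    + build_frame(b"CAP", bytes(range(256)))
    + b"12\x00act|'|"
)

if __name__ == "__main__":
    frames, leftover = parse_frames(SAMPLE_STREAM)
    for line in summarize(frames):
        print(line)
    print("leftover bytes:", leftover)
```

Because the length prefix is what delimits frames, a detection that only searches for `|'|'|` will also fire on the separator appearing inside a binary CAP payload; parsing the frames first and then looking at the command field avoids that.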


                        Target ID:0
                        Start time:00:06:03
                        Start date:23/04/2024
                        Path:C:\Users\user\Desktop\xVcsGL5R1Nbh.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\xVcsGL5R1Nbh.exe"
                        Imagebase:0x350000
                        File size:32'768 bytes
                        MD5 hash:CBE87D6ABF69BDD3877821F493E6F6B1
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1701540964.0000000000352000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.2420818601.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true

                        Target ID:5
                        Start time:00:07:14
                        Start date:23/04/2024
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xVcsGL5R1Nbh.exe"
                        Imagebase:0x240000
                        File size:236'544 bytes
                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:6
                        Start time:00:07:14
                        Start date:23/04/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true
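The cmd.exe child at Target ID 5 is the evidence behind the "Self deletion via cmd or bat file" signature, and two details of its command line matter to anyone turning it into a detection. First, as logged it begins with `Y /N /D Y /T 1`: those are the switches of a `choice /C Y /N /D Y /T 1` one-second delay with the `choice` command itself absent, so cmd.exe only reports that `Y` is not recognized. Second, the separator is `&`, not `&&`, so `Del` runs regardless of that failure and runs immediately; whether the delete succeeds then depends only on the parent having exited and released its image by the time `Del` executes. A rule keyed on `choice`, `ping` or `timeout` would miss this; a rule keyed on a cmd.exe child deleting its own parent's image path would not. The Python below is an added example, not part of the report or of any vendor's rule set: that detection run over constructed process-creation events (shaped like Sysmon Event ID 1 fields). The events are made up; only the command line quoted from Target ID 5 is real.

```python
"""Added example: detect cmd.exe children that delete their parent's image (not from the report)."""
import re

# "del"/"erase" with optional switches and a quoted or unquoted target path.
# The lookbehind stops words such as "model" or "file.del" from matching.
DEL_RE = re.compile(r'(?<![\w.])(?:del|erase)\s+(?:/[a-z]\s+)*(?:"([^"]+)"|(\S+))', re.I)
# Delay idioms usually placed in front of the delete so the parent can exit first.
DELAY_RE = re.compile(r'\b(?:ping|choice|timeout)\b|/T\s+\d+', re.I)

def _norm(path: str) -> str:
    return path.strip().strip('"').lower()

def delete_targets(cmdline: str) -> list:
    """Every path passed to del/erase anywhere in a cmd.exe command line, in order."""
    return [quoted or bare for quoted, bare in DEL_RE.findall(cmdline)]

def detect_self_deletion(events: list) -> list:
    """Flag cmd.exe processes whose command line deletes the parent's own image path."""
    findings = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\cmd.exe"):
            continue
        parent = _norm(ev["ParentImage"])
        for target in delete_targets(ev["CommandLine"]):
            if _norm(target) == parent:
                findings.append({
                    "pid": ev["ProcessId"],
                    "parent_image": ev["ParentImage"],
                    "deleted_path": target,
                    # informational only: the report's own command line has /T 1 but no real delay
                    "delay_syntax_present": bool(DELAY_RE.search(ev["CommandLine"])),
                })
    return findings

SAMPLE_EVENTS = [  # constructed events; PIDs and the last two command lines are hypothetical
    {   # the cmd.exe child from this report, command line as logged at Target ID 5
        "ProcessId": 4011, "Image": r"C:\Windows\SysWOW64\cmd.exe",
        "ParentImage": r"C:\Users\user\Desktop\xVcsGL5R1Nbh.exe",
        "CommandLine": r'cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xVcsGL5R1Nbh.exe"',
    },
    {   # benign: deletes a temp file, not its parent
        "ProcessId": 4012, "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\Example\updater.exe",
        "CommandLine": r'cmd.exe /c del /q "C:\Users\user\AppData\Local\Temp\upd1.tmp"',
    },
    {   # ping-based delay, unquoted path, different letter case than the parent image
        "ProcessId": 4013, "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Users\user\Downloads\loader.exe",
        "CommandLine": r"cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q C:\Users\user\Downloads\LOADER.EXE",
    },
]

if __name__ == "__main__":
    for finding in detect_self_deletion(SAMPLE_EVENTS):
        print(finding)
```

The comparison is on the full normalised path rather than the file name so that a cmd.exe deleting a same-named file elsewhere does not fire; a production rule would additionally resolve 8.3 short names and environment variables in the target before comparing.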


                          Execution Graph

                          Execution Coverage:16%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:2.1%
                          Total number of Nodes:144
                          Total number of Limit Nodes:7
(The execution graph's node and edge data is not reproduced here. API nodes reached in the graph, grouped by the memory region they were recorded in:
• 0x4d0xxxx region: GetProcessTimes, GetExitCodeProcess, SetProcessWorkingSetSize, PostMessageW, LookupPrivilegeValueW, RegCreateKeyExW, AdjustTokenPrivileges, select, WSAConnect, GetProcessWorkingSetSize, DispatchMessageW, GetComputerNameW, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetVolumeInformationA, LoadLibraryShim, getaddrinfo, RegDeleteKeyW, LoadLibraryA, MapViewOfFile, ioctlsocket
• 0xb1axxx / 0xb1bxxx region: GetFileType, ReadFile, RegOpenKeyExW, setsockopt, DuplicateHandle, RegQueryValueExW, SetErrorMode, CreateFileW, WSASocketW, RegSetValueExW, send, CreateMutexW, closesocket, FindCloseChangeNotification
• 0x11b0xxx region: KiUserExceptionDispatcher)

                          Control-flow Graph

                          • Executed
                          • Not Executed
(Control-flow graph of the function at 0x11b19f0, basic blocks 0x11b19f0 through 0x11b3075 with executed / not-executed colouring; the function calls into 0x11b1720, 0x11b1908, 0x11b0550, 0x11b1758, 0x11b3081, 0x11b316c, 0x11b31b2 and 0x11b31a0. The block-edge data itself is not reproduced here.)
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420781100.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_11b0000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID:
                          • String ID: $
                          • API String ID: 0-227171996
                          • Opcode ID: fde3ef65356cb098e279e0d77ddba1d9aa0f4c99193250fc574896f8ea76275c
                          • Instruction ID: 4e6fefd2e4abe46c9f540da4576afac1d129ec9873947dff5eee6177a3f05c6a
                          • Opcode Fuzzy Hash: fde3ef65356cb098e279e0d77ddba1d9aa0f4c99193250fc574896f8ea76275c
                          • Instruction Fuzzy Hash: CDC29D30B002249FDB18EB29C994BED77E6AF88308F1180A9E5099B7A5DF35DD45CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04D025A3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: AdjustPrivilegesToken
                          • String ID:
                          • API String ID: 2874748243-0
                          • Opcode ID: 329ed2822097e6f0325c17bff757981be7bf8051a6f9bdde2f7b693786a72379
                          • Instruction ID: 75883514b6966948ed62ce24830bb40dfdf9b8bf6354ba6327ef9e3fa5d0da83
                          • Opcode Fuzzy Hash: 329ed2822097e6f0325c17bff757981be7bf8051a6f9bdde2f7b693786a72379
                          • Instruction Fuzzy Hash: 35219F755097809FDB228F25DC58B52BFF4EF06310F0884DAE9858F5A3D275E908CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04D025A3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: AdjustPrivilegesToken
                          • String ID:
                          • API String ID: 2874748243-0
                          • Opcode ID: d8a9f048c09f63c8be1a6b979930d85cb3bc10bf3c58c3697d3bc60d7ebf60a0
                          • Instruction ID: b6cbf88bfa5c3429171f8f4259b6b2e97c98e01d8c1d6c86021a68d931603ec5
                          • Opcode Fuzzy Hash: d8a9f048c09f63c8be1a6b979930d85cb3bc10bf3c58c3697d3bc60d7ebf60a0
                          • Instruction Fuzzy Hash: 511173756012049FDB20CF55D948B56FBE4FF18320F08C4AADD458BA95D375E814DF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (rendered graph omitted)
                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 011B041F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420781100.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_11b0000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: 19441b97515637d07f634651410d1108a64f756e4c05598223449adc9a8e95a9
                          • Instruction ID: 2ddd392513db6caae28398d2e6bf543872b9bd4275aebe48cbd7e3cf23eb3c8f
                          • Opcode Fuzzy Hash: 19441b97515637d07f634651410d1108a64f756e4c05598223449adc9a8e95a9
                          • Instruction Fuzzy Hash: 13319371A002018FDB18DF39C9C55DEB7F6EF88214B548069E809DB79ADB38DD46CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (rendered graph omitted)
                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 011B041F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420781100.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_11b0000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: aa398d341969aa277f6e678147b5b04b658b7d4e922ad8daf76656cb7a499c2e
                          • Instruction ID: d04dc60947a0bfc07f0fa748d21a8d5b6505d4afc6ac22979b0c3027401245f0
                          • Opcode Fuzzy Hash: aa398d341969aa277f6e678147b5b04b658b7d4e922ad8daf76656cb7a499c2e
                          • Instruction Fuzzy Hash: 6D318D71A002008FCB18DF79C9C45DEB7F6EF88214B588069E809DB79ADB38DD45CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (rendered graph omitted)
                          APIs
                          • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00B1B69D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: 1faff24e8affed70fae36168f619e19d796832284ddf48ff0604fc0db63b1f9b
                          • Instruction ID: 3a97598f686e0e4e46d584a8c709a529de845a72b303833ce8c0c33f9051636c
                          • Opcode Fuzzy Hash: 1faff24e8affed70fae36168f619e19d796832284ddf48ff0604fc0db63b1f9b
                          • Instruction Fuzzy Hash: 6731C3B1504780AFE712CF65CC44FA2BFE8EF16314F08849AE9848B652D335E809DB71
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (rendered graph omitted)
                          APIs
                          • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04D020F5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: a636459a89549ddd2075c9d057161fa3b42c88e9e7b70dab7c91f596d5536251
                          • Instruction ID: 01cd3cdcce5830ac6faf3470749462729e3ecfda35d5225a091e305aba1e8f4c
                          • Opcode Fuzzy Hash: a636459a89549ddd2075c9d057161fa3b42c88e9e7b70dab7c91f596d5536251
                          • Instruction Fuzzy Hash: 65315072504744AFE7228F65CC44FA6BBFCEF15310F08859AE9459B692D324E908CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (rendered graph omitted)
                          APIs
                          • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 00B1BC12
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          • Opcode ID: 732eb3595b95f9f5578ebd7ebfbf0641f952c931a82f28c0749fee675944f7d6
                          • Instruction ID: 7b155efae500e0084fc75bf3dfd2b2e37e0428318e580938f7f3646a38b010a5
                          • Opcode Fuzzy Hash: 732eb3595b95f9f5578ebd7ebfbf0641f952c931a82f28c0749fee675944f7d6
                          • Instruction Fuzzy Hash: E3317E6510E7C06FD3138B358C61A62BFB4EF47610B0E85CBD8C49F6A3D219A909C7B2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (rendered graph omitted)
                          APIs
                          • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00B1A879
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: Open
                          • String ID:
                          • API String ID: 71445658-0
                          • Opcode ID: 33dd52d6321f35b3e34d86ade6b2bce0dbef192e7d7670f47ec26c0ccf249eeb
                          • Instruction ID: dfdd1f6762b166db0053e651d384030b1d5302d11770028a811cbe15df1a8818
                          • Opcode Fuzzy Hash: 33dd52d6321f35b3e34d86ade6b2bce0dbef192e7d7670f47ec26c0ccf249eeb
                          • Instruction Fuzzy Hash: 7331B5B14083806FE7228B51CC44FA7BFE8EF16310F08849AE9848B693D264E909C771
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (rendered graph omitted)
                          APIs
                          • getaddrinfo.WS2_32(?,00000E24), ref: 04D00A63
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: getaddrinfo
                          • String ID:
                          • API String ID: 300660673-0
                          • Opcode ID: 7d54de7bf9cad54ce472467827e39068d3ed24be02ddf500f3d7f997b44341de
                          • Instruction ID: 21fb3a1de900346013b14d29e41bf4d5f477a38eb7263e67ed8a02e7e31ab05f
                          • Opcode Fuzzy Hash: 7d54de7bf9cad54ce472467827e39068d3ed24be02ddf500f3d7f997b44341de
                          • Instruction Fuzzy Hash: B831C2B2500340AFE721CF51DD44FA6FBACEF44314F04889AFA499B682D374A948CB71
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (rendered graph omitted)
                          APIs
                          • GetProcessTimes.KERNELBASE(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 04D00931
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: ProcessTimes
                          • String ID:
                          • API String ID: 1995159646-0
                          • Opcode ID: ee0c075b6a5af14a0d5d06e1399b738fcdaa0b64d9911587cfd181ef3d1c9c0f
                          • Instruction ID: f5bdb6372efa010a29c29f1ad676571c5e2251b61fba5fc1962d6d0c22f4a4af
                          • Opcode Fuzzy Hash: ee0c075b6a5af14a0d5d06e1399b738fcdaa0b64d9911587cfd181ef3d1c9c0f
                          • Instruction Fuzzy Hash: 7731C8725057806FE7228F21DC44B96BFB8EF57324F09C4DAE9849F193D225A909C771
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (rendered graph omitted)
                          APIs
                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 04D00227
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: DescriptorSecurity$ConvertString
                          • String ID:
                          • API String ID: 3907675253-0
                          • Opcode ID: e5d076ddd1615537731cd7c761b0676266bd4d2daa4a0c171dc721449b0a3fdf
                          • Instruction ID: d75c8df9dd9062357f0482ee3c9215c4f62f8683cac20b0bb53f1eaaa7e4be16
                          • Opcode Fuzzy Hash: e5d076ddd1615537731cd7c761b0676266bd4d2daa4a0c171dc721449b0a3fdf
                          • Instruction Fuzzy Hash: 64319172504384AFEB22CF65DC45FA7BBE8EF45210F08849AE944DB692D324E948CB71
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (rendered graph omitted)
                          APIs
                          • CreateMutexW.KERNELBASE(?,?), ref: 00B1A6B9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: CreateMutex
                          • String ID:
                          • API String ID: 1964310414-0
                          • Opcode ID: 24924953df064d5cf84ce9c030bd9636ce6bcdad7fdc08d95e8e691e31e8bf0e
                          • Instruction ID: 2b2ecc7097f5f46103af6c6573822897da40d832545770af3d5f54877423b289
                          • Opcode Fuzzy Hash: 24924953df064d5cf84ce9c030bd9636ce6bcdad7fdc08d95e8e691e31e8bf0e
                          • Instruction Fuzzy Hash: A031AFB15097806FE712CB25CC85B96BFF8EF16310F08849AE984DB292D374E909C762
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (rendered graph omitted)
                          APIs
                          • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04D020F5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: ff10bde0a5bc63613653e95700766afbc27561610c156df6a4499d8ecaa919bf
                          • Instruction ID: 8aad6d21b8fe13b459fd3fb2e1ce80f8fbf797eb5f0c5343b576aad28ad9eb19
                          • Opcode Fuzzy Hash: ff10bde0a5bc63613653e95700766afbc27561610c156df6a4499d8ecaa919bf
                          • Instruction Fuzzy Hash: AB217EB2600704AEEB219E55CC44FA7BBECEF18714F04C45AE945D7A91E324F948CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • getaddrinfo.WS2_32(?,00000E24), ref: 04D00A63
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: getaddrinfo
                          • String ID:
                          • API String ID: 300660673-0
                          • Opcode ID: dda1987d300236e4d0327527c6435860cc0c97471b4719ef0e841d97d2308ae5
                          • Instruction ID: ddbbb8fff1c15475961b9212799072b705e05297d17d58fec8ab46c97098909b
                          • Opcode Fuzzy Hash: dda1987d300236e4d0327527c6435860cc0c97471b4719ef0e841d97d2308ae5
                          • Instruction Fuzzy Hash: 3121BFB2100200AEEB219F51DD84FAAF7ECEB14314F04885AFA499B681D774E5488B71
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 04D01066
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: InformationVolume
                          • String ID:
                          • API String ID: 2039140958-0
                          • Opcode ID: 0fea6dcbfb5ee35ce7d5c9a9378feb18dcf037b954a310cb8b12353fd4ccecc0
                          • Instruction ID: 5b9e0842da4904d199e1a326c3cbb9b3209045fb56fec662ef9e604616bca637
                          • Opcode Fuzzy Hash: 0fea6dcbfb5ee35ce7d5c9a9378feb18dcf037b954a310cb8b12353fd4ccecc0
                          • Instruction Fuzzy Hash: D631917150D3C16FD3128B258C55B62BFB8EF87610F0980DBE884DF693D225A948C7A2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: select
                          • String ID:
                          • API String ID: 1274211008-0
                          • Opcode ID: e386c2e25e83ac759aafc82865a913504409a14a069060298bc78864ea07ddc9
                          • Instruction ID: 9d93330a73ff4e7b6530b7ff5509af65a64809cb066979a6144b63dddbae07fd
                          • Opcode Fuzzy Hash: e386c2e25e83ac759aafc82865a913504409a14a069060298bc78864ea07ddc9
                          • Instruction Fuzzy Hash: 74216B715093849FDB22CF25DC44B52BFF8EF0A310F0884DAE984CF1A2D264A909CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegQueryValueExW.KERNELBASE(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 00B1A40C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          • Opcode ID: 9a6e0978bd7201b54dc630c57d861dce8e4c84927b5e1a0f34fbab1f18bdbf0f
                          • Instruction ID: 1b9e0207907968e66132c65e233cd36a8c0e0f7cbb78dd0c941247e45d622b47
                          • Opcode Fuzzy Hash: 9a6e0978bd7201b54dc630c57d861dce8e4c84927b5e1a0f34fbab1f18bdbf0f
                          • Instruction Fuzzy Hash: 26217AB1605740AFD721CF15DC84FA6BBF8EF15620F08849AE985DB292D364F948CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetFileType.KERNELBASE(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 00B1B789
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: FileType
                          • String ID:
                          • API String ID: 3081899298-0
                          • Opcode ID: 9870b047160dab0b48834b8d2edcd2e38f0876805b26c2009e62dcaf67482456
                          • Instruction ID: ec014f6b5c5d104f19df067bf97b9bb0940abf2d7e908c9fe7c76e0fca15efad
                          • Opcode Fuzzy Hash: 9870b047160dab0b48834b8d2edcd2e38f0876805b26c2009e62dcaf67482456
                          • Instruction Fuzzy Hash: F921F8B55097806FE7128B25DC81BA2BFACEF57720F0980D6ED849B293D264AD09C771
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetExitCodeProcess.KERNELBASE(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 04D0272C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: CodeExitProcess
                          • String ID:
                          • API String ID: 3861947596-0
                          • Opcode ID: 5181e9631946277f3abea66b7f8137df8e9f9b60c8065cb686ed6f3dac22d4ec
                          • Instruction ID: 7ebee4d481a9bf84b97c84a8b74ba5a4144e8e990ac11f780928d8246651ef2c
                          • Opcode Fuzzy Hash: 5181e9631946277f3abea66b7f8137df8e9f9b60c8065cb686ed6f3dac22d4ec
                          • Instruction Fuzzy Hash: 1821C1B15093806FE712CB24DC44B96BFA8EF46320F0884DAE944DF292D264A908C771
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: FileView
                          • String ID:
                          • API String ID: 3314676101-0
                          • Opcode ID: d0d3526f2f3a9c1c09a4d1a4118e84d06672e91f91fcbf2a77ff0ab5537d0eaf
                          • Instruction ID: 6de27596a1204217d4d3bd541ecb05d500afacd470107b85d9377541f2ada943
                          • Opcode Fuzzy Hash: d0d3526f2f3a9c1c09a4d1a4118e84d06672e91f91fcbf2a77ff0ab5537d0eaf
                          • Instruction Fuzzy Hash: 2C21ADB1504384AFE722CF55DC44F96FBF8EF19224F08849AE9849B692D375F508CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • WSASocketW.WS2_32(?,?,?,?,?), ref: 00B1BCCA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: Socket
                          • String ID:
                          • API String ID: 38366605-0
                          • Opcode ID: fa5df2441bfd38e360ea46490613ebac405be2082b864da0cf42501574f55c0b
                          • Instruction ID: f40e047245708678dc07db98b8ab703e89a727d355071fabdd628422e8efd7db
                          • Opcode Fuzzy Hash: fa5df2441bfd38e360ea46490613ebac405be2082b864da0cf42501574f55c0b
                          • Instruction Fuzzy Hash: 6E21D071505380AFE722CF51DC44F96FFF8EF05220F08889EE9858B692C375A808CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegSetValueExW.KERNELBASE(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 00B1A4F8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: Value
                          • String ID:
                          • API String ID: 3702945584-0
                          • Opcode ID: c3b87455d3d155f4a6db11950429488e2ed589004606ac8de0638620b7a81bab
                          • Instruction ID: dfcf68eb6e5fe81b0c6904a20a25903622cd8f29d1105dfe805e0edb43b53301
                          • Opcode Fuzzy Hash: c3b87455d3d155f4a6db11950429488e2ed589004606ac8de0638620b7a81bab
                          • Instruction Fuzzy Hash: 3B21B2B25057806FE7228F11CC44FA7BFF8EF56220F08849AE945DB692D264E848C771
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04D02422
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: LookupPrivilegeValue
                          • String ID:
                          • API String ID: 3899507212-0
                          • Opcode ID: 08cafeb6291d745e58ff05ae5423799f95ccf5d9a03a73de34e85114d666f70b
                          • Instruction ID: 599f66edc6d4d18cb32a17ad3ed8021294372d77f31f3e12a6a73a0c91652838
                          • Opcode Fuzzy Hash: 08cafeb6291d745e58ff05ae5423799f95ccf5d9a03a73de34e85114d666f70b
                          • Instruction Fuzzy Hash: 422165B15093805FD7128F25DC55B52BFA8AF56314F09C4DAED49CF293D225E809C761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 04D00227
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: DescriptorSecurity$ConvertString
                          • String ID:
                          • API String ID: 3907675253-0
                          • Opcode ID: 2a9d2ac1dca726ddc2d2062cd38b534ef602dafb319986f96eec4e4366c1a658
                          • Instruction ID: b86c4f84cb11ce7c596ae36a87b21d412d9f7346d0ecb93ab2da32d7b7274c13
                          • Opcode Fuzzy Hash: 2a9d2ac1dca726ddc2d2062cd38b534ef602dafb319986f96eec4e4366c1a658
                          • Instruction Fuzzy Hash: A621D172600204AFEB21DF65DD44FAABBECEF14214F04C46AED48DB681D374E5088B71
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00B1B69D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: 7d02863969c1b7df2fa9e6e6b6408b3ca29e9d57dc9edd44e6008a4043c1fb43
                          • Instruction ID: 6771011f4d19b1438f4b330cd85298bb4d643330c827e6cb00d41f780983ebbb
                          • Opcode Fuzzy Hash: 7d02863969c1b7df2fa9e6e6b6408b3ca29e9d57dc9edd44e6008a4043c1fb43
                          • Instruction Fuzzy Hash: B3219071600600AFE721CF65CD85FA6FBE8EF28324F0884A9E9499B651D375E848CB71
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegQueryValueExW.KERNELBASE(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 04D0013C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          • Opcode ID: 2034cac66d4cfb4d6b18ca2b1b2b77d4864223b0c092ba99e5f9ff0282cfc01c
                          • Instruction ID: 6d5e608d212783593ed58bba58a35fd19b56cbb04f5259fad4bf0f8aca47b041
                          • Opcode Fuzzy Hash: 2034cac66d4cfb4d6b18ca2b1b2b77d4864223b0c092ba99e5f9ff0282cfc01c
                          • Instruction Fuzzy Hash: 42219AB2504744AFD722CF11DC84FA7BBF8EF15620F08849AE945DB692D364F908CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • setsockopt.WS2_32(?,?,?,?,?), ref: 00B1BDA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: setsockopt
                          • String ID:
                          • API String ID: 3981526788-0
                          • Opcode ID: b32a6222fb9d7e9996b39907e462656afae5ece92e0d40fbce99c9e566a52054
                          • Instruction ID: e7a9c8fa101c3373935071f97d4ff041322f41828ee3e38f726aa8bd115b4e52
                          • Opcode Fuzzy Hash: b32a6222fb9d7e9996b39907e462656afae5ece92e0d40fbce99c9e566a52054
                          • Instruction Fuzzy Hash: DD217E755493C09FDB228F619C84B96BFB0EF17320F0D84DAD9848F563D2299958CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00B1A879
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: Open
                          • String ID:
                          • API String ID: 71445658-0
                          • Opcode ID: 9a1745a6bf7eaa97bdb9ced92e9158cbd69f751fea94815982bb669c8edf7702
                          • Instruction ID: f400e89fcd4d85acc24c6bf2524d190ccb94941f4d206eed70e3a1f180421ccd
                          • Opcode Fuzzy Hash: 9a1745a6bf7eaa97bdb9ced92e9158cbd69f751fea94815982bb669c8edf7702
                          • Instruction Fuzzy Hash: 7E21D1B2500204AEE7218F51CC84FABFBECEF24314F04845AED459B641D364F8498BB2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetProcessWorkingSetSize.KERNEL32(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 04D0280B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: ProcessSizeWorking
                          • String ID:
                          • API String ID: 3584180929-0
                          • Opcode ID: eb87f893c4716ef27812f93f1d615f76b1c95a43a9f761fb0caa4fa7df578542
                          • Instruction ID: 970ff74f673b8d6d42c5c601527e64112e92f2d41f66801c6ef5bea6fe48e9b2
                          • Opcode Fuzzy Hash: eb87f893c4716ef27812f93f1d615f76b1c95a43a9f761fb0caa4fa7df578542
                          • Instruction Fuzzy Hash: 5C21C2B15053806FE722CF21CC44FA7BFA8EF45220F08C49AE944DB292D264E908CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetProcessWorkingSetSize.KERNEL32(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 04D028EF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: ProcessSizeWorking
                          • String ID:
                          • API String ID: 3584180929-0
                          • Opcode ID: eb87f893c4716ef27812f93f1d615f76b1c95a43a9f761fb0caa4fa7df578542
                          • Instruction ID: 6b9072402d3777212d11b33bb1ef438c8a469ef8741176b0b9ce2f3ec891c143
                          • Opcode Fuzzy Hash: eb87f893c4716ef27812f93f1d615f76b1c95a43a9f761fb0caa4fa7df578542
                          • Instruction Fuzzy Hash: 2D21C2B15053806FE712CF21DC44FA6BFA8EF46220F08C49AE944DB292D264E908CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateMutexW.KERNELBASE(?,?), ref: 00B1A6B9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: CreateMutex
                          • String ID:
                          • API String ID: 1964310414-0
                          • Opcode ID: 6053af03004080cfd158533e8b5f4ad9346d4e3e0e84a608722a23c16f804b32
                          • Instruction ID: fb616415987cebced37d99b61c964ca516ca9755166f6117e505c06f2d5be9d2
                          • Opcode Fuzzy Hash: 6053af03004080cfd158533e8b5f4ad9346d4e3e0e84a608722a23c16f804b32
                          • Instruction Fuzzy Hash: D42180B16012009FE710DF65CD85BA6FBE8EF15324F0884AAE948DB681D375F949CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegDeleteKeyW.ADVAPI32(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 04D0381C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: Delete
                          • String ID:
                          • API String ID: 1035893169-0
                          • Opcode ID: 85c5de2b79361f8deb713c06aeb7d90429b0826589aa13dae84edb40c2c0f60c
                          • Instruction ID: f0cbc36e0b44ed12e056c5f87f46bd1895de31203f6951dc0af563c5d7251c00
                          • Opcode Fuzzy Hash: 85c5de2b79361f8deb713c06aeb7d90429b0826589aa13dae84edb40c2c0f60c
                          • Instruction Fuzzy Hash: F721A1B15093806FD7228B51DC45FA6BFA8EF46220F08C0DBE9449B692D264F908C761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ReadFile.KERNELBASE(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 00B1BA55
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: FileRead
                          • String ID:
                          • API String ID: 2738559852-0
                          • Opcode ID: e28435b25a859fdd2298399e33e3543e84e900194e259b9fad5f9d1bb9dd5f56
                          • Instruction ID: d1ab49c378ad54efb74b5ca610cda1126eb5e27902d47873f8179522e5141ea3
                          • Opcode Fuzzy Hash: e28435b25a859fdd2298399e33e3543e84e900194e259b9fad5f9d1bb9dd5f56
                          • Instruction Fuzzy Hash: 27219F71505780AFDB22CF51DC44FA7BFB8EF55320F08849AE9859B652D225A908CBB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: send
                          • String ID:
                          • API String ID: 2809346765-0
                          • Opcode ID: 48fe0aa1cb92268fbb172e3a8302ac30bbaf00760eaae2237e1ec5e2309609ac
                          • Instruction ID: 3ff054450a047a6facc1da904b125dfd2244acca3cbb803340780ce4c9d5a1dd
                          • Opcode Fuzzy Hash: 48fe0aa1cb92268fbb172e3a8302ac30bbaf00760eaae2237e1ec5e2309609ac
                          • Instruction Fuzzy Hash: E821BA3150D3C09FD7128B61CC54A92BFB0EF47220F0A84DBD9848F5A3D229A919CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ioctlsocket.WS2_32(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 04D02283
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: ioctlsocket
                          • String ID:
                          • API String ID: 3577187118-0
                          • Opcode ID: 6f6a415218493b7d6428f6a93ae2c648ae858893de598b588ef1e94b162aa149
                          • Instruction ID: 0de410ab13c2c47a52451e453c6872efb09075de624a1cd6fdb0858a456ee431
                          • Opcode Fuzzy Hash: 6f6a415218493b7d6428f6a93ae2c648ae858893de598b588ef1e94b162aa149
                          • Instruction Fuzzy Hash: C321A1B15097806FD722CF51CC44FA6BFA8EF55320F08C49AE9449B692D274A908C7B1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegQueryValueExW.KERNELBASE(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 00B1A40C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          • Opcode ID: de8ffdbee4527716cb658626266d79c81ee48004cbdc77408ffb8d8453e7762f
                          • Instruction ID: 4583e813a06d4a3a90524135298f0bec79d89ad7d0f18feabb18b1e0d53e63b8
                          • Opcode Fuzzy Hash: de8ffdbee4527716cb658626266d79c81ee48004cbdc77408ffb8d8453e7762f
                          • Instruction Fuzzy Hash: 7621AEB16006009FE720CE15DC84FA6B7ECEF14710F48C4AAE945DB791D360F948CA72
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: FileView
                          • String ID:
                          • API String ID: 3314676101-0
                          • Opcode ID: 8d0ce4bff46edebf354d14c33efd12729928157a0f49e1d2ce799f7e7e5de36c
                          • Instruction ID: 98cea06f179b2787cb71446765f1395306c85be66961d84a9d0034f26f6ecc90
                          • Opcode Fuzzy Hash: 8d0ce4bff46edebf354d14c33efd12729928157a0f49e1d2ce799f7e7e5de36c
                          • Instruction Fuzzy Hash: 7B21F0B1500204AFEB22CF15DD84FA6FBE8EF28224F04C45AE9459B681E375F408CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • WSASocketW.WS2_32(?,?,?,?,?), ref: 00B1BCCA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: Socket
                          • String ID:
                          • API String ID: 38366605-0
                          • Opcode ID: e0660edcbbbb5770633e5831da69421311265b1a7339bf05b9e589fedb5968f3
                          • Instruction ID: d95dd047585638722db19cf14ffc4384c735d056d438f26a16dbea7d24828cb9
                          • Opcode Fuzzy Hash: e0660edcbbbb5770633e5831da69421311265b1a7339bf05b9e589fedb5968f3
                          • Instruction Fuzzy Hash: F621D171500600AFEB21CF55DD84FA6FBE8EF18320F1488AAE9458B691D375E408CBB2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNELBASE(?,00000E24), ref: 04D0130B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 30ae0805912f6a7a80dca6ced1075d9f61caf3bee3de08768c30f07190b5566f
                          • Instruction ID: 4aa23d9f99b657cc498f53c05271dda9af624c1f3be99e9df08dced57edcc277
                          • Opcode Fuzzy Hash: 30ae0805912f6a7a80dca6ced1075d9f61caf3bee3de08768c30f07190b5566f
                          • Instruction Fuzzy Hash: 5A11B1715043406FE721CF11DC85FA6FBA8EF46720F08809AF9449B692D265B948CB66
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindCloseChangeNotification.KERNELBASE(?), ref: 00B1A780
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID:
                          • API String ID: 2591292051-0
                          • Opcode ID: 1528c38994cea46809309f942d6a0cae9ebca836c3f7c0776bab08d0cf12fa0d
                          • Instruction ID: 64e91e7cb573cca21a6cf868e6354f297ae03ffa8412090158de58587b4c9455
                          • Opcode Fuzzy Hash: 1528c38994cea46809309f942d6a0cae9ebca836c3f7c0776bab08d0cf12fa0d
                          • Instruction Fuzzy Hash: 4021D2B59053809FD7118F15DD85B92BFB4EF02324F0884EAEC458B693D335AA09DBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegQueryValueExW.KERNELBASE(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 04D0013C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          • Opcode ID: 0f3f007d93a6e186990f8e54f84202bfa79b24368acf2f5fffc07db63032f38d
                          • Instruction ID: 13eebb0554e3a7c4849480eaeaac1532cd3ef326707804a2046c1b317306e68c
                          • Opcode Fuzzy Hash: 0f3f007d93a6e186990f8e54f84202bfa79b24368acf2f5fffc07db63032f38d
                          • Instruction Fuzzy Hash: 78116D72600604AEE722CE15DC85FA7B7E8EF14620F08C45AE945DB692D364F508CA62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 04D02E85
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: LibraryLoadShim
                          • String ID:
                          • API String ID: 1475914169-0
                          • Opcode ID: c94ce3df336a6d7e0aa5fdfaae231cd5de6564e46b26ccf6ffae25e2d18326fb
                          • Instruction ID: b2218ea92276bc589a7589322c8d86aae60d9fc08da5a1a2c127b1027a75a8d5
                          • Opcode Fuzzy Hash: c94ce3df336a6d7e0aa5fdfaae231cd5de6564e46b26ccf6ffae25e2d18326fb
                          • Instruction Fuzzy Hash: 61218EB15093809FD7228E15DC44B62BFF8EF46314F0980CAED848B293D265A908CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegSetValueExW.KERNELBASE(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 00B1A4F8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: Value
                          • String ID:
                          • API String ID: 3702945584-0
                          • Opcode ID: b8b82662667df609aef3b7090762a49c607719b9dbaa8604d651ff68c1acd43e
                          • Instruction ID: bc1c7ea0b839ac47116fc7c7861e5fc2d3a41cd2e25f2facfd9ca106ad255136
                          • Opcode Fuzzy Hash: b8b82662667df609aef3b7090762a49c607719b9dbaa8604d651ff68c1acd43e
                          • Instruction Fuzzy Hash: 6A1181B6600600AFE7218E15DC45FA7BBECEF24724F04849AED45DA791D374F948CA72
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetProcessTimes.KERNELBASE(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 04D00931
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: ProcessTimes
                          • String ID:
                          • API String ID: 1995159646-0
                          • Opcode ID: df066e68ce5e6f61f29d19a0d6f4a3c8a4c3ebf766fb6b7d4fe53fa7fe54b1d8
                          • Instruction ID: ac6211f0fcb7922e514122722ebd044b4f73d0871d071795de630b410a698d53
                          • Opcode Fuzzy Hash: df066e68ce5e6f61f29d19a0d6f4a3c8a4c3ebf766fb6b7d4fe53fa7fe54b1d8
                          • Instruction Fuzzy Hash: C7119672600600AFE7218F55EC44FA6B7E8EF15324F08C45AEA459B691D375F508CBB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • PostMessageW.USER32(?,?,?,?), ref: 04D03B51
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 48e82f6cf7ae421330adabb35c0dd83838207dcc70f93f4c7a53113db0c4a036
                          • Instruction ID: 32cbaeeac194ede3913d09cc652dda7ba99a79be4f6fc9efccd452624f76024e
                          • Opcode Fuzzy Hash: 48e82f6cf7ae421330adabb35c0dd83838207dcc70f93f4c7a53113db0c4a036
                          • Instruction Fuzzy Hash: 70219A715093C09FDB238F25CC44A52BFB4EF17224F0984DBED848F5A3D225A818DB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetProcessWorkingSetSize.KERNEL32(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 04D028EF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: ProcessSizeWorking
                          • String ID:
                          • API String ID: 3584180929-0
                          • Opcode ID: 3ea0b35430bfc3ea984a918e4735423e845e0fd376a1f1d4a77ec70bac7a2d89
                          • Instruction ID: e2f6418dd419fc4b3b8d6cc271c511c555210ce38a2e582105357359e06e7b6f
                          • Opcode Fuzzy Hash: 3ea0b35430bfc3ea984a918e4735423e845e0fd376a1f1d4a77ec70bac7a2d89
                          • Instruction Fuzzy Hash: 7711C4B16012049FEB21CF55DC44BAAB7A8EF15324F08C4AAED45DB681D374F908CBB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetProcessWorkingSetSize.KERNEL32(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 04D0280B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: ProcessSizeWorking
                          • String ID:
                          • API String ID: 3584180929-0
                          • Opcode ID: 3ea0b35430bfc3ea984a918e4735423e845e0fd376a1f1d4a77ec70bac7a2d89
                          • Instruction ID: 84f222dbcfee4899fa1a9d5e5068f9f9f9347d3b28e2ab459f08202c49884633
                          • Opcode Fuzzy Hash: 3ea0b35430bfc3ea984a918e4735423e845e0fd376a1f1d4a77ec70bac7a2d89
                          • Instruction Fuzzy Hash: 5111C4756002009FE721CF55DC84BAAF7A8EF14324F04C4AAED45DB681D374F9088BB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetExitCodeProcess.KERNELBASE(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 04D0272C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: CodeExitProcess
                          • String ID:
                          • API String ID: 3861947596-0
                          • Opcode ID: 6d22eb2741e1f2a39266f2049044687d6515545b13c7a7e2f697bc950f6b07ef
                          • Instruction ID: 790b2d015aea8c9b28d8e06b4565a41d56421b325efee703d1278ae11bb432f7
                          • Opcode Fuzzy Hash: 6d22eb2741e1f2a39266f2049044687d6515545b13c7a7e2f697bc950f6b07ef
                          • Instruction Fuzzy Hash: 6011E371600200AFEB118F15DC48BAAB7ECEF54324F04C4AAED45DB685E374F9088BB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 04D00082
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: ComputerName
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B1AC6E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          APIs
                          • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04D00E9A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: Connect
                          APIs
                          • ReadFile.KERNELBASE(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 00B1BA55
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: FileRead
                          APIs
                          • ioctlsocket.WS2_32(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 04D02283
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: ioctlsocket
                          APIs
                          • RegDeleteKeyW.ADVAPI32(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 04D0381C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: Delete
                          APIs
                          • PostMessageW.USER32(?,?,?,?), ref: 04D03F3D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: MessagePost
                          APIs
                          • LoadLibraryA.KERNELBASE(?,00000E24), ref: 04D0130B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          APIs
                          • SetErrorMode.KERNELBASE(?), ref: 00B1A30C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: ErrorMode
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: select
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: closesocket
                          APIs
                          • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04D02422
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: LookupPrivilegeValue
                          APIs
                          • GetFileType.KERNELBASE(?,00000E24,D366EE2A,00000000,00000000,00000000,00000000), ref: 00B1B789
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: FileType
                          APIs
                          • DispatchMessageW.USER32(?), ref: 04D03DE4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: DispatchMessage
                          APIs
                          • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04D00E9A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: Connect
                          APIs
                          • GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 04D01066
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: InformationVolume
                          APIs
                          • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 04D02E85
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: LibraryLoadShim
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B1AC6E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          APIs
                          • GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 04D00082
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: ComputerName
                          APIs
                          • setsockopt.WS2_32(?,?,?,?,?), ref: 00B1BDA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: setsockopt
                          APIs
                          • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 00B1BC12
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: QueryValue
                          APIs
                          • FindCloseChangeNotification.KERNELBASE(?), ref: 00B1A780
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          APIs
                          • PostMessageW.USER32(?,?,?,?), ref: 04D03F3D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: MessagePost
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: send
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: closesocket
                          APIs
                          • PostMessageW.USER32(?,?,?,?), ref: 04D03B51
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: MessagePost
                          APIs
                          • DispatchMessageW.USER32(?), ref: 04D03DE4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2421885024.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4d00000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: DispatchMessage
                          APIs
                          • SetErrorMode.KERNELBASE(?), ref: 00B1A30C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2420315517.0000000000B1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b1a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID: ErrorMode
                          Memory Dump Source
                          • Source File: 00000000.00000002.2422003047.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5100000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2420639508.0000000000FD0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_fd0000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2420357256.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b2a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2420639508.0000000000FD0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_fd0000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2420639508.0000000000FD0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_fd0000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2420639508.0000000000FD0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_fd0000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2420639508.0000000000FD0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_fd0000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2420357256.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b2a000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2422003047.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5100000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2422003047.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5100000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2420302143.0000000000B12000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B12000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b12000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2420302143.0000000000B12000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B12000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b12000_xVcsGL5R1Nbh.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%