Edit tour

Windows Analysis Report
gKi3fKq4Kh.exe

Overview

General Information

Sample Name:	gKi3fKq4Kh.exe
Analysis ID:	651955
MD5:	ee24b7367c090788a5d86d24bceb27d2
SHA1:	b88a3bf151e935051c6731a42af97b523bf6c2fb
SHA256:	484310027c8e469f5154e53c9d3543095410b68730722158848b01d5a842642c
Tags:	exenjratRAT
Infos:

Detection

njRat, Xtreme RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Xtreme RAT

Antivirus detection for dropped file

Snort IDS alert for network traffic

Multi AV Scanner detection for submitted file

Detected njRat

Malicious sample detected (through community Yara rule)

Yara detected Njrat

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for dropped file

Found evasive API chain (may stop execution after checking mutex)

Uses netsh to modify the Windows network and firewall settings

Drops PE files to the startup folder

Machine Learning detection for sample

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Installs Xtreme RAT

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Creates autostart registry keys with suspicious names

Drops executables to the windows directory (C:\Windows) and starts them

Uses dynamic DNS services

Writes to foreign memory regions

Protects its processes via BreakOnTermination flag

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Contains functionality to register a low level keyboard hook

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Modifies the windows firewall

Contains functionality to inject threads in other processes

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Creates a start menu entry (Start Menu\Programs\Startup)

Contains functionality to retrieve information about pressed keystrokes

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Creates files inside the system directory

May infect USB drives

Internet Provider seen in connection with other malware

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality to read the clipboard data

Contains functionality to upload files via FTP

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Detected TCP or UDP traffic on non-standard ports

Potential key logger detected (key state polling based)

Found evaded block containing many API calls

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

Process Tree

System is w10x64

gKi3fKq4Kh.exe (PID: 2576 cmdline: "C:\Users\user\Desktop\gKi3fKq4Kh.exe" MD5: EE24B7367C090788A5D86D24BCEB27D2)

svchost.exe (PID: 6456 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)

WerFault.exe (PID: 4056 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 568 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 6548 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 576 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

chrome.exe (PID: 3036 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe MD5: C139654B5C1438A95B321BB01AD63EF6)

794bab1182.exe (PID: 6504 cmdline: "C:\Users\user\AppData\Local\Temp\794bab1182.exe" MD5: 1858BBF45BE50E685409DB249B798996)

adobe.exe (PID: 5920 cmdline: "C:\Users\user\AppData\Local\Temp\adobe.exe" MD5: 1858BBF45BE50E685409DB249B798996)

netsh.exe (PID: 5152 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\adobe.exe" "adobe.exe" ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)

conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

747MBR Regenerator v4.5.exe (PID: 6516 cmdline: "C:\Windows\747MBR Regenerator v4.5.exe" MD5: FCA2AA6D8039DD107AFF1A3CFBE97F7B)

adobe.exe (PID: 5524 cmdline: "C:\Users\user\AppData\Local\Temp\adobe.exe" .. MD5: 1858BBF45BE50E685409DB249B798996)

adobe.exe (PID: 4360 cmdline: "C:\Users\user\AppData\Local\Temp\adobe.exe" .. MD5: 1858BBF45BE50E685409DB249B798996)

adobe.exe (PID: 2980 cmdline: "C:\Users\user\AppData\Local\Temp\adobe.exe" .. MD5: 1858BBF45BE50E685409DB249B798996)

cleanup

Malware Configuration

Threatname: Njrat

{"Host": "babaloo.duckdns.org", "Port": "1182", "Version": "0.7d", "Campaign ID": "Ativado Windows 7", "Install Name": "adobe.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}

Threatname: Xtreme RAT

{"id": "Server", "group": "Servers", "version": "2.9", "mutex": "wzk5VL6RM0QU9blk", "installdir": "InstallDir", "installdirfile": "Server.exe", "ftp server": "ftp.ftpserver.com"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
gKi3fKq4Kh.exe	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>	0x45d8:$a: XTREME 0x9db8:$a: XTREME 0xab70:$a: XTREME 0xf380:$a: XTREME 0xf38e:$a: XTREME 0xbd74:$b: ServerStarted 0x89f0:$c: XtremeKeylogger 0x470c:$d: x.html 0x854a:$e: Xtreme RAT
gKi3fKq4Kh.exe	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth	0x5dcd:$x1: ServerKeyloggerU 0x51f69:$x2: TServerKeylogger 0x89f0:$x3: XtremeKeylogger 0xab70:$x4: XTREMEBINDER 0xf38e:$x4: XTREMEBINDER 0xa850:$s1: shellexecute= 0x6d4c:$s2: [Execute] 0xa796:$s3: ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
gKi3fKq4Kh.exe	JoeSecurity_XtremeRat	Yara detected Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
gKi3fKq4Kh.exe	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x45d8:$a: XTREME 0x9db8:$a: XTREME 0xab70:$a: XTREME 0xf380:$a: XTREME 0xf38e:$a: XTREME 0xab70:$b: XTREMEBINDER 0xf38e:$b: XTREMEBINDER 0x9dcc:$c: STARTSERVERBUFFER 0xcbb4:$d: SOFTWARE\XtremeRAT 0x89f0:$f: XtremeKeylogger 0x854a:$h: Xtreme RAT

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\adobe.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
C:\Users\user\AppData\Local\Temp\adobe.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Local\Temp\adobe.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
C:\Users\user\AppData\Local\Temp\adobe.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
C:\Users\user\AppData\Local\Temp\adobe.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Local\Temp\794bab1182.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
C:\Users\user\AppData\Local\Temp\794bab1182.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Local\Temp\794bab1182.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
C:\Users\user\AppData\Local\Temp\794bab1182.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
C:\Users\user\AppData\Local\Temp\794bab1182.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
Click to see the 10 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000017.00000000.506871291.0000000000112000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000017.00000000.506871291.0000000000112000.00000002.00000001.01000000.0000000A.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4bb4:$a1: netsh firewall add allowedprogram 0x4b84:$a2: SEE_MASK_NOZONECHECKS 0x4e2e:$b1: [TAP] 0x4b46:$c3: cmd.exe /c ping
00000017.00000000.506871291.0000000000112000.00000002.00000001.01000000.0000000A.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b84:$reg: SEE_MASK_NOZONECHECKS 0x4c5c:$msg: Execute ERROR 0x4cb8:$msg: Execute ERROR 0x4b46:$ping: cmd.exe /c ping 0 -n 2 & del
00000001.00000002.385106851.0000000010047000.00000040.00000400.00020000.00000000.sdmp	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x1380:$a: XTREME 0x138e:$a: XTREME 0x138e:$b: XTREMEBINDER
00000013.00000000.466457674.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000013.00000000.466457674.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4bb4:$a1: netsh firewall add allowedprogram 0x4b84:$a2: SEE_MASK_NOZONECHECKS 0x4e2e:$b1: [TAP] 0x4b46:$c3: cmd.exe /c ping
00000013.00000000.466457674.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b84:$reg: SEE_MASK_NOZONECHECKS 0x4c5c:$msg: Execute ERROR 0x4cb8:$msg: Execute ERROR 0x4b46:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000003.387263414.0000000002809000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000003.387263414.0000000002809000.00000004.00000800.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x5228:$a1: netsh firewall add allowedprogram 0x51f8:$a2: SEE_MASK_NOZONECHECKS 0x54a2:$b1: [TAP] 0x51ba:$c3: cmd.exe /c ping
00000000.00000003.387263414.0000000002809000.00000004.00000800.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x51f8:$reg: SEE_MASK_NOZONECHECKS 0x52d0:$msg: Execute ERROR 0x532c:$msg: Execute ERROR 0x51ba:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.389161206.00000000004FA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.389161206.00000000004FA000.00000004.00000020.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x355e0:$a1: netsh firewall add allowedprogram 0x355b0:$a2: SEE_MASK_NOZONECHECKS 0x3585a:$b1: [TAP] 0x35572:$c3: cmd.exe /c ping
00000000.00000002.389161206.00000000004FA000.00000004.00000020.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x355b0:$reg: SEE_MASK_NOZONECHECKS 0x35688:$msg: Execute ERROR 0x356e4:$msg: Execute ERROR 0x35572:$ping: cmd.exe /c ping 0 -n 2 & del
0000000A.00000002.640869740.0000000000482000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000A.00000002.640869740.0000000000482000.00000002.00000001.01000000.0000000A.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4bb4:$a1: netsh firewall add allowedprogram 0x4b84:$a2: SEE_MASK_NOZONECHECKS 0x4e2e:$b1: [TAP] 0x4b46:$c3: cmd.exe /c ping
0000000A.00000002.640869740.0000000000482000.00000002.00000001.01000000.0000000A.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b84:$reg: SEE_MASK_NOZONECHECKS 0x4c5c:$msg: Execute ERROR 0x4cb8:$msg: Execute ERROR 0x4b46:$ping: cmd.exe /c ping 0 -n 2 & del
00000014.00000002.501246127.0000000000072000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000014.00000002.501246127.0000000000072000.00000002.00000001.01000000.0000000A.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4bb4:$a1: netsh firewall add allowedprogram 0x4b84:$a2: SEE_MASK_NOZONECHECKS 0x4e2e:$b1: [TAP] 0x4b46:$c3: cmd.exe /c ping
00000014.00000002.501246127.0000000000072000.00000002.00000001.01000000.0000000A.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b84:$reg: SEE_MASK_NOZONECHECKS 0x4c5c:$msg: Execute ERROR 0x4cb8:$msg: Execute ERROR 0x4b46:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>	0x41d8:$a: XTREME 0x99b8:$a: XTREME 0xa770:$a: XTREME 0xb974:$b: ServerStarted 0x85f0:$c: XtremeKeylogger 0x430c:$d: x.html 0x814a:$e: Xtreme RAT
00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_XtremeRat	Yara detected Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x41d8:$a: XTREME 0x99b8:$a: XTREME 0xa770:$a: XTREME 0xa770:$b: XTREMEBINDER 0x99cc:$c: STARTSERVERBUFFER 0xc7b4:$d: SOFTWARE\XtremeRAT 0x85f0:$f: XtremeKeylogger 0x814a:$h: Xtreme RAT
00000000.00000003.377265205.00000000026C8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000003.377265205.00000000026C8000.00000004.00000800.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x5228:$a1: netsh firewall add allowedprogram 0x51f8:$a2: SEE_MASK_NOZONECHECKS 0x54a2:$b1: [TAP] 0x51ba:$c3: cmd.exe /c ping
00000000.00000003.377265205.00000000026C8000.00000004.00000800.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x51f8:$reg: SEE_MASK_NOZONECHECKS 0x52d0:$msg: Execute ERROR 0x532c:$msg: Execute ERROR 0x51ba:$ping: cmd.exe /c ping 0 -n 2 & del
0000000A.00000000.412306049.0000000000482000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000A.00000000.412306049.0000000000482000.00000002.00000001.01000000.0000000A.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4bb4:$a1: netsh firewall add allowedprogram 0x4b84:$a2: SEE_MASK_NOZONECHECKS 0x4e2e:$b1: [TAP] 0x4b46:$c3: cmd.exe /c ping
0000000A.00000000.412306049.0000000000482000.00000002.00000001.01000000.0000000A.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b84:$reg: SEE_MASK_NOZONECHECKS 0x4c5c:$msg: Execute ERROR 0x4cb8:$msg: Execute ERROR 0x4b46:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000000.368594046.0000000010047000.00000002.00000001.01000000.00000003.sdmp	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x1380:$a: XTREME 0x138e:$a: XTREME 0x138e:$b: XTREMEBINDER
00000000.00000003.377615498.0000000002949000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000003.377615498.0000000002949000.00000004.00000800.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4dd8:$a1: netsh firewall add allowedprogram 0x4da8:$a2: SEE_MASK_NOZONECHECKS 0x5052:$b1: [TAP] 0x4d6a:$c3: cmd.exe /c ping
00000000.00000003.377615498.0000000002949000.00000004.00000800.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4da8:$reg: SEE_MASK_NOZONECHECKS 0x4e80:$msg: Execute ERROR 0x4edc:$msg: Execute ERROR 0x4d6a:$ping: cmd.exe /c ping 0 -n 2 & del
00000013.00000002.479265241.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000013.00000002.479265241.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4bb4:$a1: netsh firewall add allowedprogram 0x4b84:$a2: SEE_MASK_NOZONECHECKS 0x4e2e:$b1: [TAP] 0x4b46:$c3: cmd.exe /c ping
00000013.00000002.479265241.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b84:$reg: SEE_MASK_NOZONECHECKS 0x4c5c:$msg: Execute ERROR 0x4cb8:$msg: Execute ERROR 0x4b46:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmp	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x1380:$a: XTREME 0x138e:$a: XTREME 0x138e:$b: XTREMEBINDER
00000001.00000000.375422528.0000000010047000.00000040.00000400.00020000.00000000.sdmp	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x1380:$a: XTREME 0x138e:$a: XTREME 0x138e:$b: XTREMEBINDER
00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>	0x51d8:$a: XTREME 0xa9b8:$a: XTREME 0xb770:$a: XTREME 0xc974:$b: ServerStarted 0x95f0:$c: XtremeKeylogger 0x530c:$d: x.html 0x914a:$e: Xtreme RAT
00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth	0x69cd:$x1: ServerKeyloggerU 0x95f0:$x3: XtremeKeylogger 0xb770:$x4: XTREMEBINDER 0xb450:$s1: shellexecute= 0x794c:$s2: [Execute] 0xb396:$s3: ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XtremeRat	Yara detected Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x51d8:$a: XTREME 0xa9b8:$a: XTREME 0xb770:$a: XTREME 0xb770:$b: XTREMEBINDER 0xa9cc:$c: STARTSERVERBUFFER 0xd7b4:$d: SOFTWARE\XtremeRAT 0x95f0:$f: XtremeKeylogger 0x914a:$h: Xtreme RAT
0000000A.00000000.412702627.0000000000482000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000A.00000000.413119228.0000000000482000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000A.00000000.413119228.0000000000482000.00000002.00000001.01000000.0000000A.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4bb4:$a1: netsh firewall add allowedprogram 0x4b84:$a2: SEE_MASK_NOZONECHECKS 0x4e2e:$b1: [TAP] 0x4b46:$c3: cmd.exe /c ping
0000000A.00000000.413119228.0000000000482000.00000002.00000001.01000000.0000000A.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b84:$reg: SEE_MASK_NOZONECHECKS 0x4c5c:$msg: Execute ERROR 0x4cb8:$msg: Execute ERROR 0x4b46:$ping: cmd.exe /c ping 0 -n 2 & del
0000000A.00000000.412702627.0000000000482000.00000002.00000001.01000000.0000000A.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4bb4:$a1: netsh firewall add allowedprogram 0x4b84:$a2: SEE_MASK_NOZONECHECKS 0x4e2e:$b1: [TAP] 0x4b46:$c3: cmd.exe /c ping
0000000A.00000000.412702627.0000000000482000.00000002.00000001.01000000.0000000A.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b84:$reg: SEE_MASK_NOZONECHECKS 0x4c5c:$msg: Execute ERROR 0x4cb8:$msg: Execute ERROR 0x4b46:$ping: cmd.exe /c ping 0 -n 2 & del
00000017.00000002.519357389.0000000000112000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000017.00000002.519357389.0000000000112000.00000002.00000001.01000000.0000000A.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4bb4:$a1: netsh firewall add allowedprogram 0x4b84:$a2: SEE_MASK_NOZONECHECKS 0x4e2e:$b1: [TAP] 0x4b46:$c3: cmd.exe /c ping
00000017.00000002.519357389.0000000000112000.00000002.00000001.01000000.0000000A.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b84:$reg: SEE_MASK_NOZONECHECKS 0x4c5c:$msg: Execute ERROR 0x4cb8:$msg: Execute ERROR 0x4b46:$ping: cmd.exe /c ping 0 -n 2 & del
00000007.00000002.414543592.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000007.00000002.414543592.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4bb4:$a1: netsh firewall add allowedprogram 0x4b84:$a2: SEE_MASK_NOZONECHECKS 0x4e2e:$b1: [TAP] 0x4b46:$c3: cmd.exe /c ping
00000007.00000002.414543592.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b84:$reg: SEE_MASK_NOZONECHECKS 0x4c5c:$msg: Execute ERROR 0x4cb8:$msg: Execute ERROR 0x4b46:$ping: cmd.exe /c ping 0 -n 2 & del
00000001.00000000.375372033.0000000010000000.00000040.00000400.00020000.00000000.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>	0x51d8:$a: XTREME 0xa9b8:$a: XTREME 0xb770:$a: XTREME 0xc974:$b: ServerStarted 0x95f0:$c: XtremeKeylogger 0x530c:$d: x.html 0x914a:$e: Xtreme RAT
00000001.00000000.375372033.0000000010000000.00000040.00000400.00020000.00000000.sdmp	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth	0x69cd:$x1: ServerKeyloggerU 0x95f0:$x3: XtremeKeylogger 0xb770:$x4: XTREMEBINDER 0xb450:$s1: shellexecute= 0x794c:$s2: [Execute] 0xb396:$s3: ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
00000001.00000000.375372033.0000000010000000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XtremeRat	Yara detected Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
00000001.00000000.375372033.0000000010000000.00000040.00000400.00020000.00000000.sdmp	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x51d8:$a: XTREME 0xa9b8:$a: XTREME 0xb770:$a: XTREME 0xb770:$b: XTREMEBINDER 0xa9cc:$c: STARTSERVERBUFFER 0xd7b4:$d: SOFTWARE\XtremeRAT 0x95f0:$f: XtremeKeylogger 0x914a:$h: Xtreme RAT
00000007.00000002.415926103.0000000003365000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000007.00000002.415926103.0000000003365000.00000004.00000800.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x126c:$a1: netsh firewall add allowedprogram 0x7308:$a1: netsh firewall add allowedprogram 0x121c:$a2: SEE_MASK_NOZONECHECKS 0x72d8:$a2: SEE_MASK_NOZONECHECKS 0x7582:$b1: [TAP] 0x729a:$c3: cmd.exe /c ping
00000007.00000002.415926103.0000000003365000.00000004.00000800.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x121c:$reg: SEE_MASK_NOZONECHECKS 0x72d8:$reg: SEE_MASK_NOZONECHECKS 0x73b0:$msg: Execute ERROR 0x740c:$msg: Execute ERROR 0x729a:$ping: cmd.exe /c ping 0 -n 2 & del
00000007.00000000.382812726.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000007.00000000.382812726.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4bb4:$a1: netsh firewall add allowedprogram 0x4b84:$a2: SEE_MASK_NOZONECHECKS 0x4e2e:$b1: [TAP] 0x4b46:$c3: cmd.exe /c ping
00000007.00000000.382812726.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b84:$reg: SEE_MASK_NOZONECHECKS 0x4c5c:$msg: Execute ERROR 0x4cb8:$msg: Execute ERROR 0x4b46:$ping: cmd.exe /c ping 0 -n 2 & del
0000000A.00000000.412039638.0000000000482000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000A.00000000.412039638.0000000000482000.00000002.00000001.01000000.0000000A.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4bb4:$a1: netsh firewall add allowedprogram 0x4b84:$a2: SEE_MASK_NOZONECHECKS 0x4e2e:$b1: [TAP] 0x4b46:$c3: cmd.exe /c ping
0000000A.00000000.412039638.0000000000482000.00000002.00000001.01000000.0000000A.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b84:$reg: SEE_MASK_NOZONECHECKS 0x4c5c:$msg: Execute ERROR 0x4cb8:$msg: Execute ERROR 0x4b46:$ping: cmd.exe /c ping 0 -n 2 & del
00000014.00000000.488787385.0000000000072000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000014.00000000.488787385.0000000000072000.00000002.00000001.01000000.0000000A.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4bb4:$a1: netsh firewall add allowedprogram 0x4b84:$a2: SEE_MASK_NOZONECHECKS 0x4e2e:$b1: [TAP] 0x4b46:$c3: cmd.exe /c ping
00000014.00000000.488787385.0000000000072000.00000002.00000001.01000000.0000000A.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b84:$reg: SEE_MASK_NOZONECHECKS 0x4c5c:$msg: Execute ERROR 0x4cb8:$msg: Execute ERROR 0x4b46:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000000.368576082.0000000010001000.00000020.00000001.01000000.00000003.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>	0x41d8:$a: XTREME 0x99b8:$a: XTREME 0xa770:$a: XTREME 0xb974:$b: ServerStarted 0x85f0:$c: XtremeKeylogger 0x430c:$d: x.html 0x814a:$e: Xtreme RAT
00000000.00000000.368576082.0000000010001000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_XtremeRat	Yara detected Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
00000000.00000000.368576082.0000000010001000.00000020.00000001.01000000.00000003.sdmp	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x41d8:$a: XTREME 0x99b8:$a: XTREME 0xa770:$a: XTREME 0xa770:$b: XTREMEBINDER 0x99cc:$c: STARTSERVERBUFFER 0xc7b4:$d: SOFTWARE\XtremeRAT 0x85f0:$f: XtremeKeylogger 0x814a:$h: Xtreme RAT
Process Memory Space: gKi3fKq4Kh.exe PID: 2576	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: 794bab1182.exe PID: 6504	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: adobe.exe PID: 5920	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: adobe.exe PID: 5524	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: adobe.exe PID: 4360	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: adobe.exe PID: 2980	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 73 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.0.adobe.exe.480000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
10.0.adobe.exe.480000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
10.0.adobe.exe.480000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
10.0.adobe.exe.480000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
10.0.adobe.exe.480000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
0.3.gKi3fKq4Kh.exe.2809474.5.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x2f46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x309e:$s3: Executed As 0x3080:$s6: Download ERROR
0.3.gKi3fKq4Kh.exe.2809474.5.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.3.gKi3fKq4Kh.exe.2809474.5.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ed8:$s1: netsh firewall delete allowedprogram 0x2fb4:$s2: netsh firewall add allowedprogram 0x2f46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x305c:$s4: Execute ERROR 0x30b8:$s4: Execute ERROR 0x3080:$s5: Download ERROR 0x31e4:$s6: [kl]
0.3.gKi3fKq4Kh.exe.2809474.5.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2fb4:$a1: netsh firewall add allowedprogram 0x2f84:$a2: SEE_MASK_NOZONECHECKS 0x322e:$b1: [TAP] 0x2f46:$c3: cmd.exe /c ping
0.3.gKi3fKq4Kh.exe.2809474.5.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2f84:$reg: SEE_MASK_NOZONECHECKS 0x305c:$msg: Execute ERROR 0x30b8:$msg: Execute ERROR 0x2f46:$ping: cmd.exe /c ping 0 -n 2 & del
19.2.adobe.exe.8e0000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
19.2.adobe.exe.8e0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
19.2.adobe.exe.8e0000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
19.2.adobe.exe.8e0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
19.2.adobe.exe.8e0000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
20.2.adobe.exe.70000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
20.2.adobe.exe.70000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
20.2.adobe.exe.70000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
20.2.adobe.exe.70000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
20.2.adobe.exe.70000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
10.0.adobe.exe.480000.2.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
10.0.adobe.exe.480000.2.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
10.0.adobe.exe.480000.2.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
10.0.adobe.exe.480000.2.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
10.0.adobe.exe.480000.2.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
7.2.794bab1182.exe.3367554.1.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x2f46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x309e:$s3: Executed As 0x3080:$s6: Download ERROR
7.2.794bab1182.exe.3367554.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
7.2.794bab1182.exe.3367554.1.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2ed8:$s1: netsh firewall delete allowedprogram 0x2fb4:$s2: netsh firewall add allowedprogram 0x2f46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x305c:$s4: Execute ERROR 0x30b8:$s4: Execute ERROR 0x3080:$s5: Download ERROR 0x31e4:$s6: [kl]
7.2.794bab1182.exe.3367554.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2fb4:$a1: netsh firewall add allowedprogram 0x2f84:$a2: SEE_MASK_NOZONECHECKS 0x322e:$b1: [TAP] 0x2f46:$c3: cmd.exe /c ping
7.2.794bab1182.exe.3367554.1.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2f84:$reg: SEE_MASK_NOZONECHECKS 0x305c:$msg: Execute ERROR 0x30b8:$msg: Execute ERROR 0x2f46:$ping: cmd.exe /c ping 0 -n 2 & del
10.0.adobe.exe.480000.3.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
10.0.adobe.exe.480000.3.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
10.0.adobe.exe.480000.3.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
10.0.adobe.exe.480000.3.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
10.0.adobe.exe.480000.3.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
7.0.794bab1182.exe.cf0000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
7.0.794bab1182.exe.cf0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
7.0.794bab1182.exe.cf0000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
7.0.794bab1182.exe.cf0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
7.0.794bab1182.exe.cf0000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
7.2.794bab1182.exe.cf0000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
7.2.794bab1182.exe.cf0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
7.2.794bab1182.exe.cf0000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
7.2.794bab1182.exe.cf0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
7.2.794bab1182.exe.cf0000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
23.0.adobe.exe.110000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
23.0.adobe.exe.110000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
23.0.adobe.exe.110000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
23.0.adobe.exe.110000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
23.0.adobe.exe.110000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
0.3.gKi3fKq4Kh.exe.26c8474.0.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
0.3.gKi3fKq4Kh.exe.26c8474.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.3.gKi3fKq4Kh.exe.26c8474.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
0.3.gKi3fKq4Kh.exe.26c8474.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
0.3.gKi3fKq4Kh.exe.26c8474.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
0.3.gKi3fKq4Kh.exe.2809474.5.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
0.3.gKi3fKq4Kh.exe.2809474.5.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.3.gKi3fKq4Kh.exe.2809474.5.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
0.3.gKi3fKq4Kh.exe.2809474.5.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
0.3.gKi3fKq4Kh.exe.2809474.5.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
23.2.adobe.exe.110000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
23.2.adobe.exe.110000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
23.2.adobe.exe.110000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
23.2.adobe.exe.110000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
23.2.adobe.exe.110000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
20.0.adobe.exe.70000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
20.0.adobe.exe.70000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
20.0.adobe.exe.70000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
20.0.adobe.exe.70000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
20.0.adobe.exe.70000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
7.2.794bab1182.exe.3367554.1.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
7.2.794bab1182.exe.3367554.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
7.2.794bab1182.exe.3367554.1.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
7.2.794bab1182.exe.3367554.1.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
7.2.794bab1182.exe.3367554.1.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
10.0.adobe.exe.480000.1.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
10.0.adobe.exe.480000.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
10.0.adobe.exe.480000.1.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
10.0.adobe.exe.480000.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
10.0.adobe.exe.480000.1.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
19.0.adobe.exe.8e0000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
19.0.adobe.exe.8e0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
19.0.adobe.exe.8e0000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
19.0.adobe.exe.8e0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
19.0.adobe.exe.8e0000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
1.0.svchost.exe.10000000.0.raw.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>	0x51d8:$a: XTREME 0xa9b8:$a: XTREME 0xb770:$a: XTREME 0xc974:$b: ServerStarted 0x95f0:$c: XtremeKeylogger 0x530c:$d: x.html 0x914a:$e: Xtreme RAT
1.0.svchost.exe.10000000.0.raw.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth	0x69cd:$x1: ServerKeyloggerU 0x95f0:$x3: XtremeKeylogger 0xb770:$x4: XTREMEBINDER 0xb450:$s1: shellexecute= 0x794c:$s2: [Execute] 0xb396:$s3: ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
1.0.svchost.exe.10000000.0.raw.unpack	JoeSecurity_XtremeRat	Yara detected Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
1.0.svchost.exe.10000000.0.raw.unpack	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x51d8:$a: XTREME 0xa9b8:$a: XTREME 0xb770:$a: XTREME 0xb770:$b: XTREMEBINDER 0xa9cc:$c: STARTSERVERBUFFER 0xd7b4:$d: SOFTWARE\XtremeRAT 0x95f0:$f: XtremeKeylogger 0x914a:$h: Xtreme RAT
10.2.adobe.exe.480000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d46:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e9e:$s3: Executed As 0x4e80:$s6: Download ERROR
10.2.adobe.exe.480000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
10.2.adobe.exe.480000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cd8:$s1: netsh firewall delete allowedprogram 0x4db4:$s2: netsh firewall add allowedprogram 0x4d46:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e5c:$s4: Execute ERROR 0x4eb8:$s4: Execute ERROR 0x4e80:$s5: Download ERROR 0x4fe4:$s6: [kl]
10.2.adobe.exe.480000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4db4:$a1: netsh firewall add allowedprogram 0x4d84:$a2: SEE_MASK_NOZONECHECKS 0x502e:$b1: [TAP] 0x4d46:$c3: cmd.exe /c ping
10.2.adobe.exe.480000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d84:$reg: SEE_MASK_NOZONECHECKS 0x4e5c:$msg: Execute ERROR 0x4eb8:$msg: Execute ERROR 0x4d46:$ping: cmd.exe /c ping 0 -n 2 & del
1.2.svchost.exe.10000000.0.raw.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>	0x51d8:$a: XTREME 0xa9b8:$a: XTREME 0xb770:$a: XTREME 0xc974:$b: ServerStarted 0x95f0:$c: XtremeKeylogger 0x530c:$d: x.html 0x914a:$e: Xtreme RAT
1.2.svchost.exe.10000000.0.raw.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth	0x69cd:$x1: ServerKeyloggerU 0x95f0:$x3: XtremeKeylogger 0xb770:$x4: XTREMEBINDER 0xb450:$s1: shellexecute= 0x794c:$s2: [Execute] 0xb396:$s3: ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
1.2.svchost.exe.10000000.0.raw.unpack	JoeSecurity_XtremeRat	Yara detected Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
1.2.svchost.exe.10000000.0.raw.unpack	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x51d8:$a: XTREME 0xa9b8:$a: XTREME 0xb770:$a: XTREME 0xb770:$b: XTREMEBINDER 0xa9cc:$c: STARTSERVERBUFFER 0xd7b4:$d: SOFTWARE\XtremeRAT 0x95f0:$f: XtremeKeylogger 0x914a:$h: Xtreme RAT
1.0.svchost.exe.10000000.0.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>	0x45d8:$a: XTREME 0x9db8:$a: XTREME 0xab70:$a: XTREME 0xf380:$a: XTREME 0xf38e:$a: XTREME 0xbd74:$b: ServerStarted 0x89f0:$c: XtremeKeylogger 0x470c:$d: x.html 0x854a:$e: Xtreme RAT
1.0.svchost.exe.10000000.0.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth	0x5dcd:$x1: ServerKeyloggerU 0x51f69:$x2: TServerKeylogger 0x89f0:$x3: XtremeKeylogger 0xab70:$x4: XTREMEBINDER 0xf38e:$x4: XTREMEBINDER 0xa850:$s1: shellexecute= 0x6d4c:$s2: [Execute] 0xa796:$s3: ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
1.0.svchost.exe.10000000.0.unpack	JoeSecurity_XtremeRat	Yara detected Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
1.0.svchost.exe.10000000.0.unpack	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x45d8:$a: XTREME 0x9db8:$a: XTREME 0xab70:$a: XTREME 0xf380:$a: XTREME 0xf38e:$a: XTREME 0xab70:$b: XTREMEBINDER 0xf38e:$b: XTREMEBINDER 0x9dcc:$c: STARTSERVERBUFFER 0xcbb4:$d: SOFTWARE\XtremeRAT 0x89f0:$f: XtremeKeylogger 0x854a:$h: Xtreme RAT
0.2.gKi3fKq4Kh.exe.10000000.0.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>	0x45d8:$a: XTREME 0x9db8:$a: XTREME 0xab70:$a: XTREME 0xf380:$a: XTREME 0xf38e:$a: XTREME 0xbd74:$b: ServerStarted 0x89f0:$c: XtremeKeylogger 0x470c:$d: x.html 0x854a:$e: Xtreme RAT
0.2.gKi3fKq4Kh.exe.10000000.0.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth	0x5dcd:$x1: ServerKeyloggerU 0x51f69:$x2: TServerKeylogger 0x89f0:$x3: XtremeKeylogger 0xab70:$x4: XTREMEBINDER 0xf38e:$x4: XTREMEBINDER 0xa850:$s1: shellexecute= 0x6d4c:$s2: [Execute] 0xa796:$s3: ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
0.2.gKi3fKq4Kh.exe.10000000.0.unpack	JoeSecurity_XtremeRat	Yara detected Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
0.2.gKi3fKq4Kh.exe.10000000.0.unpack	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x45d8:$a: XTREME 0x9db8:$a: XTREME 0xab70:$a: XTREME 0xf380:$a: XTREME 0xf38e:$a: XTREME 0xab70:$b: XTREMEBINDER 0xf38e:$b: XTREMEBINDER 0x9dcc:$c: STARTSERVERBUFFER 0xcbb4:$d: SOFTWARE\XtremeRAT 0x89f0:$f: XtremeKeylogger 0x854a:$h: Xtreme RAT
1.2.svchost.exe.10000000.0.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>	0x45d8:$a: XTREME 0x9db8:$a: XTREME 0xab70:$a: XTREME 0xf380:$a: XTREME 0xf38e:$a: XTREME 0xbd74:$b: ServerStarted 0x89f0:$c: XtremeKeylogger 0x470c:$d: x.html 0x854a:$e: Xtreme RAT
1.2.svchost.exe.10000000.0.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth	0x5dcd:$x1: ServerKeyloggerU 0x51f69:$x2: TServerKeylogger 0x89f0:$x3: XtremeKeylogger 0xab70:$x4: XTREMEBINDER 0xf38e:$x4: XTREMEBINDER 0xa850:$s1: shellexecute= 0x6d4c:$s2: [Execute] 0xa796:$s3: ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
1.2.svchost.exe.10000000.0.unpack	JoeSecurity_XtremeRat	Yara detected Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
1.2.svchost.exe.10000000.0.unpack	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x45d8:$a: XTREME 0x9db8:$a: XTREME 0xab70:$a: XTREME 0xf380:$a: XTREME 0xf38e:$a: XTREME 0xab70:$b: XTREMEBINDER 0xf38e:$b: XTREMEBINDER 0x9dcc:$c: STARTSERVERBUFFER 0xcbb4:$d: SOFTWARE\XtremeRAT 0x89f0:$f: XtremeKeylogger 0x854a:$h: Xtreme RAT
0.0.gKi3fKq4Kh.exe.10000000.0.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>	0x45d8:$a: XTREME 0x9db8:$a: XTREME 0xab70:$a: XTREME 0xf380:$a: XTREME 0xf38e:$a: XTREME 0xbd74:$b: ServerStarted 0x89f0:$c: XtremeKeylogger 0x470c:$d: x.html 0x854a:$e: Xtreme RAT
0.0.gKi3fKq4Kh.exe.10000000.0.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth	0x5dcd:$x1: ServerKeyloggerU 0x51f69:$x2: TServerKeylogger 0x89f0:$x3: XtremeKeylogger 0xab70:$x4: XTREMEBINDER 0xf38e:$x4: XTREMEBINDER 0xa850:$s1: shellexecute= 0x6d4c:$s2: [Execute] 0xa796:$s3: ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
0.0.gKi3fKq4Kh.exe.10000000.0.unpack	JoeSecurity_XtremeRat	Yara detected Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
0.0.gKi3fKq4Kh.exe.10000000.0.unpack	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x45d8:$a: XTREME 0x9db8:$a: XTREME 0xab70:$a: XTREME 0xf380:$a: XTREME 0xf38e:$a: XTREME 0xab70:$b: XTREMEBINDER 0xf38e:$b: XTREMEBINDER 0x9dcc:$c: STARTSERVERBUFFER 0xcbb4:$d: SOFTWARE\XtremeRAT 0x89f0:$f: XtremeKeylogger 0x854a:$h: Xtreme RAT
Click to see the 109 entries

Snort Signatures

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.6 - Destination IP: 141.255.147.50

Timestamp:	192.168.2.6141.255.147.504977411822814856 06/24/22-17:57:22.268200
SID:	2814856
Source Port:	49774
Destination Port:	1182
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.6 - Destination IP: 141.255.147.50

Timestamp:	192.168.2.6141.255.147.504977411822033132 06/24/22-17:57:22.048969
SID:	2033132
Source Port:	49774
Destination Port:	1182
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.6 - Destination IP: 141.255.147.50

Timestamp:	192.168.2.6141.255.147.504977411822825563 06/24/22-17:57:22.268200
SID:	2825563
Source Port:	49774
Destination Port:	1182
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.6 - Destination IP: 141.255.147.50

Timestamp:	192.168.2.6141.255.147.504977411822814860 06/24/22-17:58:58.665134
SID:	2814860
Source Port:	49774
Destination Port:	1182
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.6 - Destination IP: 141.255.147.50

Timestamp:	192.168.2.6141.255.147.504977411822825564 06/24/22-17:58:58.665134
SID:	2825564
Source Port:	49774
Destination Port:	1182
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe	Avira: detection malicious, Label: TR/Dropper.Gen7

Multi AV Scanner detection for submitted file

Source: gKi3fKq4Kh.exe	Metadefender: Detection: 82%			Perma Link
Source: gKi3fKq4Kh.exe	ReversingLabs: Detection: 100%

Yara detected Njrat

Source: Yara match	File source: 10.0.adobe.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gKi3fKq4Kh.exe.2809474.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.adobe.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.adobe.exe.480000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.794bab1182.exe.3367554.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.adobe.exe.480000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.adobe.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gKi3fKq4Kh.exe.26c8474.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gKi3fKq4Kh.exe.2809474.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.adobe.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.adobe.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.794bab1182.exe.3367554.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.adobe.exe.480000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.adobe.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000000.506871291.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.466457674.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.387263414.0000000002809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.389161206.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.640869740.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.501246127.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.377265205.00000000026C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.412306049.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.377615498.0000000002949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.479265241.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.412702627.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.413119228.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.519357389.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.414543592.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.415926103.0000000003365000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.382812726.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.412039638.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.488787385.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gKi3fKq4Kh.exe PID: 2576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 794bab1182.exe PID: 6504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 5920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 5524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 4360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 2980, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\adobe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe, type: DROPPED

Antivirus / Scanner detection for submitted sample

Source: gKi3fKq4Kh.exe

Avira: detected

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Metadefender: Detection: 91%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Metadefender: Detection: 91%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe	Metadefender: Detection: 91%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe	ReversingLabs: Detection: 97%

Machine Learning detection for sample

Source: gKi3fKq4Kh.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe	Joe Sandbox ML: detected

Source: 7.0.794bab1182.exe.cf0000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 1.2.svchost.exe.10000000.0.unpack	Avira: Label: TR/Agent.ssnsz
Source: 10.0.adobe.exe.480000.3.unpack	Avira: Label: TR/Dropper.Gen7
Source: 7.2.794bab1182.exe.cf0000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 0.2.gKi3fKq4Kh.exe.10000000.0.unpack	Avira: Label: TR/Agent.ssnsz
Source: 10.0.adobe.exe.480000.1.unpack	Avira: Label: TR/Dropper.Gen7
Source: 10.2.adobe.exe.480000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 20.2.adobe.exe.70000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 10.0.adobe.exe.480000.2.unpack	Avira: Label: TR/Dropper.Gen7
Source: 19.0.adobe.exe.8e0000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 0.0.gKi3fKq4Kh.exe.10000000.0.unpack	Avira: Label: TR/Agent.hklh
Source: 10.0.adobe.exe.480000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 19.2.adobe.exe.8e0000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 23.0.adobe.exe.110000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 23.2.adobe.exe.110000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 20.0.adobe.exe.70000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 1.0.svchost.exe.10000000.0.unpack	Avira: Label: TR/Agent.ssnsz

Source: 00000000.00000002.389161206.00000000004FA000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Njrat {"Host": "babaloo.duckdns.org", "Port": "1182", "Version": "0.7d", "Campaign ID": "Ativado Windows 7", "Install Name": "adobe.exe", "Install Dir": "TEMP", "Network Seprator": "\|'\|'\|"}
Source: 00000000.00000002.389161206.00000000004FA000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Xtreme RAT {"id": "Server", "group": "Servers", "version": "2.9", "mutex": "wzk5VL6RM0QU9blk", "installdir": "InstallDir", "installdirfile": "Server.exe", "ftp server": "ftp.ftpserver.com"}

Source: gKi3fKq4Kh.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: gKi3fKq4Kh.exe	Binary or memory string: autorun.inf
Source: gKi3fKq4Kh.exe	Binary or memory string: [autorun] ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: gKi3fKq4Kh.exe	Binary or memory string: [autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: gKi3fKq4Kh.exe, 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: gKi3fKq4Kh.exe, 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: svchost.exe	Binary or memory string: autorun.inf
Source: svchost.exe	Binary or memory string: [autorun] ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: svchost.exe	Binary or memory string: [autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
Source: svchost.exe, 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: svchost.exe, 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: svchost.exe, 00000001.00000000.375372033.0000000010000000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: svchost.exe, 00000001.00000000.375372033.0000000010000000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: gKi3fKq4Kh.exe	Binary or memory string: [autorun]
Source: gKi3fKq4Kh.exe	Binary or memory string: autorun.inf

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Code function: 0_2_10005CA4 FindFirstFileW,FindClose,

0_2_10005CA4

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.6:49774 -> 141.255.147.50:1182
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.6:49774 -> 141.255.147.50:1182
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.6:49774 -> 141.255.147.50:1182
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.6:49774 -> 141.255.147.50:1182
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.6:49774 -> 141.255.147.50:1182

Uses dynamic DNS services

Source: unknown

DNS query: name: babaloo.duckdns.org

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: babaloo.duckdns.org

Source: Joe Sandbox View

ASN Name: IELOIELOMainNetworkFR IELOIELOMainNetworkFR

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Code function: 0_2_100068EC InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle,

0_2_100068EC

Source: global traffic

TCP traffic: 192.168.2.6:49774 -> 141.255.147.50:1182

Source: 747MBR Regenerator v4.5.exe, 00000009.00000003.425486975.000000001BE7B000.00000004.00000020.00020000.00000000.sdmp, 747MBR Regenerator v4.5.exe, 00000009.00000003.425474373.000000001BE7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: 747MBR Regenerator v4.5.exe, 00000009.00000003.418962747.000000001BE72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 747MBR Regenerator v4.5.exe, 00000009.00000003.418962747.000000001BE72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comicoM
Source: 747MBR Regenerator v4.5.exe, 00000009.00000003.427520259.000000001BE78000.00000004.00000020.00020000.00000000.sdmp, 747MBR Regenerator v4.5.exe, 00000009.00000003.427620869.000000001BE78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 747MBR Regenerator v4.5.exe.0.dr	String found in binary or memory: http://www.smartassembly.com
Source: 747MBR Regenerator v4.5.exe, 00000009.00000003.435601484.000000001BEB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.de&

Source: unknown

DNS traffic detected: queries for: babaloo.duckdns.org

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Code function: 0_2_10005F86 URLDownloadToCacheFileW,CopyFileW,

0_2_10005F86

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 794bab1182.exe.0.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: adobe.exe.7.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 7.0.794bab1182.exe.cf0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 7.2.794bab1182.exe.cf0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 1f777f760b787dc4d8cfb3fe867defca.exe.10.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 10.0.adobe.exe.480000.3.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 10.0.adobe.exe.480000.1.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 10.2.adobe.exe.480000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 10.0.adobe.exe.480000.2.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 10.0.adobe.exe.480000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 19.0.adobe.exe.8e0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 19.2.adobe.exe.8e0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 20.2.adobe.exe.70000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 20.0.adobe.exe.70000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 23.0.adobe.exe.110000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 23.2.adobe.exe.110000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Code function: 0_2_10008568 SetWindowsHookExW 0000000D,10008040,00000000,00000000

0_2_10008568

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Code function: 0_2_10008040 GetKeyboardState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,VirtualAlloc,SendMessageA,CallNextHookEx,

0_2_10008040

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Code function: 0_2_100069DC OpenClipboard,GetClipboardData,GlobalFix,GlobalSize,GlobalUnWire,CloseClipboard,

0_2_100069DC

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Code function: 0_2_100069DC OpenClipboard,GetClipboardData,GlobalFix,GlobalSize,GlobalUnWire,CloseClipboard,

0_2_100069DC

Source: 794bab1182.exe, 00000007.00000002.415449347.00000000013F8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Code function: 0_2_10006D04 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

0_2_10006D04

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: 10.0.adobe.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gKi3fKq4Kh.exe.2809474.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.adobe.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.adobe.exe.480000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.794bab1182.exe.3367554.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.adobe.exe.480000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.adobe.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gKi3fKq4Kh.exe.26c8474.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gKi3fKq4Kh.exe.2809474.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.adobe.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.adobe.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.794bab1182.exe.3367554.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.adobe.exe.480000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.adobe.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000000.506871291.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.466457674.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.387263414.0000000002809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.389161206.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.640869740.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.501246127.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.377265205.00000000026C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.412306049.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.377615498.0000000002949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.479265241.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.412702627.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.413119228.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.519357389.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.414543592.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.415926103.0000000003365000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.382812726.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.412039638.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.488787385.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gKi3fKq4Kh.exe PID: 2576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 794bab1182.exe PID: 6504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 5920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 5524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 4360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 2980, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\adobe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe, type: DROPPED

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Local\Temp\adobe.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Yara detected Xtreme RAT

Source: Yara match	File source: gKi3fKq4Kh.exe, type: SAMPLE
Source: Yara match	File source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gKi3fKq4Kh.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.gKi3fKq4Kh.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.375372033.0000000010000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.368576082.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Malicious sample detected (through community Yara rule)

Source: gKi3fKq4Kh.exe, type: SAMPLE	Matched rule: Detects Xtreme RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: gKi3fKq4Kh.exe, type: SAMPLE	Matched rule: Detects XTREME sample analyzed in September 2017 Author: Florian Roth
Source: gKi3fKq4Kh.exe, type: SAMPLE	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 10.0.adobe.exe.480000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 10.0.adobe.exe.480000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 10.0.adobe.exe.480000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 10.0.adobe.exe.480000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.gKi3fKq4Kh.exe.2809474.5.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.3.gKi3fKq4Kh.exe.2809474.5.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.3.gKi3fKq4Kh.exe.2809474.5.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.gKi3fKq4Kh.exe.2809474.5.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 19.2.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 19.2.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 19.2.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 19.2.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 20.2.adobe.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 20.2.adobe.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 20.2.adobe.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 20.2.adobe.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 10.0.adobe.exe.480000.2.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 10.0.adobe.exe.480000.2.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 10.0.adobe.exe.480000.2.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 10.0.adobe.exe.480000.2.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.794bab1182.exe.3367554.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.2.794bab1182.exe.3367554.1.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 7.2.794bab1182.exe.3367554.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.2.794bab1182.exe.3367554.1.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 10.0.adobe.exe.480000.3.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 10.0.adobe.exe.480000.3.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 10.0.adobe.exe.480000.3.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 10.0.adobe.exe.480000.3.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.0.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 7.0.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.0.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.2.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 7.2.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.2.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 23.0.adobe.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 23.0.adobe.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 23.0.adobe.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 23.0.adobe.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.gKi3fKq4Kh.exe.26c8474.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.3.gKi3fKq4Kh.exe.26c8474.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.3.gKi3fKq4Kh.exe.26c8474.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.gKi3fKq4Kh.exe.26c8474.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.gKi3fKq4Kh.exe.2809474.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.3.gKi3fKq4Kh.exe.2809474.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.3.gKi3fKq4Kh.exe.2809474.5.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.gKi3fKq4Kh.exe.2809474.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.adobe.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 23.2.adobe.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 23.2.adobe.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 23.2.adobe.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 20.0.adobe.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 20.0.adobe.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 20.0.adobe.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 20.0.adobe.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.794bab1182.exe.3367554.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.2.794bab1182.exe.3367554.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 7.2.794bab1182.exe.3367554.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.2.794bab1182.exe.3367554.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 10.0.adobe.exe.480000.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 10.0.adobe.exe.480000.1.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 10.0.adobe.exe.480000.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 10.0.adobe.exe.480000.1.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 19.0.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 19.0.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 19.0.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 19.0.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Xtreme RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects XTREME sample analyzed in September 2017 Author: Florian Roth
Source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 10.2.adobe.exe.480000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 10.2.adobe.exe.480000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 10.2.adobe.exe.480000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 10.2.adobe.exe.480000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Xtreme RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects XTREME sample analyzed in September 2017 Author: Florian Roth
Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Xtreme RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects XTREME sample analyzed in September 2017 Author: Florian Roth
Source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 0.2.gKi3fKq4Kh.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Xtreme RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.gKi3fKq4Kh.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects XTREME sample analyzed in September 2017 Author: Florian Roth
Source: 0.2.gKi3fKq4Kh.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Xtreme RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects XTREME sample analyzed in September 2017 Author: Florian Roth
Source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 0.0.gKi3fKq4Kh.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Xtreme RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.gKi3fKq4Kh.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects XTREME sample analyzed in September 2017 Author: Florian Roth
Source: 0.0.gKi3fKq4Kh.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000017.00000000.506871291.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000017.00000000.506871291.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.385106851.0000000010047000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000013.00000000.466457674.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000013.00000000.466457674.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.387263414.0000000002809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.387263414.0000000002809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.389161206.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.389161206.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.640869740.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000002.640869740.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.501246127.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000014.00000002.501246127.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Xtreme RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000003.377265205.00000000026C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.377265205.00000000026C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.412306049.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000000.412306049.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.368594046.0000000010047000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000003.377615498.0000000002949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.377615498.0000000002949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.479265241.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000013.00000002.479265241.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000001.00000000.375422528.0000000010047000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Xtreme RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects XTREME sample analyzed in September 2017 Author: Florian Roth
Source: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000A.00000000.413119228.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000000.413119228.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.412702627.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000000.412702627.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.519357389.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000017.00000002.519357389.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.414543592.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000007.00000002.414543592.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.375372033.0000000010000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Xtreme RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000000.375372033.0000000010000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects XTREME sample analyzed in September 2017 Author: Florian Roth
Source: 00000001.00000000.375372033.0000000010000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000007.00000002.415926103.0000000003365000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000007.00000002.415926103.0000000003365000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.382812726.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000007.00000000.382812726.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.412039638.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000000.412039638.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000000.488787385.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000014.00000000.488787385.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.368576082.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Xtreme RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.368576082.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: C:\Users\user\AppData\Local\Temp\adobe.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\adobe.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\adobe.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\adobe.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group

Installs Xtreme RAT

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Key created: HKEY_CURRENT_USER\SOFTWARE\XtremeRAT

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 568

Source: gKi3fKq4Kh.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: gKi3fKq4Kh.exe, type: SAMPLE	Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: gKi3fKq4Kh.exe, type: SAMPLE	Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: gKi3fKq4Kh.exe, type: SAMPLE	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 10.0.adobe.exe.480000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.adobe.exe.480000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 10.0.adobe.exe.480000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 10.0.adobe.exe.480000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.3.gKi3fKq4Kh.exe.2809474.5.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.gKi3fKq4Kh.exe.2809474.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.3.gKi3fKq4Kh.exe.2809474.5.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.gKi3fKq4Kh.exe.2809474.5.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 19.2.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 19.2.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 19.2.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 20.2.adobe.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.adobe.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 20.2.adobe.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 20.2.adobe.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 10.0.adobe.exe.480000.2.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.adobe.exe.480000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 10.0.adobe.exe.480000.2.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 10.0.adobe.exe.480000.2.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7.2.794bab1182.exe.3367554.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.794bab1182.exe.3367554.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 7.2.794bab1182.exe.3367554.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.2.794bab1182.exe.3367554.1.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 10.0.adobe.exe.480000.3.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.adobe.exe.480000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 10.0.adobe.exe.480000.3.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 10.0.adobe.exe.480000.3.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7.0.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 7.0.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.0.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7.2.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 7.2.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.2.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 23.0.adobe.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.0.adobe.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 23.0.adobe.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 23.0.adobe.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.3.gKi3fKq4Kh.exe.26c8474.0.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.gKi3fKq4Kh.exe.26c8474.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.3.gKi3fKq4Kh.exe.26c8474.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.gKi3fKq4Kh.exe.26c8474.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.3.gKi3fKq4Kh.exe.2809474.5.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.gKi3fKq4Kh.exe.2809474.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.3.gKi3fKq4Kh.exe.2809474.5.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.gKi3fKq4Kh.exe.2809474.5.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 23.2.adobe.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.adobe.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 23.2.adobe.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 23.2.adobe.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 20.0.adobe.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.adobe.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 20.0.adobe.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 20.0.adobe.exe.70000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7.2.794bab1182.exe.3367554.1.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.794bab1182.exe.3367554.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 7.2.794bab1182.exe.3367554.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.2.794bab1182.exe.3367554.1.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 10.0.adobe.exe.480000.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.adobe.exe.480000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 10.0.adobe.exe.480000.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 10.0.adobe.exe.480000.1.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 19.0.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 19.0.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 19.0.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 10.2.adobe.exe.480000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.adobe.exe.480000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 10.2.adobe.exe.480000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 10.2.adobe.exe.480000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.svchost.exe.10000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.svchost.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 0.2.gKi3fKq4Kh.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 0.2.gKi3fKq4Kh.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.gKi3fKq4Kh.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 0.0.gKi3fKq4Kh.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 0.0.gKi3fKq4Kh.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.gKi3fKq4Kh.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000017.00000000.506871291.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000017.00000000.506871291.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000002.385106851.0000000010047000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000013.00000000.466457674.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000013.00000000.466457674.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000003.387263414.0000000002809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.387263414.0000000002809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.389161206.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.389161206.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000A.00000002.640869740.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000A.00000002.640869740.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000014.00000002.501246127.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000014.00000002.501246127.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000000.00000003.377265205.00000000026C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.377265205.00000000026C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000A.00000000.412306049.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000A.00000000.412306049.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000000.368594046.0000000010047000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000000.00000003.377615498.0000000002949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.377615498.0000000002949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000013.00000002.479265241.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000013.00000002.479265241.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000001.00000000.375422528.0000000010047000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 0000000A.00000000.413119228.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000A.00000000.413119228.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000A.00000000.412702627.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000A.00000000.412702627.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000017.00000002.519357389.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000017.00000002.519357389.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000007.00000002.414543592.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000007.00000002.414543592.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000000.375372033.0000000010000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 00000001.00000000.375372033.0000000010000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Xtreme_Sep17_1 date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6, author = Florian Roth, description = Detects XTREME sample analyzed in September 2017, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000000.375372033.0000000010000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000007.00000002.415926103.0000000003365000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000007.00000002.415926103.0000000003365000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000007.00000000.382812726.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000007.00000000.382812726.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000A.00000000.412039638.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000A.00000000.412039638.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000014.00000000.488787385.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000014.00000000.488787385.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000000.368576082.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: RAT_Xtreme date = 01.04.2014, filetype = exe, ver = 2.9, 3.1, 3.2, 3.5, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Xtreme RAT, reference = http://malwareconfig.com/stats/Xtreme
Source: 00000000.00000000.368576082.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: C:\Users\user\AppData\Local\Temp\adobe.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\adobe.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\adobe.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\adobe.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

File created: C:\Windows\747MBR Regenerator v4.5.exe.exe

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 100037AC appears 177 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 10003B94 appears 94 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 10003A34 appears 95 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 10006D04 appears 88 times
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: String function: 100037AC appears 177 times
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: String function: 10003B94 appears 94 times
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: String function: 10003A34 appears 95 times
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: String function: 10006D04 appears 88 times

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_1000649C NtdllDefWindowProc_A,	0_2_1000649C
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_100064F4 NtdllDefWindowProc_A,	0_2_100064F4
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_1000BD14 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,	0_2_1000BD14
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_1000BD60 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,	0_2_1000BD60
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_10008568 VirtualFree,WriteFile,UnhookWindowsHookEx,SetFilePointer,GetFileSize,ReadFile,SetFilePointer,SetFileAttributesW,DeleteFileW,CreateFileW,WriteFile,CloseHandle,GetModuleHandleA,SetWindowsHookExW,UnhookWindowsHookEx,UnhookWindowsHookEx,GetModuleHandleA,SetWindowsHookExW,WriteFile,SetFilePointer,SetEndOfFile,NtdllDefWindowProc_A,	0_2_10008568
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_1000AF50 NtdllDefWindowProc_A,	0_2_1000AF50

Source: gKi3fKq4Kh.exe, 00000000.00000003.387263414.0000000002809000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMBR.exe@ vs gKi3fKq4Kh.exe
Source: gKi3fKq4Kh.exe, 00000000.00000003.377265205.00000000026C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMBR.exe@ vs gKi3fKq4Kh.exe
Source: gKi3fKq4Kh.exe, 00000000.00000003.382966085.00000000026C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMBR.exe@ vs gKi3fKq4Kh.exe
Source: gKi3fKq4Kh.exe, 00000000.00000003.377615498.0000000002949000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMBR.exe@ vs gKi3fKq4Kh.exe
Source: gKi3fKq4Kh.exe, 00000000.00000003.387733109.00000000026C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMBR.exe@ vs gKi3fKq4Kh.exe
Source: gKi3fKq4Kh.exe, 00000000.00000003.383163151.0000000003031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMBR.exe@ vs gKi3fKq4Kh.exe

Source: 747MBR Regenerator v4.5.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\794bab1182.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@19/9@1/1

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Code function: 0_2_100051E8 FindResourceW,SizeofResource,LoadResource,LockResource,FreeResource,

0_2_100051E8

Source: gKi3fKq4Kh.exe	Metadefender: Detection: 82%
Source: gKi3fKq4Kh.exe	ReversingLabs: Detection: 100%

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\gKi3fKq4Kh.exe "C:\Users\user\Desktop\gKi3fKq4Kh.exe"
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 568
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process created: C:\Users\user\AppData\Local\Temp\794bab1182.exe "C:\Users\user\AppData\Local\Temp\794bab1182.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 576
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process created: C:\Windows\747MBR Regenerator v4.5.exe "C:\Windows\747MBR Regenerator v4.5.exe"
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process created: C:\Users\user\AppData\Local\Temp\adobe.exe "C:\Users\user\AppData\Local\Temp\adobe.exe"
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\adobe.exe" "adobe.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\adobe.exe "C:\Users\user\AppData\Local\Temp\adobe.exe" ..
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\adobe.exe "C:\Users\user\AppData\Local\Temp\adobe.exe" ..
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\adobe.exe "C:\Users\user\AppData\Local\Temp\adobe.exe" ..
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process created: C:\Users\user\AppData\Local\Temp\794bab1182.exe "C:\Users\user\AppData\Local\Temp\794bab1182.exe"	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process created: C:\Windows\747MBR Regenerator v4.5.exe "C:\Windows\747MBR Regenerator v4.5.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process created: C:\Users\user\AppData\Local\Temp\adobe.exe "C:\Users\user\AppData\Local\Temp\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\adobe.exe" "adobe.exe" ENABLE	Jump to behavior

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

File created: C:\Users\user\AppData\Local\Temp\x.html

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\wzk5VL6RM0QU9blkPERSIST
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Mutant created: \Sessions\1\BaseNamedObjects\wzk5VL6RM0QU9blk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6700:120:WilError_01

Source: C:\Users\user\AppData\Local\Temp\adobe.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\747MBR Regenerator v4.5.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: gKi3fKq4Kh.exe

Static file information: File size 1556992 > 1048576

Source: gKi3fKq4Kh.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x16d200

Data Obfuscation

.NET source code contains potential unpacker

Source: 794bab1182.exe.0.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 747MBR Regenerator v4.5.exe.0.dr, u0004/u0002.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: adobe.exe.7.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.794bab1182.exe.cf0000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.794bab1182.exe.cf0000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.747MBR Regenerator v4.5.exe.7b0000.0.unpack, u0004/u0002.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1f777f760b787dc4d8cfb3fe867defca.exe.10.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.adobe.exe.480000.3.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.adobe.exe.480000.1.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.adobe.exe.480000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.adobe.exe.480000.2.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.adobe.exe.480000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.0.adobe.exe.8e0000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.adobe.exe.8e0000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.2.adobe.exe.70000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.0.adobe.exe.70000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.0.adobe.exe.110000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.adobe.exe.110000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_1000C038 push 1000C064h; ret	0_2_1000C05C
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_1000619C push 100061D4h; ret	0_2_100061CC
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_100051A0 push 100051CCh; ret	0_2_100051C4
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_100099C0 push 100099ECh; ret	0_2_100099E4
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_1000A240 push 1000A26Ch; ret	0_2_1000A264
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_100052B0 push 100052FCh; ret	0_2_100052F4
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_10004AF8 push 10004B49h; ret	0_2_10004B41
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_1000AB30 push 1000AB68h; ret	0_2_1000AB60
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_1000AB74 push 1000ABA0h; ret	0_2_1000AB98
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_10006464 push 10006490h; ret	0_2_10006488
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_1000BC98 push 1000BD08h; ret	0_2_1000BD00
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_1000A4A0 push 1000A4D3h; ret	0_2_1000A4CB
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_1000BCA4 push 1000BD08h; ret	0_2_1000BD00
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_1000BD14 push 1000BD08h; ret	0_2_1000BD00
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_10004D28 push 10004D54h; ret	0_2_10004D4C
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_10004D60 push 10004D8Ch; ret	0_2_10004D84
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_10006630 push 1000665Ch; ret	0_2_10006654
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_1000966C push 100096F4h; ret	0_2_100096EC
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_1000B6C0 push 1000B6ECh; ret	0_2_1000B6E4
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_100096F6 push 10009781h; ret	0_2_10009779
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_100096F8 push 10009781h; ret	0_2_10009779
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_1000AF90 push 1000AFBCh; ret	0_2_1000AFB4
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_1000AFC8 push 1000AFBCh; ret	0_2_1000AFB4
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Code function: 0_2_1000CFE0 push 1000D02Eh; ret	0_2_1000D026
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_1000C038 push 1000C064h; ret	1_2_1000C05C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_1000619C push 100061D4h; ret	1_2_100061CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_100051A0 push 100051CCh; ret	1_2_100051C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_100099C0 push 100099ECh; ret	1_2_100099E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_1000A240 push 1000A26Ch; ret	1_2_1000A264
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_100052B0 push 100052FCh; ret	1_2_100052F4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10004AF8 push 10004B49h; ret	1_2_10004B41

Source: adobe.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x12492
Source: 1f777f760b787dc4d8cfb3fe867defca.exe.10.dr	Static PE information: real checksum: 0x0 should be: 0x12492
Source: gKi3fKq4Kh.exe	Static PE information: real checksum: 0x5ccb1 should be: 0x17ef59
Source: 794bab1182.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x12492

Source: initial sample

Static PE information: section name: .text entropy: 7.966382769153741

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Executable created and started: C:\Windows\747MBR Regenerator v4.5.exe

Jump to behavior

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	File created: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	File created: C:\Users\user\AppData\Local\Temp\adobe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	File created: C:\Windows\747MBR Regenerator v4.5.exe	Jump to dropped file

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

File created: C:\Windows\747MBR Regenerator v4.5.exe

Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\AppData\Local\Temp\adobe.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe

Jump to dropped file

Creates autostart registry keys with suspicious names

Source: C:\Users\user\AppData\Local\Temp\adobe.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 1f777f760b787dc4d8cfb3fe867defca

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\adobe.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\adobe.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 1f777f760b787dc4d8cfb3fe867defca			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 1f777f760b787dc4d8cfb3fe867defca			Jump to behavior

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_0-10958
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_0-10958

Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe TID: 6520	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe TID: 6468	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe TID: 3396	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe TID: 5444	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-11372

Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\adobe.exe

Window / User API: threadDelayed 4548

Jump to behavior

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

API coverage: 8.0 %

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Evaded block: after key decision

graph_0-10985

Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	API call chain: ExitProcess graph end node	graph_0-10800
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	API call chain: ExitProcess graph end node	graph_0-11099
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	API call chain: ExitProcess graph end node	graph_0-11166

Source: adobe.exe, 0000000A.00000002.641444169.0000000000AEC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllxu
Source: gKi3fKq4Kh.exe	Binary or memory string: jiejwogfdjieovevodnvfnievngsegtsrgrefsfsfsgrsgrttrhgtehgfsgrfgtrwegtrejytjyegrsfvfbgfsdfhgtrfsgfrsgfgregtregtrfrgjbfdkbnfsdjbvofsjfrfreSVWU
Source: adobe.exe, 0000000A.00000002.641444169.0000000000AEC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWe=neutral, Pub
Source: gKi3fKq4Kh.exe, svchost.exe	Binary or memory string: trhgtehgfsgrfgtrwegtre
Source: netsh.exe, 0000000F.00000002.451857662.0000000000B78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\adobe.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Code function: 0_2_10005CA4 FindFirstFileW,FindClose,

0_2_10005CA4

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\747MBR Regenerator v4.5.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 10000000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 10000000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 10000000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 10000000 value starts with: 4D5A			Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Code function: 0_2_1000BD14 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,

0_2_1000BD14

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 1000C9D0

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 10000000			Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 10000000			Jump to behavior

.NET source code references suspicious native API functions

Source: 794bab1182.exe.0.dr, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 794bab1182.exe.0.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: adobe.exe.7.dr, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: adobe.exe.7.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.794bab1182.exe.cf0000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 7.0.794bab1182.exe.cf0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.2.794bab1182.exe.cf0000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 7.2.794bab1182.exe.cf0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1f777f760b787dc4d8cfb3fe867defca.exe.10.dr, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 1f777f760b787dc4d8cfb3fe867defca.exe.10.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 10.0.adobe.exe.480000.3.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 10.0.adobe.exe.480000.3.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 10.0.adobe.exe.480000.1.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 10.0.adobe.exe.480000.1.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 10.2.adobe.exe.480000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 10.2.adobe.exe.480000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 10.0.adobe.exe.480000.2.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 10.0.adobe.exe.480000.2.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 10.0.adobe.exe.480000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 10.0.adobe.exe.480000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 19.0.adobe.exe.8e0000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 19.0.adobe.exe.8e0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 19.2.adobe.exe.8e0000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 19.2.adobe.exe.8e0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 20.2.adobe.exe.70000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 20.2.adobe.exe.70000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 20.0.adobe.exe.70000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 20.0.adobe.exe.70000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 23.0.adobe.exe.110000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 23.0.adobe.exe.110000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 23.2.adobe.exe.110000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 23.2.adobe.exe.110000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Code function: 0_2_100098A8 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle,

0_2_100098A8

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process created: C:\Users\user\AppData\Local\Temp\794bab1182.exe "C:\Users\user\AppData\Local\Temp\794bab1182.exe"	Jump to behavior
Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe	Process created: C:\Windows\747MBR Regenerator v4.5.exe "C:\Windows\747MBR Regenerator v4.5.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe	Process created: C:\Users\user\AppData\Local\Temp\adobe.exe "C:\Users\user\AppData\Local\Temp\adobe.exe"	Jump to behavior

Source: adobe.exe, 0000000A.00000002.642162794.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: adobe.exe, 0000000A.00000002.642162794.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager\|9Hq
Source: adobe.exe, 0000000A.00000002.642162794.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager<

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Code function: GetLocaleInfoA,

0_2_10004A84

Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\747MBR Regenerator v4.5.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adobe.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\747MBR Regenerator v4.5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Code function: 0_2_10006B14 GetLocalTime,

0_2_10006B14

Source: C:\Users\user\Desktop\gKi3fKq4Kh.exe

Code function: 0_2_10004B4D GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,

0_2_10004B4D

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Local\Temp\adobe.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\adobe.exe" "adobe.exe" ENABLE

Modifies the windows firewall

Source: C:\Users\user\AppData\Local\Temp\adobe.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\adobe.exe" "adobe.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: 10.0.adobe.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gKi3fKq4Kh.exe.2809474.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.adobe.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.adobe.exe.480000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.794bab1182.exe.3367554.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.adobe.exe.480000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.adobe.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gKi3fKq4Kh.exe.26c8474.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gKi3fKq4Kh.exe.2809474.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.adobe.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.adobe.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.794bab1182.exe.3367554.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.adobe.exe.480000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.adobe.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000000.506871291.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.466457674.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.387263414.0000000002809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.389161206.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.640869740.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.501246127.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.377265205.00000000026C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.412306049.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.377615498.0000000002949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.479265241.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.412702627.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.413119228.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.519357389.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.414543592.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.415926103.0000000003365000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.382812726.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.412039638.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.488787385.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gKi3fKq4Kh.exe PID: 2576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 794bab1182.exe PID: 6504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 5920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 5524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 4360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 2980, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\adobe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe, type: DROPPED

Remote Access Functionality

Detected njRat

Source: 794bab1182.exe.0.dr, OK.cs	.Net Code: njRat config detected
Source: adobe.exe.7.dr, OK.cs	.Net Code: njRat config detected
Source: 7.0.794bab1182.exe.cf0000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 7.2.794bab1182.exe.cf0000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 1f777f760b787dc4d8cfb3fe867defca.exe.10.dr, OK.cs	.Net Code: njRat config detected
Source: 10.0.adobe.exe.480000.3.unpack, OK.cs	.Net Code: njRat config detected
Source: 10.0.adobe.exe.480000.1.unpack, OK.cs	.Net Code: njRat config detected
Source: 10.2.adobe.exe.480000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 10.0.adobe.exe.480000.2.unpack, OK.cs	.Net Code: njRat config detected
Source: 10.0.adobe.exe.480000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 19.0.adobe.exe.8e0000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 19.2.adobe.exe.8e0000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 20.2.adobe.exe.70000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 20.0.adobe.exe.70000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 23.0.adobe.exe.110000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 23.2.adobe.exe.110000.0.unpack, OK.cs	.Net Code: njRat config detected

Yara detected Njrat

Source: Yara match	File source: 10.0.adobe.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gKi3fKq4Kh.exe.2809474.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.adobe.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.adobe.exe.480000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.794bab1182.exe.3367554.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.adobe.exe.480000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.794bab1182.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.adobe.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gKi3fKq4Kh.exe.26c8474.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gKi3fKq4Kh.exe.2809474.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.adobe.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.adobe.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.794bab1182.exe.3367554.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.adobe.exe.480000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.adobe.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.adobe.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000000.506871291.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.466457674.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.387263414.0000000002809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.389161206.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.640869740.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.501246127.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.377265205.00000000026C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.412306049.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.377615498.0000000002949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.479265241.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.412702627.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.413119228.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.519357389.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.414543592.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.415926103.0000000003365000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.382812726.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.412039638.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.488787385.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gKi3fKq4Kh.exe PID: 2576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 794bab1182.exe PID: 6504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 5920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 5524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 4360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 2980, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\adobe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	22 Native API	221 Registry Run Keys / Startup Folder	612 Process Injection	21 Disable or Modify Tools	231 Input Capture	1 System Time Discovery	1 Replication Through Removable Media	231 Input Capture	1 Exfiltration Over Alternative Protocol	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	221 Registry Run Keys / Startup Folder	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	2 Clipboard Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	13 Software Packing	NTDS	24 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	121 Masquerading	LSA Secrets	1 Query Registry	SSH	Keylogging	Data Transfer Size Limits	211 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	111 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	612 Process Injection	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	31 Virtualization/Sandbox Evasion	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 Application Window Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 Remote System Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
gKi3fKq4Kh.exe	83%	Metadefender		Browse
gKi3fKq4Kh.exe	100%	ReversingLabs	Win32.Backdoor.XtremeRAT
gKi3fKq4Kh.exe	100%	Avira	TR/Agent.hklh
gKi3fKq4Kh.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\794bab1182.exe	100%	Avira	TR/Dropper.Gen7
C:\Users\user\AppData\Local\Temp\adobe.exe	100%	Avira	TR/Dropper.Gen7
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe	100%	Avira	TR/Dropper.Gen7
C:\Users\user\AppData\Local\Temp\794bab1182.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\adobe.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\794bab1182.exe	91%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\794bab1182.exe	98%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Temp\adobe.exe	91%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\adobe.exe	98%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe	91%	Metadefender		Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe	98%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Windows\747MBR Regenerator v4.5.exe	9%	Metadefender		Browse
C:\Windows\747MBR Regenerator v4.5.exe	3%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
7.0.794bab1182.exe.cf0000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
1.2.svchost.exe.10000000.0.unpack	100%	Avira	TR/Agent.ssnsz	Download File
10.0.adobe.exe.480000.3.unpack	100%	Avira	TR/Dropper.Gen7	Download File
7.2.794bab1182.exe.cf0000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
0.2.gKi3fKq4Kh.exe.10000000.0.unpack	100%	Avira	TR/Agent.ssnsz	Download File
10.0.adobe.exe.480000.1.unpack	100%	Avira	TR/Dropper.Gen7	Download File
10.2.adobe.exe.480000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
20.2.adobe.exe.70000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
10.0.adobe.exe.480000.2.unpack	100%	Avira	TR/Dropper.Gen7	Download File
19.0.adobe.exe.8e0000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
0.0.gKi3fKq4Kh.exe.10000000.0.unpack	100%	Avira	TR/Agent.hklh	Download File
10.0.adobe.exe.480000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
19.2.adobe.exe.8e0000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
23.0.adobe.exe.110000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
23.2.adobe.exe.110000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
20.0.adobe.exe.70000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
1.0.svchost.exe.10000000.0.unpack	100%	Avira	TR/Agent.ssnsz	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.smartassembly.com	0%	Avira URL Cloud	safe
http://www.urwpp.de&	0%	Avira URL Cloud	safe
http://www.sajatypeworks.comicoM	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
babaloo.duckdns.org	0%	Avira URL Cloud	safe
http://en.w	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
babaloo.duckdns.org	141.255.147.50	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
babaloo.duckdns.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.smartassembly.com	747MBR Regenerator v4.5.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.urwpp.de&	747MBR Regenerator v4.5.exe, 00000009.00000003.435601484.000000001BEB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.sajatypeworks.comicoM	747MBR Regenerator v4.5.exe, 00000009.00000003.418962747.000000001BE72000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.com	747MBR Regenerator v4.5.exe, 00000009.00000003.427520259.000000001BE78000.00000004.00000020.00020000.00000000.sdmp, 747MBR Regenerator v4.5.exe, 00000009.00000003.427620869.000000001BE78000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://en.w	747MBR Regenerator v4.5.exe, 00000009.00000003.425486975.000000001BE7B000.00000004.00000020.00020000.00000000.sdmp, 747MBR Regenerator v4.5.exe, 00000009.00000003.425474373.000000001BE7A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	747MBR Regenerator v4.5.exe, 00000009.00000003.418962747.000000001BE72000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.255.147.50	babaloo.duckdns.org	France		29075	IELOIELOMainNetworkFR	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	651955
Start date and time: 24/06/202217:55:31	2022-06-24 17:55:31 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	gKi3fKq4Kh.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@19/9@1/1
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 33 Number of non-executed functions: 153
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.152.110.14, 40.125.122.176, 52.242.101.226, 20.223.24.244, 20.54.89.106
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target svchost.exe, PID 6456 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: gKi3fKq4Kh.exe

Simulations

Behavior and APIs

Time	Type	Description
17:57:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 1f777f760b787dc4d8cfb3fe867defca "C:\Users\user\AppData\Local\Temp\adobe.exe" ..
17:57:28	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 1f777f760b787dc4d8cfb3fe867defca "C:\Users\user\AppData\Local\Temp\adobe.exe" ..
17:57:37	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 1f777f760b787dc4d8cfb3fe867defca "C:\Users\user\AppData\Local\Temp\adobe.exe" ..
17:57:47	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
141.255.147.50	8BB700898B529BC602316E44EE626D47986FD24775D02.exe	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
IELOIELOMainNetworkFR	7DABE14897DDFF2206AB44A43F56872FF90E1FB72BD33.exe	Get hash	malicious	Browse	141.255.146.232
	8BB700898B529BC602316E44EE626D47986FD24775D02.exe	Get hash	malicious	Browse	141.255.147.50
	AB0B2472713C5B3B9521D4B725D2721D0FD4207CF2091.exe	Get hash	malicious	Browse	91.109.186.2
	skjuxRGg4H.exe	Get hash	malicious	Browse	91.109.176.11
	C4tqQ3quOl	Get hash	malicious	Browse	91.109.185.217
	FDACD07D5B4337250F82A03192B0BE1AF1DB598307BC1.exe	Get hash	malicious	Browse	141.255.156.1
	EBC0DDB3A6B0DBA07DEFAA837069CE4E340789325BB96.exe	Get hash	malicious	Browse	141.255.147.164
	31E95C001FCDE0FC9D96FCF9DCCCC27445CEDBB22E095.exe	Get hash	malicious	Browse	91.109.182.6
	MAL.pub	Get hash	malicious	Browse	141.255.151.63
	test.exe	Get hash	malicious	Browse	91.109.190.5
	43938BE01F7EB07EA079505CF0B7D739DEB10F1035294.exe	Get hash	malicious	Browse	91.109.190.7
	57s7kpTftV.exe	Get hash	malicious	Browse	91.109.182.4
	NZ0atB7Y7r.exe	Get hash	malicious	Browse	91.109.186.12
	rubix.arm	Get hash	malicious	Browse	188.121.243.183
	www.admin.booking.com_extranet_ngmanagebooking.htmlres_id=3949840873pdf.bat	Get hash	malicious	Browse	141.255.151.63
	yJa3zrWCsJ.exe	Get hash	malicious	Browse	91.109.178.8
	kuwlX57hcF.exe	Get hash	malicious	Browse	91.109.178.8
	X4ugKhaw5s.exe	Get hash	malicious	Browse	91.109.178.8
	0FE89ED6775AFF2AEEDDE96F4851D85634F4FA801919A.exe	Get hash	malicious	Browse	91.109.186.7
	8FA3B2EB7650AC7FF7DBBEED506E3F17B805D64D69327.exe	Get hash	malicious	Browse	91.109.186.5

Process:	C:\Users\user\AppData\Local\Temp\794bab1182.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
MD5:	80EFBEC081D7836D240503C4C9465FEC
SHA1:	6AF398E08A359457083727BAF296445030A55AC3
SHA-256:	C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
SHA-512:	DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\adobe.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\adobe.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
MD5:	80EFBEC081D7836D240503C4C9465FEC
SHA1:	6AF398E08A359457083727BAF296445030A55AC3
SHA-256:	C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
SHA-512:	DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Temp\794bab1182.exe

Download File

Process:	C:\Users\user\Desktop\gKi3fKq4Kh.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.528943143377659
Encrypted:	false
SSDEEP:	384:CwTSiYWD2Z7w3CsJeiecwJ3fw6FgzeAh33RtmRvR6JZlbw8hqIusZzZz1+:hvZiBK1edJRpcnuT
MD5:	1858BBF45BE50E685409DB249B798996
SHA1:	A68B17653E12F9F9A7B740397620172D901F402C
SHA-256:	FF27F45369D6383E728A72923474E1CEF2F983827F105CB53FFFB852A5B9075A
SHA-512:	6B8FF0CEC4E0D79AC68E7D8595B7420EF3DC6D5EF4A458DD49FFB754CFDBA34026EBF60561CB20FDCF00D983AA76D1F0617D9DFE89B932532C8837C34642FA11
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, Author: Joe Security Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, Author: ditekSHen Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, Author: JPCERT/CC Incident Response Group
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 91%, Browse Antivirus: ReversingLabs, Detection: 98%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.`.................V...........t... ........@.. ....................................@.................................Ht..S.......@............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...@............X..............@..@.reloc...............\..............@..B.................t......H.......,K...)....../....................................................0..........r...p.....r3..p...........r=..p.....rQ..p.....r[..p.....r...p.....r...p.....r...p.....r...p(.........r...p(.........r...p(.........r...p(.........(....o....s.........s.....................r...p...........s......... ..............rA..p..............0..;.......~....o....o....rC..p~....(.....o.....o......%(.....(...............,,.......0..D.......~....o....o....rC..p~....(....o......(....o.....

C:\Users\user\AppData\Local\Temp\794bab1182.exe.exe

Download File

Process:	C:\Users\user\Desktop\gKi3fKq4Kh.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:j:j
MD5:	A2CE4C7B743725199DA04033B5B57469
SHA1:	1AE348EAFA097AB898941EAFE912D711A407DA10
SHA-256:	0FFF86057DCFB3975C8BC44459740BA5FFB43551931163538DF3F39A6BB991BC
SHA-512:	23BD59F57B16CD496B550C1BBA09EB3F9A9DFE764EA03470E3CC43E4D0B4CA415D239772E4A9B930749E88CEAD9A7EC4B0A77D0DD310E61D8C6521AE6FF278B0
Malicious:	true
Preview:	O.K.

C:\Users\user\AppData\Local\Temp\adobe.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\794bab1182.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.528943143377659
Encrypted:	false
SSDEEP:	384:CwTSiYWD2Z7w3CsJeiecwJ3fw6FgzeAh33RtmRvR6JZlbw8hqIusZzZz1+:hvZiBK1edJRpcnuT
MD5:	1858BBF45BE50E685409DB249B798996
SHA1:	A68B17653E12F9F9A7B740397620172D901F402C
SHA-256:	FF27F45369D6383E728A72923474E1CEF2F983827F105CB53FFFB852A5B9075A
SHA-512:	6B8FF0CEC4E0D79AC68E7D8595B7420EF3DC6D5EF4A458DD49FFB754CFDBA34026EBF60561CB20FDCF00D983AA76D1F0617D9DFE89B932532C8837C34642FA11
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\adobe.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\adobe.exe, Author: Joe Security Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\adobe.exe, Author: ditekSHen Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\adobe.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\adobe.exe, Author: JPCERT/CC Incident Response Group
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 91%, Browse Antivirus: ReversingLabs, Detection: 98%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.`.................V...........t... ........@.. ....................................@.................................Ht..S.......@............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...@............X..............@..@.reloc...............\..............@..B.................t......H.......,K...)....../....................................................0..........r...p.....r3..p...........r=..p.....rQ..p.....r[..p.....r...p.....r...p.....r...p.....r...p(.........r...p(.........r...p(.........r...p(.........(....o....s.........s.....................r...p...........s......... ..............rA..p..............0..;.......~....o....o....rC..p~....(.....o.....o......%(.....(...............,,.......0..D.......~....o....o....rC..p~....(....o......(....o.....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\adobe.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.528943143377659
Encrypted:	false
SSDEEP:	384:CwTSiYWD2Z7w3CsJeiecwJ3fw6FgzeAh33RtmRvR6JZlbw8hqIusZzZz1+:hvZiBK1edJRpcnuT
MD5:	1858BBF45BE50E685409DB249B798996
SHA1:	A68B17653E12F9F9A7B740397620172D901F402C
SHA-256:	FF27F45369D6383E728A72923474E1CEF2F983827F105CB53FFFB852A5B9075A
SHA-512:	6B8FF0CEC4E0D79AC68E7D8595B7420EF3DC6D5EF4A458DD49FFB754CFDBA34026EBF60561CB20FDCF00D983AA76D1F0617D9DFE89B932532C8837C34642FA11
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe, Author: Joe Security Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe, Author: ditekSHen Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe, Author: JPCERT/CC Incident Response Group
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 91%, Browse Antivirus: ReversingLabs, Detection: 98%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.`.................V...........t... ........@.. ....................................@.................................Ht..S.......@............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...@............X..............@..@.reloc...............\..............@..B.................t......H.......,K...)....../....................................................0..........r...p.....r3..p...........r=..p.....rQ..p.....r[..p.....r...p.....r...p.....r...p.....r...p(.........r...p(.........r...p(.........r...p(.........(....o....s.........s.....................r...p...........s......... ..............rA..p..............0..;.......~....o....o....rC..p~....(.....o.....o......%(.....(...............,,.......0..D.......~....o....o....rC..p~....(....o......(....o.....

C:\Windows\747MBR Regenerator v4.5.exe

Download File

Process:	C:\Users\user\Desktop\gKi3fKq4Kh.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1189376
Entropy (8bit):	7.6880978588181685
Encrypted:	false
SSDEEP:	24576:VTRqE2rb1UKApqrqI9PGi0gf0zQn8qqROJH40UdSX4ovytII6:VTr0b13ApqrqI9PORO8qLYN3UI6
MD5:	FCA2AA6D8039DD107AFF1A3CFBE97F7B
SHA1:	7D47EB1EC59C3381CED53AF2AFE4A5C14CDF86F5
SHA-256:	78729C8E1D3DCC6C70445016E36EB07D79D87033EB124598363038B7D001769F
SHA-512:	F3CCCE78945455536AC6F077EA15B49A73F560043DCF47A054F749E389DF2E9B8FBAB7AC5008E0971B7B8489D359FE2E9F96BC54ED57CFAA94B703CFC3D148BE
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 9%, Browse Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......N....................."...........@... ....@.. ....................................@.....................................X.... ..8....................`..........................................................................H............rsrc...8.... ... ..................@..@.text...p....@.......".............. ..`.reloc.......`.......$..............@..B....................................0.......h...............................................................................................(.......................@.......................X.......................p...........................................................................................................................................................................@&..(...........h...................(B..........8....%...........*...............;..L............!..L............;..]...

C:\Windows\747MBR Regenerator v4.5.exe.exe

Download File

Process:	C:\Users\user\Desktop\gKi3fKq4Kh.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:j:j
MD5:	A2CE4C7B743725199DA04033B5B57469
SHA1:	1AE348EAFA097AB898941EAFE912D711A407DA10
SHA-256:	0FFF86057DCFB3975C8BC44459740BA5FFB43551931163538DF3F39A6BB991BC
SHA-512:	23BD59F57B16CD496B550C1BBA09EB3F9A9DFE764EA03470E3CC43E4D0B4CA415D239772E4A9B930749E88CEAD9A7EC4B0A77D0DD310E61D8C6521AE6FF278B0
Malicious:	false
Preview:	O.K.

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.536751075410278
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	gKi3fKq4Kh.exe
File size:	1556992
MD5:	ee24b7367c090788a5d86d24bceb27d2
SHA1:	b88a3bf151e935051c6731a42af97b523bf6c2fb
SHA256:	484310027c8e469f5154e53c9d3543095410b68730722158848b01d5a842642c
SHA512:	51756aca07c2330607906f9f68b696344531f6244c23fc8de26ae12ebb9610c8954cf9f2a8a3be5d0d77fe13f4681623d06cbf1351f285099a47b17bfa072929
SSDEEP:	24576:xDBDlQkQvALBxR01QpSO2BrrE11MXL/3ButMGmXp3Z8DED2LE1:xDBDcAu1QpSOH11QLvc2Gm53CED2o1
TLSH:	99751250B644C8FBC86506B49C16D07015BABDAA69A1994D7DF23F0F7CB239320EBE07
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	14f2d1f0dc7c3045

Static PE Info

General

Entrypoint:	0x1000d0f4
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d98325588570403f283a229c660142db

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov ecx, 000002BCh
push 00000000h
push 00000000h
dec ecx
jne 00007FF7B18A40BBh
push ebx
push esi
push edi
mov eax, 1000D030h
call 00007FF7B189BC99h
mov edi, 1000F834h
xor eax, eax
push ebp
push 1000D759h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
mov eax, 1000D0D0h
call 00007FF7B1899FBCh
mov eax, dword ptr [1000E134h]
mov byte ptr [eax], 00000001h
push 00008007h
call 00007FF7B189BEA6h
lea edx, dword ptr [ebp-14h]
mov eax, 00000001h
call 00007FF7B189C8CDh
mov eax, dword ptr [ebp-14h]
mov edx, 1000D76Ch
call 00007FF7B189A9A0h
jne 00007FF7B18A40FDh
lea edx, dword ptr [ebp-18h]
xor eax, eax
call 00007FF7B189C8B4h
mov edx, dword ptr [ebp-18h]
mov eax, 10012580h
call 00007FF7B189A6FFh
push 00000000h
push 00000000h
push 00000000h
mov eax, dword ptr [10012580h]
call 00007FF7B189A84Fh
push eax
push 1000D77Ch
push 00000000h
call 00007FF7B18A262Eh
push 00000000h
call 00007FF7B189BD67h
lea edx, dword ptr [ebp-1Ch]
mov eax, 00000001h
call 00007FF7B189C876h
mov eax, dword ptr [ebp-1Ch]
mov edx, 1000D78Ch
call 00007FF7B189A949h
jne 00007FF7B18A40CCh
push 00001770h
call 00007FF7B189BE61h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x44000	0xf9e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x48000	0x16d044	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x47000	0xc5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x46000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0xc828	0xca00	False	0.5406675433168316	data	6.246857924236235	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xe000	0x138	0x200	False	0.37109375	data	2.6875021606861305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xf000	0x342d9	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x44000	0xf9e	0x1000	False	0.39404296875	data	4.698355445739603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x45000	0x8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x46000	0x18	0x200	False	0.052734375	data	0.2491299020576082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x47000	0xc5c	0xe00	False	0.7179129464285714	data	6.264900000779177	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x48000	0x16d044	0x16d200	False	0.8587578365713797	data	7.561175819870481	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x483d4	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x58bfc	0x94a8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x620a4	0x4228	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x662cc	0x25a8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x68874	0x10a8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x6991c	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x7a144	0x94a8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x835ec	0x4228	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x87814	0x25a8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x89dbc	0x10a8	dBase III DBT, version number 0, next free block index 40
RT_RCDATA	0x8ae64	0x10	data
RT_RCDATA	0x8ae74	0x108	data
RT_RCDATA	0x8af7c	0x1390	data
RT_RCDATA	0x8c30c	0x128ca0	data
RT_GROUP_ICON	0x1b4fac	0x4c	data
RT_GROUP_ICON	0x1b4ff8	0x4c	data

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, WideCharToMultiByte, MultiByteToWideChar, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, MessageBoxA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExW, RegQueryValueExW, RegOpenKeyExW, RegCreateKeyW, RegCloseKey
kernel32.dll	lstrlenW, WriteProcessMemory, WriteFile, WaitForSingleObject, VirtualProtectEx, VirtualFreeEx, VirtualFree, VirtualAllocEx, VirtualAlloc, TerminateThread, TerminateProcess, Sleep, SizeofResource, SetThreadPriority, SetThreadContext, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ReadProcessMemory, ReadFile, LockResource, LoadResource, LoadLibraryA, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalLock, GetWindowsDirectoryW, GetThreadContext, GetTempPathW, GetSystemDirectoryW, GetModuleHandleA, GetModuleFileNameW, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesW, GetCommandLineW, FreeResource, InterlockedIncrement, InterlockedDecrement, FindResourceW, FindFirstFileW, FindClose, ExitProcess, DeleteFileW, DeleteCriticalSection, CreateThread, CreateRemoteThread, CreateProcessW, CreateMutexW, CreateFileW, CreateEventA, CreateDirectoryW, CopyFileW, CloseHandle
user32.dll	CreateWindowExW, CreateWindowExA, UnregisterClassW, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, ShowWindow, SetWindowsHookExW, SetWindowLongA, SetClipboardViewer, SendMessageA, RegisterWindowMessageW, RegisterClassW, RegisterClassA, PostMessageA, PeekMessageA, OpenClipboard, MapVirtualKeyW, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowLongA, GetMessageA, GetKeyboardLayout, GetKeyState, GetForegroundWindow, GetDesktopWindow, GetClipboardData, GetClassInfoA, DispatchMessageA, DestroyWindow, DefWindowProcA, CloseClipboard, CharUpperW, CharNextW, CharLowerW, CallNextHookEx
shlwapi.dll	SHDeleteKeyW
shell32.dll	SHGetPathFromIDListW, SHGetSpecialFolderLocation, SHGetMalloc, FindExecutableW
URLMON.DLL	URLDownloadToCacheFileW
wininet.dll	InternetCloseHandle, FtpPutFileW, FtpSetCurrentDirectoryW, InternetOpenW, InternetConnectW
user32.dll	GetKeyboardState, ToUnicodeEx
shell32.dll	ShellExecuteW
ntdll.dll	NtUnmapViewOfSection
shlwapi.dll	SHDeleteValueW, SHDeleteKeyW

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.6141.255.147.504977411822814856 06/24/22-17:57:22.268200	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49774	1182	192.168.2.6	141.255.147.50
192.168.2.6141.255.147.504977411822033132 06/24/22-17:57:22.048969	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49774	1182	192.168.2.6	141.255.147.50
192.168.2.6141.255.147.504977411822825563 06/24/22-17:57:22.268200	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49774	1182	192.168.2.6	141.255.147.50
192.168.2.6141.255.147.504977411822814860 06/24/22-17:58:58.665134	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49774	1182	192.168.2.6	141.255.147.50
192.168.2.6141.255.147.504977411822825564 06/24/22-17:58:58.665134	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49774	1182	192.168.2.6	141.255.147.50

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 24, 2022 17:57:21.339171886 CEST	49774	1182	192.168.2.6	141.255.147.50
Jun 24, 2022 17:57:21.504998922 CEST	1182	49774	141.255.147.50	192.168.2.6
Jun 24, 2022 17:57:21.505120039 CEST	49774	1182	192.168.2.6	141.255.147.50
Jun 24, 2022 17:57:22.048969030 CEST	49774	1182	192.168.2.6	141.255.147.50
Jun 24, 2022 17:57:22.268106937 CEST	1182	49774	141.255.147.50	192.168.2.6
Jun 24, 2022 17:57:22.268199921 CEST	49774	1182	192.168.2.6	141.255.147.50
Jun 24, 2022 17:57:22.477569103 CEST	1182	49774	141.255.147.50	192.168.2.6
Jun 24, 2022 17:57:27.128601074 CEST	49774	1182	192.168.2.6	141.255.147.50
Jun 24, 2022 17:57:27.337821960 CEST	1182	49774	141.255.147.50	192.168.2.6
Jun 24, 2022 17:57:27.697654963 CEST	1182	49774	141.255.147.50	192.168.2.6
Jun 24, 2022 17:57:27.701221943 CEST	49774	1182	192.168.2.6	141.255.147.50
Jun 24, 2022 17:57:27.932090998 CEST	1182	49774	141.255.147.50	192.168.2.6
Jun 24, 2022 17:57:45.717359066 CEST	1182	49774	141.255.147.50	192.168.2.6
Jun 24, 2022 17:57:45.718348026 CEST	49774	1182	192.168.2.6	141.255.147.50
Jun 24, 2022 17:57:45.927191019 CEST	1182	49774	141.255.147.50	192.168.2.6
Jun 24, 2022 17:58:03.740978956 CEST	1182	49774	141.255.147.50	192.168.2.6
Jun 24, 2022 17:58:03.744545937 CEST	49774	1182	192.168.2.6	141.255.147.50
Jun 24, 2022 17:58:03.970599890 CEST	1182	49774	141.255.147.50	192.168.2.6
Jun 24, 2022 17:58:21.812078953 CEST	1182	49774	141.255.147.50	192.168.2.6
Jun 24, 2022 17:58:21.812890053 CEST	49774	1182	192.168.2.6	141.255.147.50
Jun 24, 2022 17:58:22.032814026 CEST	1182	49774	141.255.147.50	192.168.2.6
Jun 24, 2022 17:58:39.834538937 CEST	1182	49774	141.255.147.50	192.168.2.6
Jun 24, 2022 17:58:39.842678070 CEST	49774	1182	192.168.2.6	141.255.147.50
Jun 24, 2022 17:58:40.059125900 CEST	1182	49774	141.255.147.50	192.168.2.6
Jun 24, 2022 17:58:42.035995007 CEST	49774	1182	192.168.2.6	141.255.147.50
Jun 24, 2022 17:58:42.253650904 CEST	1182	49774	141.255.147.50	192.168.2.6
Jun 24, 2022 17:58:50.539097071 CEST	49774	1182	192.168.2.6	141.255.147.50
Jun 24, 2022 17:58:50.758990049 CEST	1182	49774	141.255.147.50	192.168.2.6
Jun 24, 2022 17:58:57.891163111 CEST	1182	49774	141.255.147.50	192.168.2.6
Jun 24, 2022 17:58:57.891724110 CEST	49774	1182	192.168.2.6	141.255.147.50
Jun 24, 2022 17:58:58.105972052 CEST	1182	49774	141.255.147.50	192.168.2.6
Jun 24, 2022 17:58:58.665133953 CEST	49774	1182	192.168.2.6	141.255.147.50
Jun 24, 2022 17:58:58.936659098 CEST	1182	49774	141.255.147.50	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 24, 2022 17:57:21.227395058 CEST	60350	53	192.168.2.6	8.8.8.8
Jun 24, 2022 17:57:21.333596945 CEST	53	60350	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 24, 2022 17:57:21.227395058 CEST	192.168.2.6	8.8.8.8	0x1d82	Standard query (0)	babaloo.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 24, 2022 17:57:21.333596945 CEST	8.8.8.8	192.168.2.6	0x1d82	No error (0)	babaloo.duckdns.org		141.255.147.50	A (IP address)	IN (0x0001)

Target ID:	0
Start time:	17:56:42
Start date:	24/06/2022
Path:	C:\Users\user\Desktop\gKi3fKq4Kh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\gKi3fKq4Kh.exe"
Imagebase:	0x10000000
File size:	1556992 bytes
MD5 hash:	EE24B7367C090788A5D86D24BCEB27D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.387263414.0000000002809000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.387263414.0000000002809000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000003.387263414.0000000002809000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.389161206.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.389161206.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.389161206.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_XtremeRat, Description: Yara detected Xtreme RAT, Source: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.377265205.00000000026C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.377265205.00000000026C8000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000003.377265205.00000000026C8000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000000.00000000.368594046.0000000010047000.00000002.00000001.01000000.00000003.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.377615498.0000000002949000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.377615498.0000000002949000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000003.377615498.0000000002949000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000000.00000000.368576082.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_XtremeRat, Description: Yara detected Xtreme RAT, Source: 00000000.00000000.368576082.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000000.00000000.368576082.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Author: Jean-Philippe Teissier / @Jipe_
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	17:56:45
Start date:	24/06/2022
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	svchost.exe
Imagebase:	0x80000
File size:	44520 bytes
MD5 hash:	FA6C268A5B5BDA067A901764D203D433
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000001.00000002.385106851.0000000010047000.00000040.00000400.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000001.00000000.375422528.0000000010047000.00000040.00000400.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Xtreme_Sep17_1, Description: Detects XTREME sample analyzed in September 2017, Source: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_XtremeRat, Description: Yara detected Xtreme RAT, Source: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000001.00000000.375372033.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Xtreme_Sep17_1, Description: Detects XTREME sample analyzed in September 2017, Source: 00000001.00000000.375372033.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_XtremeRat, Description: Yara detected Xtreme RAT, Source: 00000001.00000000.375372033.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000001.00000000.375372033.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	17:56:46
Start date:	24/06/2022
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe
Imagebase:
File size:	2150896 bytes
MD5 hash:	C139654B5C1438A95B321BB01AD63EF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	17:56:48
Start date:	24/06/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 568
Imagebase:	0xc20000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	17:56:49
Start date:	24/06/2022
Path:	C:\Users\user\AppData\Local\Temp\794bab1182.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\794bab1182.exe"
Imagebase:	0xcf0000
File size:	24064 bytes
MD5 hash:	1858BBF45BE50E685409DB249B798996
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000007.00000002.414543592.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000007.00000002.414543592.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000007.00000002.414543592.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000007.00000002.415926103.0000000003365000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000007.00000002.415926103.0000000003365000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000007.00000002.415926103.0000000003365000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000007.00000000.382812726.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000007.00000000.382812726.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000007.00000000.382812726.0000000000CF2000.00000002.00000001.01000000.00000006.sdmp, Author: JPCERT/CC Incident Response Group Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, Author: Joe Security Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, Author: ditekSHen Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\794bab1182.exe, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 91%, Metadefender, Browse Detection: 98%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	8
Start time:	17:56:49
Start date:	24/06/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 576
Imagebase:	0xc20000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	17:56:51
Start date:	24/06/2022
Path:	C:\Windows\747MBR Regenerator v4.5.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\747MBR Regenerator v4.5.exe"
Imagebase:	0x7b0000
File size:	1189376 bytes
MD5 hash:	FCA2AA6D8039DD107AFF1A3CFBE97F7B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 9%, Metadefender, Browse Detection: 3%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	10
Start time:	17:57:02
Start date:	24/06/2022
Path:	C:\Users\user\AppData\Local\Temp\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\adobe.exe"
Imagebase:	0x480000
File size:	24064 bytes
MD5 hash:	1858BBF45BE50E685409DB249B798996
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000A.00000002.640869740.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 0000000A.00000002.640869740.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000A.00000002.640869740.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000A.00000000.412306049.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 0000000A.00000000.412306049.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000A.00000000.412306049.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000A.00000000.412702627.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000A.00000000.413119228.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 0000000A.00000000.413119228.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000A.00000000.413119228.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, Author: JPCERT/CC Incident Response Group Rule: njrat1, Description: Identify njRat, Source: 0000000A.00000000.412702627.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000A.00000000.412702627.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000A.00000000.412039638.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 0000000A.00000000.412039638.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000A.00000000.412039638.0000000000482000.00000002.00000001.01000000.0000000A.sdmp, Author: JPCERT/CC Incident Response Group Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\adobe.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\adobe.exe, Author: Joe Security Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\adobe.exe, Author: ditekSHen Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\adobe.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\adobe.exe, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 91%, Metadefender, Browse Detection: 98%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	15
Start time:	17:57:11
Start date:	24/06/2022
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\adobe.exe" "adobe.exe" ENABLE
Imagebase:	0x12b0000
File size:	82944 bytes
MD5 hash:	A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	16
Start time:	17:57:11
Start date:	24/06/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	19
Start time:	17:57:28
Start date:	24/06/2022
Path:	C:\Users\user\AppData\Local\Temp\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\adobe.exe" ..
Imagebase:	0x8e0000
File size:	24064 bytes
MD5 hash:	1858BBF45BE50E685409DB249B798996
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000013.00000000.466457674.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000013.00000000.466457674.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000013.00000000.466457674.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000013.00000002.479265241.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000013.00000002.479265241.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000013.00000002.479265241.00000000008E2000.00000002.00000001.01000000.0000000A.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Target ID:	20
Start time:	17:57:37
Start date:	24/06/2022
Path:	C:\Users\user\AppData\Local\Temp\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\adobe.exe" ..
Imagebase:	0x70000
File size:	24064 bytes
MD5 hash:	1858BBF45BE50E685409DB249B798996
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000014.00000002.501246127.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000014.00000002.501246127.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000014.00000002.501246127.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000014.00000000.488787385.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000014.00000000.488787385.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000014.00000000.488787385.0000000000072000.00000002.00000001.01000000.0000000A.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Target ID:	23
Start time:	17:57:47
Start date:	24/06/2022
Path:	C:\Users\user\AppData\Local\Temp\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\adobe.exe" ..
Imagebase:	0x110000
File size:	24064 bytes
MD5 hash:	1858BBF45BE50E685409DB249B798996
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000017.00000000.506871291.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000017.00000000.506871291.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000017.00000000.506871291.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000017.00000002.519357389.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000017.00000002.519357389.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000017.00000002.519357389.0000000000112000.00000002.00000001.01000000.0000000A.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.8%
Total number of Nodes:	1193
Total number of Limit Nodes:	14

Executed Functions

Function 100098A8 Relevance: 10.6, APIs: 7, Instructions: 70
injectionmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 100098C0
VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,?,00000000), ref: 100098EA
VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 100098F9
GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 1000990C
WriteProcessMemory.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 10009914
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 10009935
CloseHandle.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 1000993B

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Handle$ModuleVirtual$AllocCloseCreateFreeMemoryProcessRemoteThreadWrite
String ID:
API String ID: 2398686212-0
Opcode ID: 8b33c0d4130813cb4961417709022df427b3791c4551b7101a0d9c88382725a9
Instruction ID: 56678c190a81291c74d5659315aa0a406f5499a7e455af1083e81e7bb303a9db
Opcode Fuzzy Hash: 8b33c0d4130813cb4961417709022df427b3791c4551b7101a0d9c88382725a9
Instruction Fuzzy Hash: 161130B52443417FE350DA69CC82F2B77ECEBC4790F01882CB648D7292DA70F814876A

Uniqueness

Uniqueness Score: -1.00%

Function 10005CA4 Relevance: 3.0, APIs: 2, Instructions: 15
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,1000D3CA,.cfg,?,?,00000002,?,80000001,00000000,00008007,00000000,1000D759), ref: 10005CAF
FindClose.KERNEL32(00000000,00000000,?,00000000,1000D3CA,.cfg,?,?,00000002,?,80000001,00000000,00008007,00000000,1000D759), ref: 10005CBC

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 330f1bf4dbc552c91da48253f5c4906a029c88ec3c8321f42aab6186b9465800
Instruction ID: 7a3a1ab874b80ece1c9db2ee4d12350f52d059cd31b038f16b98c78c9643ece9
Opcode Fuzzy Hash: 330f1bf4dbc552c91da48253f5c4906a029c88ec3c8321f42aab6186b9465800
Instruction Fuzzy Hash: CBC01295941A0016B90055B45CCB897210DD7411B5F150731BA25863D4DB1E581A10A9

Uniqueness

Uniqueness Score: -1.00%

Function 1000D0F4 Relevance: 56.4, APIs: 18, Strings: 14, Instructions: 400
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008007,00000000,1000D759,?,?,?,?,00000000,00000000), ref: 1000D13A
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 1000D18A
ExitProcess.KERNEL32(00000000,00000000,open,00000000,00000000,00000000,00000000,00008007,00000000,1000D759,?,?,?,?,00000000,00000000), ref: 1000D191
Sleep.KERNEL32(00001770,00008007,00000000,1000D759,?,?,?,?,00000000,00000000), ref: 1000D1B7
SHDeleteKeyW.SHLWAPI(80000001,00000000,00008007,00000000,1000D759,?,?,?,?,00000000,00000000), ref: 1000D281

Part of subcall function 1000577C: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 100057C2
Part of subcall function 1000577C: RegSetValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057EE
Part of subcall function 1000577C: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057FD

Part of subcall function 10005690: lstrlenW.KERNEL32(00000000,1000F834,1000F834,?,1000D2F8,00000002,?,80000001,00000000,00008007,00000000,1000D759), ref: 100056B7

SetFileAttributesW.KERNEL32(00000000,00000080,.cfg,?,?,00000002,?,80000001,00000000,00008007,00000000,1000D759), ref: 1000D3D8
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 1000D499
DeleteFileW.KERNEL32(00000000,00000000,00000080), ref: 1000D49F

Part of subcall function 10004DF0: CreateMutexW.KERNEL32(?,?,?,?,1000D54A,00000000,00000000,wzk5VL6RM0QU9blk), ref: 10004E06

GetLastError.KERNEL32(00000000,00000000,wzk5VL6RM0QU9blk), ref: 1000D54C
ExitProcess.KERNEL32(00000000,00000000,00000000,wzk5VL6RM0QU9blk), ref: 1000D55A
CloseHandle.KERNEL32(00000000,00000000,00000000,wzk5VL6RM0QU9blk), ref: 1000D560
GetLastError.KERNEL32(00000000,00000000,wzk5VL6RM0QU9blkPERSIST,00000000,00000000,00000000,wzk5VL6RM0QU9blk), ref: 1000D580
CloseHandle.KERNEL32(00000000,00000000,00000000,wzk5VL6RM0QU9blkPERSIST,00000000,00000000,00000000,wzk5VL6RM0QU9blk), ref: 1000D58D
CloseHandle.KERNEL32(00000000,00000000,00000000,wzk5VL6RM0QU9blkPERSIST,00000000,00000000,00000000,wzk5VL6RM0QU9blk), ref: 1000D5D3
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A,00000000,00000000,00000000,wzk5VL6RM0QU9blk), ref: 1000D5E4
TerminateProcess.KERNEL32(00000000,00000000,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A,00000000,00000000,00000000,wzk5VL6RM0QU9blk), ref: 1000D6CD
Sleep.KERNEL32(000001F4,00000000,00000000,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A,00000000,00000000,00000000,wzk5VL6RM0QU9blk), ref: 1000D6E3
TerminateProcess.KERNEL32(00000000,00000000,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A,00000000,00000000,00000000,wzk5VL6RM0QU9blk), ref: 1000D70F

Part of subcall function 100054C4: GetTempPathW.KERNEL32(00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A,00000000,00000000,00000000,wzk5VL6RM0QU9blk), ref: 100054D4
Part of subcall function 100054C4: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A,00000000), ref: 10005515
Part of subcall function 100054C4: CloseHandle.KERNEL32(00000000,?,40000000,00000002,00000000,00000002,00000080,00000000,00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A), ref: 1000551B
Part of subcall function 100054C4: FindExecutableW.SHELL32(?,00000000,?), ref: 10005528
Part of subcall function 100054C4: DeleteFileW.KERNEL32(?,00000000,?,40000000,00000002,00000000,00000002,00000080,00000000,00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe), ref: 1000552E

Part of subcall function 10009950: CreateProcessW.KERNEL32 ref: 1000999D
Part of subcall function 10009950: Sleep.KERNEL32(00000064,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,1000F834,1000F834,00000000,1000D68D,00000000), ref: 100099AF

Strings

open, xrefs: 1000D183
Mutex, xrefs: 1000D2A3
C:\Program Files\Google\Chrome\Application\chrome.exe, xrefs: 1000D651, 1000D660, 1000D674, 1000D683, 1000D6D2
O, xrefs: 1000D349, 1000D3A8, 1000D3B7, 1000D3F5
.cfg, xrefs: 1000D344, 1000D3A3
update, xrefs: 1000D1A6
svchost.exe, xrefs: 1000D5AB, 1000D5B6
CONFIG, xrefs: 1000D20F, 1000D440, 1000D4F7
\Microsoft\Windows\, xrefs: 1000D2DE, 1000D323
wzk5VL6RM0QU9blkPERSIST, xrefs: 1000D574
SOFTWARE\XtremeRAT, xrefs: 1000D267, 1000D2A8
restart, xrefs: 1000D14F
C:\Users\user\Desktop\gKi3fKq4Kh.exe, xrefs: 1000D5DD, 1000D6A1, 1000D6AD, 1000D714
wzk5VL6RM0QU9blk, xrefs: 1000D540

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: File$CloseProcess$CreateHandle$DeleteErrorSleep$AttributesExitLastTerminate$ExecutableExecuteFindModeModuleMutexNamePathShellTempValuelstrlen
String ID: .cfg$C:\Program Files\Google\Chrome\Application\chrome.exe$C:\Users\user\Desktop\gKi3fKq4Kh.exe$CONFIG$Mutex$SOFTWARE\XtremeRAT$\Microsoft\Windows\$open$restart$svchost.exe$update$wzk5VL6RM0QU9blk$wzk5VL6RM0QU9blkPERSIST$O
API String ID: 17641713-2566548298
Opcode ID: 505c14424dfcb23af79bd2a44f64f6aa8ae68e70c4de436f47dbc495ab51ce5a
Instruction ID: 7babdffad351a71ae314de662e95e98ead1dbb94228c143735747afee298a140
Opcode Fuzzy Hash: 505c14424dfcb23af79bd2a44f64f6aa8ae68e70c4de436f47dbc495ab51ce5a
Instruction Fuzzy Hash: E2E1B5787005559BF715E764CC82B9FB3AAEB803C0F508061F5489B29EEEB5FE418B61

Uniqueness

Uniqueness Score: -1.00%

Function 1000B78C Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 309
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10003770: SysFreeString.OLEAUT32(1000CFDC), ref: 1000377E

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 1000BBC4

Part of subcall function 1000553C: RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,10005628,?,1000F834,?), ref: 10005591
Part of subcall function 1000553C: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,10005628,?,1000F834,?), ref: 100055B5
Part of subcall function 1000553C: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 100055E6
Part of subcall function 1000553C: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,10005628,?,1000F834), ref: 10005600

Part of subcall function 1000577C: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 100057C2
Part of subcall function 1000577C: RegSetValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057EE
Part of subcall function 1000577C: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057FD

DeleteFileW.KERNEL32(00000000,00000004,00000000,00000002,00000000,00000002,00000000,?,00000000,1000BC5D,?,1000F834,00000000,00000000,000002C4,00000000), ref: 1000BB79
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 1000BBDD

Part of subcall function 100053D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 10005406

Strings

.exe, xrefs: 1000BAF7
SOFTWARE\, xrefs: 1000B8ED, 1000B971
open, xrefs: 1000BBBD, 1000BBD6
.xtr, xrefs: 1000BB60
BINDER, xrefs: 1000B7DC

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Value$CloseExecuteQueryShell$CreateDeleteDirectoryFileFreeOpenStringSystem
String ID: .exe$.xtr$BINDER$SOFTWARE\$open
API String ID: 3529233218-3085899294
Opcode ID: 0a22a47b740f272aa9815302f1ca917ca28341e751ca6317fe122055c7ff1c0c
Instruction ID: e2e431fa4438d6138b358157023902ea7bce804184865157e4dc89de6df5abab
Opcode Fuzzy Hash: 0a22a47b740f272aa9815302f1ca917ca28341e751ca6317fe122055c7ff1c0c
Instruction Fuzzy Hash: 33C11C38A005199BFB25DB54CC82BCFB3B9EB84381F5080B5B509AB249DE75FE858F51

Uniqueness

Uniqueness Score: -1.00%

Function 100054BC Relevance: 7.5, APIs: 5, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A,00000000,00000000,00000000,wzk5VL6RM0QU9blk), ref: 100054D4
CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A,00000000), ref: 10005515
CloseHandle.KERNEL32(00000000,?,40000000,00000002,00000000,00000002,00000080,00000000,00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A), ref: 1000551B
FindExecutableW.SHELL32(?,00000000,?), ref: 10005528
DeleteFileW.KERNEL32(?,00000000,?,40000000,00000002,00000000,00000002,00000080,00000000,00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe), ref: 1000552E

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: File$CloseCreateDeleteExecutableFindHandlePathTemp
String ID:
API String ID: 3048815070-0
Opcode ID: 957bafadc8339fc7e9c53daa970423df76f48532bb4bd51b0a326c54caf883da
Instruction ID: 3ea9f2177f4edda36d5c03afde6c78b2b523ab1dccb69f8e5379325d0c4c700b
Opcode Fuzzy Hash: 957bafadc8339fc7e9c53daa970423df76f48532bb4bd51b0a326c54caf883da
Instruction Fuzzy Hash: B9F0A4B56453806FF311D7B4EC87FCB3B98CB01390F154462B240EA1EBEDA0B80483AA

Uniqueness

Uniqueness Score: -1.00%

Function 100054C4 Relevance: 7.5, APIs: 5, Instructions: 40
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A,00000000,00000000,00000000,wzk5VL6RM0QU9blk), ref: 100054D4
CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A,00000000), ref: 10005515
CloseHandle.KERNEL32(00000000,?,40000000,00000002,00000000,00000002,00000080,00000000,00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A), ref: 1000551B
FindExecutableW.SHELL32(?,00000000,?), ref: 10005528
DeleteFileW.KERNEL32(?,00000000,?,40000000,00000002,00000000,00000002,00000080,00000000,00000104,?,1000F834,00000000,1000D64A,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe), ref: 1000552E

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: File$CloseCreateDeleteExecutableFindHandlePathTemp
String ID:
API String ID: 3048815070-0
Opcode ID: d6f59c1516086c58ca134ac9e9af6d26f027bd27afbd4c33f68de5c84c349836
Instruction ID: b8191a8fbfdb6de079f1d7f918beb96f752e281eea5dde0cd3b62906432631ca
Opcode Fuzzy Hash: d6f59c1516086c58ca134ac9e9af6d26f027bd27afbd4c33f68de5c84c349836
Instruction Fuzzy Hash: 3BF030B96413147BF210E7B4EC87FDB369CDB407D0F214521B244EA1DAEEA1BD4486EA

Uniqueness

Uniqueness Score: -1.00%

Function 1000553C Relevance: 6.1, APIs: 4, Instructions: 88
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10003C28: SysAllocStringLen.OLEAUT32(CONFIG,?), ref: 10003C36

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,10005628,?,1000F834,?), ref: 10005591
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,10005628,?,1000F834,?), ref: 100055B5
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 100055E6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,10005628,?,1000F834), ref: 10005600

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: AllocQueryStringValue$CloseOpen
String ID:
API String ID: 1380265509-0
Opcode ID: 44f5328e4876b6f52479c3c45a49cad434a2d2e4ded6db1d1893a13467945e67
Instruction ID: 9e8535e9bd190b0497b11441725f9f23fe9a8eb8553ebcc7748c6e293a187153
Opcode Fuzzy Hash: 44f5328e4876b6f52479c3c45a49cad434a2d2e4ded6db1d1893a13467945e67
Instruction Fuzzy Hash: 3621FC75A04618ABFB01DBA8CC82EAF77ECEF44280F518561B504E7259EB71EE048B55

Uniqueness

Uniqueness Score: -1.00%

Function 10005EB4 Relevance: 6.0, APIs: 4, Instructions: 48
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,?,1000F834,?,?,?,1000BB19,00000004,00000000,00000002), ref: 10005ECF
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,?,1000F834,?), ref: 10005EEE
WriteFile.KERNEL32(00000000,1000BCB8,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,?,1000F834,?), ref: 10005EFF
CloseHandle.KERNEL32(00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,?,1000F834,?,?,?,1000BB19,00000004,00000000), ref: 10005F0B

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: 15ac5577d5dae7d4aec97f1a3cb8dd2b14689dc654f3c78174f220ac4ac4aebd
Instruction ID: e4f3c4844a55c36be20b49d11d00148b33621b8e0b4bed1061d4f26ea208953b
Opcode Fuzzy Hash: 15ac5577d5dae7d4aec97f1a3cb8dd2b14689dc654f3c78174f220ac4ac4aebd
Instruction Fuzzy Hash: 2CF0F6762413157DF620D965AC87F9B624CDB41BF5F214236F614A90C0CAA16E0582A9

Uniqueness

Uniqueness Score: -1.00%

Function 10006090 Relevance: 4.6, APIs: 3, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetMalloc.SHELL32(00000000), ref: 100060D4
SHGetSpecialFolderLocation.SHELL32(00000000,0000001A,?,00000000,1000616E,?,00000000,1000618B,?,1000F834,1000F834,?,?,10005673,?,1000D2C2), ref: 1000610A
SHGetPathFromIDListW.SHELL32(?,?), ref: 10006123

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: FolderFromListLocationMallocPathSpecial
String ID:
API String ID: 628029987-0
Opcode ID: f6cc65bf62ea17e1061210d62eb0f9c292ca39f545557847811f4f652a5415d6
Instruction ID: f5f1894c3c3aa185a840a3eadd195327b621776b8329dab3f1fb33b6c646e1e3
Opcode Fuzzy Hash: f6cc65bf62ea17e1061210d62eb0f9c292ca39f545557847811f4f652a5415d6
Instruction Fuzzy Hash: C021AEB5904108AFEB11DAA4CC54ADF77BEEB4D380F6144B0B905E360ADA35AF19CA21

Uniqueness

Uniqueness Score: -1.00%

Function 1000577C Relevance: 4.6, APIs: 3, Instructions: 61
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10003C28: SysAllocStringLen.OLEAUT32(CONFIG,?), ref: 10003C36

RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 100057C2
RegSetValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057EE
RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057FD

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: AllocCloseCreateStringValue
String ID:
API String ID: 2140091102-0
Opcode ID: 8386abb8985e96b7e742ca73356f96697864f8e82dd8d2b35a464892efa59d00
Instruction ID: 0dd5ed0a943e6cb984665ac1d2623c356232ef0b36590c9567a6f14ca7775770
Opcode Fuzzy Hash: 8386abb8985e96b7e742ca73356f96697864f8e82dd8d2b35a464892efa59d00
Instruction Fuzzy Hash: 3511DDB9904108BFE741DBA4DC42D9F77ECDF04290F518575B914E7215EB70AE109B50

Uniqueness

Uniqueness Score: -1.00%

Function 10003C28 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocStringLen.OLEAUT32(CONFIG,?), ref: 10003C36

Strings

CONFIG, xrefs: 10003C35

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: CONFIG
API String ID: 2525500382-611510522
Opcode ID: 734bba22bcabf0676f6a1f2d94e45a7007c05a1f4cc569600fc17bea491f4fa7
Instruction ID: 25e1bc4a7362bba16a589b72a0d6fee5176ce5d44e135c61f892b3ac78b80433
Opcode Fuzzy Hash: 734bba22bcabf0676f6a1f2d94e45a7007c05a1f4cc569600fc17bea491f4fa7
Instruction Fuzzy Hash: B0D012F82045025A779DCE18896596BB3EFDBC25C1361C258A501DE14CDB31E841DB20

Uniqueness

Uniqueness Score: -1.00%

Function 10003158 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(10000000,?,?,?,00000002,1000323A,1000259B,100025E3,00000002,00000000,10002538,?,1000D702,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A), ref: 100031DD
ExitProcess.KERNEL32(00000000,?,?,?,00000002,1000323A,1000259B,100025E3,00000002,00000000,10002538,?,1000D702,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A), ref: 10003212

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: a7d26fcc6f4fce9ecc30ffe483834d278041aa4daacdb7ce10931836dbac7f8e
Instruction ID: 102873f78adbb93bbd2a11590cb18782e29a3d6c26b998e20b0a0626f3baee5f
Opcode Fuzzy Hash: a7d26fcc6f4fce9ecc30ffe483834d278041aa4daacdb7ce10931836dbac7f8e
Instruction Fuzzy Hash: 132148B49002819BFB52DB64C48879677EDEB093D0F26C569D8448B18ED775DCC4C791

Uniqueness

Uniqueness Score: -1.00%

Function 10003150 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(10000000,?,?,?,00000002,1000323A,1000259B,100025E3,00000002,00000000,10002538,?,1000D702,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A), ref: 100031DD
ExitProcess.KERNEL32(00000000,?,?,?,00000002,1000323A,1000259B,100025E3,00000002,00000000,10002538,?,1000D702,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A), ref: 10003212

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: 0eb6f4655f148300ca2f24b40a13f7269e70753ec68d107d5bfe6d84152a04b1
Instruction ID: fe416cb812802e2425b92288dcf65fb30cec29a5b1ace6356a2caf233bfd9b77
Opcode Fuzzy Hash: 0eb6f4655f148300ca2f24b40a13f7269e70753ec68d107d5bfe6d84152a04b1
Instruction Fuzzy Hash: CA2157B49002819AFB52DB60C4887927BE9EF093D0F26C9A9D8448A18ED774DCC4CB52

Uniqueness

Uniqueness Score: -1.00%

Function 10003154 Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(10000000,?,?,?,00000002,1000323A,1000259B,100025E3,00000002,00000000,10002538,?,1000D702,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A), ref: 100031DD
ExitProcess.KERNEL32(00000000,?,?,?,00000002,1000323A,1000259B,100025E3,00000002,00000000,10002538,?,1000D702,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe,0000020A), ref: 10003212

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: f029aa4d048ab71b3d48e2163f45d484fdec98b6e81d7e04a45f41dc6beeb9e9
Instruction ID: 0923f5ad4ec0768f18e91c29f3e5e862ef011e1a732e010652329f9221a0f365
Opcode Fuzzy Hash: f029aa4d048ab71b3d48e2163f45d484fdec98b6e81d7e04a45f41dc6beeb9e9
Instruction Fuzzy Hash: D7215BB49002819BFB52DF60C4887967BEDEF093D0F22C569D8448618ED775DCC4CB52

Uniqueness

Uniqueness Score: -1.00%

Function 10009950 Relevance: 3.0, APIs: 2, Instructions: 38
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 1000999D
Sleep.KERNEL32(00000064,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,1000F834,1000F834,00000000,1000D68D,00000000), ref: 100099AF

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: CreateProcessSleep
String ID:
API String ID: 3229676899-0
Opcode ID: bca0b144e135752a1d5e6e13312447c91aa1364c1872f8c890ab86c12d918bbf
Instruction ID: 37df1048d1a9e356d2120e553cad0eb1a5fc8c22ebf76e4491bd2cded27ec310
Opcode Fuzzy Hash: bca0b144e135752a1d5e6e13312447c91aa1364c1872f8c890ab86c12d918bbf
Instruction Fuzzy Hash: 05F089B63843442BF330D694DC86FEB739CEB84790F110539BB88DA1C1DAB5A91583B6

Uniqueness

Uniqueness Score: -1.00%

Function 10003864 Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(1000CFDC), ref: 1000377E
SysAllocStringLen.OLEAUT32(?,00000105), ref: 1000386F
SysFreeString.OLEAUT32 ref: 10003881

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 21118d2c77f2e3f9fe37a42b328e85e62b155979c5758a64c4b92a8b62830715
Instruction ID: ca28794199431f72530e799d36250414a245c489da467331e40bdcc928d85e60
Opcode Fuzzy Hash: 21118d2c77f2e3f9fe37a42b328e85e62b155979c5758a64c4b92a8b62830715
Instruction Fuzzy Hash: 6BC08CFC1052022CBF0AAB3148859BB639CEF801C13408068BA04C4008D634E8814020

Uniqueness

Uniqueness Score: -1.00%

Function 10001358 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,10001661), ref: 10001387
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,10001661), ref: 100013AE

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: f06ee548b5ebffe1745c786babf5b5d23a6d64f926da9f609fe49afe4c263715
Instruction ID: a9c88282e432f8f48e60550f2442f7a71b9eebfe68f090cfd9eaf30bd27f6b92
Opcode Fuzzy Hash: f06ee548b5ebffe1745c786babf5b5d23a6d64f926da9f609fe49afe4c263715
Instruction Fuzzy Hash: 82F0A7B6B0062027F730C9694C81BCA66C5DF86BE1F154270FF48EF7CEDA619C0082A0

Uniqueness

Uniqueness Score: -1.00%

Function 10003788 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 1000379B

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: a97da6d1a166e53047aad3afbfbd3a8eda8bad4dfe458de0bb8b2fbaa1060f86
Instruction ID: c2b807945fbd858067c7052735d838f70a134ef64bf736acf42af14dc62dc520
Opcode Fuzzy Hash: a97da6d1a166e53047aad3afbfbd3a8eda8bad4dfe458de0bb8b2fbaa1060f86
Instruction Fuzzy Hash: 64C012F66506200BFB62CBA99CC0B8763CCDB892E5F1541A1A518DB208E660AC0086A2

Uniqueness

Uniqueness Score: -1.00%

Function 10004DF0 Relevance: 1.5, APIs: 1, Instructions: 14synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?,?,?,1000D54A,00000000,00000000,wzk5VL6RM0QU9blk), ref: 10004E06

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
Instruction ID: 5a3873c4f99191ebd0c5874248a48e85116967648e1c4cce01420d804b7247f1
Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
Instruction Fuzzy Hash: 20C012B71A024CAB8B00EEA9CC06D9B33DCAB28609B008825B928CB100C539E5909B60

Uniqueness

Uniqueness Score: -1.00%

Function 10005678 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,100056A6,1000F834,1000F834,?,1000D2F8,00000002,?,80000001,00000000,00008007,00000000,1000D759), ref: 10005679

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fe0dc61edb0e7cc40dd00668538b564961092fac01b342148f47dbe8c26fd250
Instruction ID: ea5e7307e224a2362f62b937032a713fdd445899dab5aa11519bd1f809b1bc4b
Opcode Fuzzy Hash: fe0dc61edb0e7cc40dd00668538b564961092fac01b342148f47dbe8c26fd250
Instruction Fuzzy Hash: 7AB012A88012410C7D40D175080506B31C4EB911F7BE71F81E874C34DDDF17940B2820

Uniqueness

Uniqueness Score: -1.00%

Function 10003748 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 1000374F

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: c3d9d0a666eff376f821b6af0d3cd74f414e7a9998069cdbae396ed4eef14e50
Instruction ID: 594f7db3346f59ee2b746a14ae0536c80aa61ded5ebc518595aa97b66a28efc9
Opcode Fuzzy Hash: c3d9d0a666eff376f821b6af0d3cd74f414e7a9998069cdbae396ed4eef14e50
Instruction Fuzzy Hash: A9B012F820C70310FEAAD1210D517B703CCCB004C3F825014EF08C40CDDA50D8025031

Uniqueness

Uniqueness Score: -1.00%

Function 10003760 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 10003767

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: c84231d939c3f1dede93ead9e794aca24fb850687463f20dd1216931c1658ed6
Instruction ID: 74cff04a054d399575dcd112ce88993749322833dca3bd7758bf9d1364754a37
Opcode Fuzzy Hash: c84231d939c3f1dede93ead9e794aca24fb850687463f20dd1216931c1658ed6
Instruction Fuzzy Hash: C6A022FC000B0308BF0FB32C00A20A333BAFFC00C03C2C0A832080A00E8E3BC8008020

Uniqueness

Uniqueness Score: -1.00%

Function 10001434 Relevance: 1.3, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 10001498

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 10fe2dbb55c9af0552f02238f08e03cb0f8d1b4e9af3fd0ffb6fb2eede832607
Instruction ID: 3fa41a510b944b51636159baf3a22d7c595f027a87933030a07595b3af302d5b
Opcode Fuzzy Hash: 10fe2dbb55c9af0552f02238f08e03cb0f8d1b4e9af3fd0ffb6fb2eede832607
Instruction Fuzzy Hash: FF2108706087519FE300CF19C8C0A9ABBE4EF847A0F15C929E5988B369D774EC41CB96

Uniqueness

Uniqueness Score: -1.00%

Function 100014EC Relevance: 1.3, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 10001559

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 658d5346f56e2b90820d1a4238b762dd8e40d303793816f207723b6d5c2275ec
Instruction ID: 376a20137c8c7a1c0fe805d4ca5c7b4e53bfabd2decc6611af020c1a5c038b4e
Opcode Fuzzy Hash: 658d5346f56e2b90820d1a4238b762dd8e40d303793816f207723b6d5c2275ec
Instruction Fuzzy Hash: 42117076A05B029BE310DF19CC80A9AB7E1EBC47D2F15C52CE6894B759D630EC408A81

Uniqueness

Uniqueness Score: -1.00%

Function 10001580 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(00000000,00000000,00004000,?,?,?,00000000,00004003,100017E7), ref: 100015DA

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 19ed765fabffe9195ef8269cde91d8c30df923ae3bcc911b56444050f0160e6e
Instruction ID: e66e407dd1e15fa3fc9a28e351f6f3ad1c49e8eb648c93e6ec0b59d0a763a2f7
Opcode Fuzzy Hash: 19ed765fabffe9195ef8269cde91d8c30df923ae3bcc911b56444050f0160e6e
Instruction Fuzzy Hash: 7901F276609B508FE310DF68CCC0A9A77E4DBC43E6F16053CDA859B749D732AC0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 10005664 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Malloc
String ID:
API String ID: 2696272793-0
Opcode ID: e494b0dbbd17313aec99b6fdc899f248a05a96dc61f52493615a425915e08986
Instruction ID: 2b23affcbc4175e08e38b0563d1324aa0b8922ef3a41ef4a7c7d2d78b35e8f64
Opcode Fuzzy Hash: e494b0dbbd17313aec99b6fdc899f248a05a96dc61f52493615a425915e08986
Instruction Fuzzy Hash: 06A0029574220407EB50D9FE98C174782CBA78D351FB04079710DC734BD955AC562136

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10008568 Relevance: 58.2, APIs: 22, Strings: 11, Instructions: 407fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00008000,00000000,10008BA5), ref: 10008751
VirtualFree.KERNEL32(?,00000000,00008000,00000000,10008BA5,?,?,?,0000002E,00000000,00000000), ref: 100085B7

Part of subcall function 10003770: SysFreeString.OLEAUT32(1000CFDC), ref: 1000377E

Strings

, xrefs: 1000862D, 10008650, 100089BC, 10008A46
[, xrefs: 10008660
--- , xrefs: 10008680, 100089D1
], xrefs: 100089F4
SOFTWARE\, xrefs: 10008B3A
[Clipboard End], xrefs: 10008A3B
qualquercoisarsrsr, xrefs: 10008AAD
[Clipboard, xrefs: 100089CC
, xrefs: 100086A3
temp, xrefs: 10008800, 10008827, 1000885D
LastSize, xrefs: 10008B4A

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Free$FileStringVirtualWrite
String ID: $ --- $$[$[Clipboard$[Clipboard End]$LastSize$SOFTWARE\$]$qualquercoisarsrsr$temp
API String ID: 84115566-3009520543
Opcode ID: e238ab7fd7b67536d2de49d1c07564a4c6aee27f7ac160145bbdbd2866874383
Instruction ID: 057d20e264fa80afaee32c8a6c883f4daf1d9cc34b90863f49a2566050bc1c08
Opcode Fuzzy Hash: e238ab7fd7b67536d2de49d1c07564a4c6aee27f7ac160145bbdbd2866874383
Instruction Fuzzy Hash: 6DF16F74A00219ABFB51DB64CC81FDE73B9FB083C0F508065F148A72ADDB75AE858B65

Uniqueness

Uniqueness Score: -1.00%

Function 1000BD14 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 244injectionthreadsleepCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 1000BE3A
Sleep.KERNEL32(000000C8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 1000BE4C
GetThreadContext.KERNEL32(?,00010007,000000C8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 1000BE5F
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,00010007,000000C8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 1000BE7F
NtUnmapViewOfSection.NTDLL(?,?), ref: 1000BE8F
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,00000000,?,00010007,000000C8,00000000,00000000,00000000), ref: 1000BEB0
WriteProcessMemory.KERNEL32(?,00000000,1000C797,?,00000000,?,?,?,00003000,00000004,?,?,?,00000004,00000000,?), ref: 1000BECF
WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 1000BF46
VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?,?,?), ref: 1000BF69
WriteProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,00000000,1000C797,?,00000000,?,?,?,00003000,00000004,?), ref: 1000BF91
SetThreadContext.KERNEL32(?,00010007,?,?,00000000,00000004,00000000,?,00000000,1000C797,?,00000000,?,?,?,00003000), ref: 1000BFBE
ResumeThread.KERNEL32(?,?,00010007,?,?,00000000,00000004,00000000,?,00000000,1000C797,?,00000000,?,?,?), ref: 1000BFD0

Strings

D, xrefs: 1000BDD6

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Process$Memory$ThreadWrite$ContextVirtual$AllocCreateProtectReadResumeSectionSleepUnmapView
String ID: D
API String ID: 251557703-2746444292
Opcode ID: ddef249305afe7fb47cb9d0f556ca1214483f34f73db6a87cab3b00bcfcfae37
Instruction ID: 51d3043d039fb927f3967ecafbc59ab6c1ff4cf1235e2731e9b23ce8e7e6b630
Opcode Fuzzy Hash: ddef249305afe7fb47cb9d0f556ca1214483f34f73db6a87cab3b00bcfcfae37
Instruction Fuzzy Hash: A8916FB5904259AFEB51DBA4CC81FEEB7BCEB49340F1140E6F208E7156DA34AE458B20

Uniqueness

Uniqueness Score: -1.00%

Function 1000BD60 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 208injectionthreadsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 10003C28: SysAllocStringLen.OLEAUT32(CONFIG,?), ref: 10003C36

CreateProcessW.KERNEL32 ref: 1000BE3A
Sleep.KERNEL32(000000C8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 1000BE4C
GetThreadContext.KERNEL32(?,00010007,000000C8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 1000BE5F
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,00010007,000000C8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 1000BE7F
NtUnmapViewOfSection.NTDLL(?,?), ref: 1000BE8F
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,00000000,?,00010007,000000C8,00000000,00000000,00000000), ref: 1000BEB0
WriteProcessMemory.KERNEL32(?,00000000,1000C797,?,00000000,?,?,?,00003000,00000004,?,?,?,00000004,00000000,?), ref: 1000BECF
WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 1000BF46
VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?,?,?), ref: 1000BF69
WriteProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,00000000,1000C797,?,00000000,?,?,?,00003000,00000004,?), ref: 1000BF91
SetThreadContext.KERNEL32(?,00010007,?,?,00000000,00000004,00000000,?,00000000,1000C797,?,00000000,?,?,?,00003000), ref: 1000BFBE
ResumeThread.KERNEL32(?,?,00010007,?,?,00000000,00000004,00000000,?,00000000,1000C797,?,00000000,?,?,?), ref: 1000BFD0

Strings

D, xrefs: 1000BDD6

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtual$CreateProtectReadResumeSectionSleepStringUnmapView
String ID: D
API String ID: 3069046386-2746444292
Opcode ID: 5631d4e2f2f3d5cc413d0a5eaa7ab72704478a6d10640b3fbfc5c98150998316
Instruction ID: 773f2633af5c966dbae7503bb26a44348cd9fcb95ad73bfc51fdb85d8e92df93
Opcode Fuzzy Hash: 5631d4e2f2f3d5cc413d0a5eaa7ab72704478a6d10640b3fbfc5c98150998316
Instruction Fuzzy Hash: A971DAB5A00119AFEB60DB98CD81FEEB3FCEB48340F5144A5F608E7245DA74AE458F64

Uniqueness

Uniqueness Score: -1.00%

Function 10006D04 Relevance: 12.0, APIs: 8, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000014), ref: 10006D09
GetKeyState.USER32(00000010), ref: 10006D16
GetKeyState.USER32(00000014), ref: 10006D26
GetKeyState.USER32(00000010), ref: 10006D33
GetKeyState.USER32(00000014), ref: 10006D43
GetKeyState.USER32(00000010), ref: 10006D50

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 6918d53d3d07aab4c0cd6e783a8e12689080c07576cae801b53ea161e8d972bc
Instruction ID: d6486f2fec8aba8f3b5500d340924e9af812674e08ffb561a2d1824f8f856f0b
Opcode Fuzzy Hash: 6918d53d3d07aab4c0cd6e783a8e12689080c07576cae801b53ea161e8d972bc
Instruction Fuzzy Hash: 6EF01D2CF95A4728FD90E2A04D527DD1152CF187C6FA0802AEA802D09E98825AC630FB

Uniqueness

Uniqueness Score: -1.00%

Function 10008040 Relevance: 10.6, APIs: 7, Instructions: 71memorythreadwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,10008123), ref: 1000808A
GetForegroundWindow.USER32(?,00000000,10008123), ref: 1000808F
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 10008097
GetKeyboardLayout.USER32(00000000), ref: 1000809F
VirtualAlloc.KERNEL32(00000000,0000010C,00001000,00000040,?,00000000,10008123), ref: 100080C7
SendMessageA.USER32 ref: 100080F7
CallNextHookEx.USER32 ref: 1000811D

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: KeyboardWindow$AllocCallForegroundHookLayoutMessageNextProcessSendStateThreadVirtual
String ID:
API String ID: 2475829859-0
Opcode ID: cfb8c2f6c07dd6c8c12c5b73d6607ef2dbe25eb77fb659a241c05aedeeedaf23
Instruction ID: 27a6fad57be863aabbe855ec58336ce39a4f816ab1f20d22dae40b31cdfd5c32
Opcode Fuzzy Hash: cfb8c2f6c07dd6c8c12c5b73d6607ef2dbe25eb77fb659a241c05aedeeedaf23
Instruction Fuzzy Hash: 412151B4600208AFFB51DF64CC82FDB37A8EB4C781F004524FA44A7255DA75AE858FA4

Uniqueness

Uniqueness Score: -1.00%

Function 100068EC Relevance: 10.6, APIs: 7, Instructions: 62networkfilesynchronizationCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 10006907
InternetConnectW.WININET(00000000,?,00000015,?,?,00000001,08000000,00000000), ref: 10006923
FtpSetCurrentDirectoryW.WININET(00000000,?), ref: 1000692F
WaitForSingleObject.KERNEL32(00000001,000000FF), ref: 10006940
FtpPutFileW.WININET(00000000,?,?,00000002,00000000), ref: 10006952
InternetCloseHandle.WININET(00000000), ref: 1000695E
InternetCloseHandle.WININET(00000000), ref: 10006964

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$ConnectCurrentDirectoryFileObjectOpenSingleWait
String ID:
API String ID: 140008950-0
Opcode ID: 986aac2d3270ff8f09d33a4b0a939757c489752215f58343083dd92cbf4cca8d
Instruction ID: cbc3213e50a342726adeb0dcb95658ed0f55962254ebdcc4bae47dda2437ff56
Opcode Fuzzy Hash: 986aac2d3270ff8f09d33a4b0a939757c489752215f58343083dd92cbf4cca8d
Instruction Fuzzy Hash: D80175767853047EF710DAA84C83FBE629CDB49BA5F300629F614EB1C1D5B27D004665

Uniqueness

Uniqueness Score: -1.00%

Function 100069DC Relevance: 9.1, APIs: 6, Instructions: 98clipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 10003770: SysFreeString.OLEAUT32(1000CFDC), ref: 1000377E

OpenClipboard.USER32(00000000), ref: 10006A07
GetClipboardData.USER32 ref: 10006A24
GlobalFix.KERNEL32 ref: 10006A48
GlobalSize.KERNEL32(00000000), ref: 10006A53

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

GlobalUnWire.KERNEL32(00000000), ref: 10006AB9
CloseClipboard.USER32(10006AE8,?,00000000,10006B04,?,?,?), ref: 10006AD7

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$String$AllocCloseDataFreeOpenSizeWire
String ID:
API String ID: 1300121464-0
Opcode ID: 064efa2ddcbdc333166debe158bc30ea9b511c389f605a726f971f8daa8baf48
Instruction ID: 6c9ee2d81449cc0851c779360ccc62e81b10a1ab3d70038b93f0ad500b4e2f45
Opcode Fuzzy Hash: 064efa2ddcbdc333166debe158bc30ea9b511c389f605a726f971f8daa8baf48
Instruction Fuzzy Hash: D3310774A04644AFFB01DBA4CC52AAFB7E9EB4D380F6284B5F900E3749DB35AD00CA55

Uniqueness

Uniqueness Score: -1.00%

Function 10004B4D Relevance: 9.0, APIs: 6, Instructions: 41threadCOMMON

Download Yara Rule

APIs

Part of subcall function 100027DC: GetKeyboardType.USER32(00000000), ref: 100027E1
Part of subcall function 100027DC: GetKeyboardType.USER32(00000001), ref: 100027ED

GetCommandLineA.KERNEL32 ref: 10004BB3
GetVersion.KERNEL32 ref: 10004BC7
GetVersion.KERNEL32 ref: 10004BD8
GetCurrentThreadId.KERNEL32 ref: 10004C14

Part of subcall function 1000280C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 1000282E
Part of subcall function 1000280C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,1000287D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 10002861
Part of subcall function 1000280C: RegCloseKey.ADVAPI32(?,10002884,00000000,?,00000004,00000000,1000287D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 10002877

GetThreadLocale.KERNEL32 ref: 10004BF4

Part of subcall function 10004A84: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,10004AEA), ref: 10004AAA

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
String ID:
API String ID: 3734044017-0
Opcode ID: 4a55a734a805fa50f35cfdecb007be50b81c5b88d7ec8d0924afd786aa6d3e41
Instruction ID: b691414424a171523e6ed701ccaa2f926f8cba09af9fdddc6886d40973360df8
Opcode Fuzzy Hash: 4a55a734a805fa50f35cfdecb007be50b81c5b88d7ec8d0924afd786aa6d3e41
Instruction Fuzzy Hash: 600156F88013918AF750EFB08C863A93B60EB113C0F01852DD2404AA6FDFB95184EB6B

Uniqueness

Uniqueness Score: -1.00%

Function 100051E8 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(10000000,00000000,0000000A,1000F834,?,?,1000D1D5,00008007,00000000,1000D759,?,?,?,?,00000000,00000000), ref: 100051FF
SizeofResource.KERNEL32(10000000,00000000,10000000,00000000,0000000A,1000F834,?,?,1000D1D5,00008007,00000000,1000D759), ref: 1000520D
LoadResource.KERNEL32(10000000,00000000,10000000,00000000,10000000,00000000,0000000A,1000F834,?,?,1000D1D5,00008007,00000000,1000D759), ref: 1000521B
LockResource.KERNEL32(00000000,10000000,00000000,10000000,00000000,10000000,00000000,0000000A,1000F834,?,?,1000D1D5,00008007,00000000,1000D759), ref: 10005223
FreeResource.KERNEL32(00000000,00000000,10000000,00000000,10000000,00000000,10000000,00000000,0000000A,1000F834,?,?,1000D1D5,00008007,00000000,1000D759), ref: 10005237

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Resource$FindFreeLoadLockSizeof
String ID:
API String ID: 4159136517-0
Opcode ID: 6f9064c725ce0eda676baacf6c63ec492ac870baedeada23c600b6ea1a41f5ea
Instruction ID: 394ad428024afc6b979a81fc6034fab6802de57518f58b4d3ea2d93c6a88d4c5
Opcode Fuzzy Hash: 6f9064c725ce0eda676baacf6c63ec492ac870baedeada23c600b6ea1a41f5ea
Instruction Fuzzy Hash: 98F08CF63006512BF600D3F98CC1E3B62DDFB986C1B020024B608D721ADD29EC044364

Uniqueness

Uniqueness Score: -1.00%

Function 10005F86 Relevance: 3.0, APIs: 2, Instructions: 49filenetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 10003C28: SysAllocStringLen.OLEAUT32(CONFIG,?), ref: 10003C36

URLDownloadToCacheFileW.URLMON(00000000,00000000,?,00000104,00000010,00000000), ref: 10005FD1
CopyFileW.KERNEL32(?,00000000,00000000,00000000,10006016), ref: 10005FEC

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: File$AllocCacheCopyDownloadString
String ID:
API String ID: 2397740412-0
Opcode ID: 4a77a2e6e5b60fd12bd9e17b935437ef89a8161801deff5e08ca33a82e0ce24b
Instruction ID: 518c37ad459ba6dfeec1cc82918b9415ec9692cdfa9117b24deab1163ccdcd4a
Opcode Fuzzy Hash: 4a77a2e6e5b60fd12bd9e17b935437ef89a8161801deff5e08ca33a82e0ce24b
Instruction Fuzzy Hash: 4D018474544208BEF711DB64CC82FEFBBECDB08780F904572F504E6196EB75AA549A50

Uniqueness

Uniqueness Score: -1.00%

Function 10006B14 Relevance: 1.6, APIs: 1, Instructions: 148timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00000000,10006CD2,?,?,?,?,00000000,00000000,0000003A,?,1000C3BA,?,.dat,?,1000C958), ref: 10006B42

Part of subcall function 10003788: SysFreeString.OLEAUT32(?), ref: 1000379B

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: FreeLocalStringTime
String ID:
API String ID: 4115487899-0
Opcode ID: 080143b38f47a14bc7abd16a6aa459c922e841604fcb300ac30b8a9b522506b0
Instruction ID: 6c50818c357f400c33ad67fb0aa65d9f8c3d174c8eb37c65fd316cc4577b83bf
Opcode Fuzzy Hash: 080143b38f47a14bc7abd16a6aa459c922e841604fcb300ac30b8a9b522506b0
Instruction Fuzzy Hash: E051F17890405DABFB05DB94CC41DFFB7BBEF89380FA08066F440B6259DE35AE458A60

Uniqueness

Uniqueness Score: -1.00%

Function 1000649C Relevance: 1.6, APIs: 1, Instructions: 53nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 10006507

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: a36e2596e50cbdcff5ffa68e6a1e7b8638978eb7ec4bb7942f87b3b5f9b64d97
Instruction ID: d91e40c9a86a1603bffb38651a5b716410016987c82cb3399e660d7322f9702c
Opcode Fuzzy Hash: a36e2596e50cbdcff5ffa68e6a1e7b8638978eb7ec4bb7942f87b3b5f9b64d97
Instruction Fuzzy Hash: 23014B7A80E3C55FC703DF7898A55413FB9AE5B24070F04D7E484CF0A3E6685858CB62

Uniqueness

Uniqueness Score: -1.00%

Function 10004A84 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,10004AEA), ref: 10004AAA

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: efe5643a6653c0d33cbe588f2399e79e61fc0be940d45b1ddb6cbc9784bd52bb
Instruction ID: a6b1d0fb2cc725cd67dae8327f47cbfeb89b8e8f14ee4b1b67c3bb55e1ee9b21
Opcode Fuzzy Hash: efe5643a6653c0d33cbe588f2399e79e61fc0be940d45b1ddb6cbc9784bd52bb
Instruction Fuzzy Hash: F8F0C274A08209AFFB01DEA1CC51AEFB3BAFB85350F40C835E11066588EBB43A04C695

Uniqueness

Uniqueness Score: -1.00%

Function 1000AF50 Relevance: 1.5, APIs: 1, Instructions: 28nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 1000AF81

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: d3956dd715256d4decada7e69221bfc1ce5d5ef765fdf7dd91a78ac1ce545737
Instruction ID: 8e78343bb29869cc51209ea075ef4b030323b4b60e46301b02e33cef73b8dc7b
Opcode Fuzzy Hash: d3956dd715256d4decada7e69221bfc1ce5d5ef765fdf7dd91a78ac1ce545737
Instruction Fuzzy Hash: 0DE0EDB67051905FA711CAAE98C486ABBEDDF8A19130981A6F548CB21AC664EC418760

Uniqueness

Uniqueness Score: -1.00%

Function 100064F4 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 10006507

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 91a85faddc0a6b7c48ccd8513a21e82de454515e62290299adcaadae15e2c70d
Instruction ID: 436466b3821b95b6b86dd239864fdc8ccfeb13c66957006ad6da2fca92e58a32
Opcode Fuzzy Hash: 91a85faddc0a6b7c48ccd8513a21e82de454515e62290299adcaadae15e2c70d
Instruction Fuzzy Hash: A1D002BA20420DAF8B40DEDDEC81E9B33ECAB0C650B008411BA18C7205CA70F9609B75

Uniqueness

Uniqueness Score: -1.00%

Function 1000C9D0 Relevance: 72.0, APIs: 23, Strings: 18, Instructions: 235librarysleepCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000000,1000CD6B,?,?,?,?,00000009,00000000,00000000), ref: 1000C9F9
LoadLibraryA.KERNEL32(kernel32.dll,advapi32.dll,00000000,1000CD6B,?,?,?,?,00000009,00000000,00000000), ref: 1000CA03
LoadLibraryA.KERNEL32(shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B,?,?,?,?,00000009,00000000,00000000), ref: 1000CA0D
LoadLibraryA.KERNEL32(mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B,?,?,?,?,00000009,00000000,00000000), ref: 1000CA17
LoadLibraryA.KERNEL32(version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B,?,?,?,?,00000009,00000000,00000000), ref: 1000CA21
LoadLibraryA.KERNEL32(comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B,?,?,?,?,00000009,00000000,00000000), ref: 1000CA2B
LoadLibraryA.KERNEL32(gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B,?,?,?,?,00000009,00000000,00000000), ref: 1000CA35
LoadLibraryA.KERNEL32(opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B,?,?,?,?,00000009,00000000), ref: 1000CA3F
LoadLibraryA.KERNEL32(user32.dll,opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B,?,?,?,?,00000009), ref: 1000CA49
LoadLibraryA.KERNEL32(wintrust.dll,user32.dll,opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B), ref: 1000CA53
LoadLibraryA.KERNEL32(msimg32.dll,wintrust.dll,user32.dll,opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B), ref: 1000CA5D
LoadLibraryA.KERNEL32(shell32.dll,msimg32.dll,wintrust.dll,user32.dll,opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000CD6B), ref: 1000CA67
Sleep.KERNEL32(000003E8,?,00000000,00000000,00000000,?,shell32.dll,msimg32.dll,wintrust.dll,user32.dll,opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll), ref: 1000CAC7
SHDeleteValueW.SHLWAPI(80000001,00000000,00000000,000003E8,?,00000000,00000000,00000000,?,shell32.dll,msimg32.dll,wintrust.dll,user32.dll,opengl32.dll,gdi32.dll,comctl32.dll), ref: 1000CB2A

Part of subcall function 10005E30: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E67
Part of subcall function 10005E30: GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E71
Part of subcall function 10005E30: ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E99
Part of subcall function 10005E30: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E9F

SHDeleteKeyW.SHLWAPI(80000001,00000000,00000002,?,00000002,?,00000000,00000000,00000000,?,00001388,00000000,00000000,00000000,?), ref: 1000CC27
GetLastError.KERNEL32(00000000,00000000,?), ref: 1000CCC2
CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,?,00000002,?,80000001,00000000,00000002,?,00000002,?,00000000,00000000), ref: 1000CCCF
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 1000CCE2
CloseHandle.KERNEL32(00000000,00000000,00000000,?), ref: 1000CCEA
Sleep.KERNEL32(00001388,00000000,00000000,00000000,?), ref: 1000CCF4
GetLastError.KERNEL32(00000000,00000000,?,00001388,00000000,00000000,00000000,?), ref: 1000CD0B
ExitProcess.KERNEL32(00000000,00000000,00000000,?,00001388,00000000,open,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 1000CD19

Part of subcall function 1000577C: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 100057C2
Part of subcall function 1000577C: RegSetValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057EE
Part of subcall function 1000577C: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057FD

CloseHandle.KERNEL32(00000000,00000000,00000000,?,00001388,00000000,00000000,00000000,?), ref: 1000CD24

Strings

advapi32.dll, xrefs: 1000C9F4
user32.dll, xrefs: 1000CA44
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 1000CB32
gdi32.dll, xrefs: 1000CA30
StubPath, xrefs: 1000CC32
mpr.dll, xrefs: 1000CA12
jjj, xrefs: 1000CCD4
msimg32.dll, xrefs: 1000CA58
SOFTWARE\, xrefs: 1000CA9B, 1000CAF1
version.dll, xrefs: 1000CA1C
comctl32.dll, xrefs: 1000CA26
ServerName, xrefs: 1000CAB3, 1000CB09
wintrust.dll, xrefs: 1000CA4E
shell32.dll, xrefs: 1000CA08, 1000CA62
Software\Microsoft\Active Setup\Installed Components\, xrefs: 1000CB55
open, xrefs: 1000CCDB
kernel32.dll, xrefs: 1000C9FE
opengl32.dll, xrefs: 1000CA3A

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: LibraryLoad$Close$Handle$File$CreateDeleteErrorLastSleepValue$ExecuteExitProcessReadShellSize
String ID: SOFTWARE\$ServerName$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Run$StubPath$advapi32.dll$comctl32.dll$gdi32.dll$jjj$kernel32.dll$mpr.dll$msimg32.dll$open$opengl32.dll$shell32.dll$user32.dll$version.dll$wintrust.dll
API String ID: 570719760-3930227570
Opcode ID: e5b13b107185a785ff7609e54e9964f14f8500de5215f434d3a790ea522c5d6f
Instruction ID: 2f4b2620837c28cfdf5e49335ff29dada521f5c21c6ac21027946eb6f57ed48d
Opcode Fuzzy Hash: e5b13b107185a785ff7609e54e9964f14f8500de5215f434d3a790ea522c5d6f
Instruction Fuzzy Hash: 20911F78A4024DABFB01EBA4D882FDE7779EF442C1F118162F9046B28ECB75BD058765

Uniqueness

Uniqueness Score: -1.00%

Function 1000C080 Relevance: 66.9, APIs: 19, Strings: 19, Instructions: 445librarysleepfileCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000,00000000,00000000,?,1000D71E,C:\Users\user\Desktop\gKi3fKq4Kh.exe,00000000,00000000,00000000,C:\Users\user\Desktop\gKi3fKq4Kh.exe), ref: 1000C0A8
LoadLibraryA.KERNEL32(kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000,00000000,00000000,?,1000D71E,C:\Users\user\Desktop\gKi3fKq4Kh.exe,00000000,00000000,00000000), ref: 1000C0B2
LoadLibraryA.KERNEL32(shell32.dll,kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000,00000000,00000000,?,1000D71E,C:\Users\user\Desktop\gKi3fKq4Kh.exe,00000000,00000000), ref: 1000C0BC
LoadLibraryA.KERNEL32(mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000,00000000,00000000,?,1000D71E,C:\Users\user\Desktop\gKi3fKq4Kh.exe,00000000), ref: 1000C0C6
LoadLibraryA.KERNEL32(version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000,00000000,00000000,?,1000D71E,C:\Users\user\Desktop\gKi3fKq4Kh.exe), ref: 1000C0D0
LoadLibraryA.KERNEL32(comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000,00000000,00000000,?,1000D71E), ref: 1000C0DA
LoadLibraryA.KERNEL32(gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000,00000000,00000000), ref: 1000C0E4
LoadLibraryA.KERNEL32(opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000,00000000,00000000), ref: 1000C0EE
LoadLibraryA.KERNEL32(user32.dll,opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000,00000000), ref: 1000C0F8
LoadLibraryA.KERNEL32(wintrust.dll,user32.dll,opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000,00000000), ref: 1000C102
LoadLibraryA.KERNEL32(msimg32.dll,wintrust.dll,user32.dll,opengl32.dll,gdi32.dll,comctl32.dll,version.dll,mpr.dll,shell32.dll,kernel32.dll,advapi32.dll,00000000,1000C850,?,1000F834,00000000), ref: 1000C10C

Part of subcall function 10006B14: GetLocalTime.KERNEL32(?,00000000,10006CD2,?,?,?,?,00000000,00000000,0000003A,?,1000C3BA,?,.dat,?,1000C958), ref: 10006B42

Part of subcall function 1000577C: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 100057C2
Part of subcall function 1000577C: RegSetValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057EE
Part of subcall function 1000577C: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,00000000,00000000,10005825,?,1000F834), ref: 100057FD

Part of subcall function 10004DF0: CreateMutexW.KERNEL32(?,?,?,?,1000D54A,00000000,00000000,wzk5VL6RM0QU9blk), ref: 10004E06

GetLastError.KERNEL32(00000000,00000000,?,00000002,?,?,.dat,?,1000C958,?,.xtr,?,1000C958,?,.cfg,?), ref: 1000C428
ExitProcess.KERNEL32(00000000,00000000,00000000,?,00000002,?,?,.dat,?,1000C958,?,.xtr,?,1000C958,?,.cfg), ref: 1000C436
SetFileAttributesW.KERNEL32(?,00000080,00000000,00000000,?,00000002,?,?,.dat,?,1000C958,?,.xtr,?,1000C958,?), ref: 1000C567
DeleteFileW.KERNEL32(?,?,00000080,00000000,00000000,?,00000002,?,?,.dat,?,1000C958,?,.xtr,?,1000C958), ref: 1000C56D
Sleep.KERNEL32(000001F4,?,?,00000080,00000000,00000000,?,00000002,?,?,.dat,?,1000C958,?,.xtr,?), ref: 1000C577
SetFileAttributesW.KERNEL32(00000000,00000080,?,00000000,00000000,?,00000002,?,?,.dat,?,1000C958,?,.xtr,?,1000C958), ref: 1000C6C4
CloseHandle.KERNEL32(?), ref: 1000C7A5
ExitProcess.KERNEL32(00000000,?), ref: 1000C7AC

Part of subcall function 100093E4: ShowWindow.USER32(00000000,00000000,00000000,100095DE,?,00000000,00000000,00000000,?,1000C659,00000000,00000000,?,00000002,?,?), ref: 10009443
Part of subcall function 100093E4: SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,100095DE,?,00000000,00000000,00000000,?,1000C659,00000000,00000000,?,00000002), ref: 10009467
Part of subcall function 100093E4: CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080,00000000,00000000,00000000,100095DE,?,00000000,00000000), ref: 10009486
Part of subcall function 100093E4: GetFileSize.KERNEL32(00000000,00000000,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080,00000000,00000000,00000000,100095DE), ref: 100094C3
Part of subcall function 100093E4: SetFileAttributesW.KERNEL32(00000000,00000007,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080,00000000,00000000,00000000,100095DE), ref: 10009554

Part of subcall function 10003788: SysFreeString.OLEAUT32(?), ref: 1000379B

Part of subcall function 10003770: SysFreeString.OLEAUT32(1000CFDC), ref: 1000377E

Strings

opengl32.dll, xrefs: 1000C0E9
InstalledServer, xrefs: 1000C726
mpr.dll, xrefs: 1000C0C1
comctl32.dll, xrefs: 1000C0D5
shell32.dll, xrefs: 1000C0B7
msimg32.dll, xrefs: 1000C107
kernel32.dll, xrefs: 1000C0AD
advapi32.dll, xrefs: 1000C0A3
.xtr, xrefs: 1000C21F, 1000C334
ServerName, xrefs: 1000C4EB
gdi32.dll, xrefs: 1000C0DF
.dat, xrefs: 1000C279, 1000C38E
ServerStarted, xrefs: 1000C406
user32.dll, xrefs: 1000C0F3
wintrust.dll, xrefs: 1000C0FD
.cfg, xrefs: 1000C1C5, 1000C2DA
version.dll, xrefs: 1000C0CB
\Microsoft\Windows\, xrefs: 1000C15B, 1000C1A4, 1000C1FE, 1000C258
SOFTWARE\, xrefs: 1000C3E5, 1000C4CA, 1000C705

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: LibraryLoad$File$Attributes$Create$CloseExitFreeProcessString$DeleteErrorHandleLastLocalMutexShowSizeSleepTimeValueWindow
String ID: .cfg$.dat$.xtr$InstalledServer$SOFTWARE\$ServerName$ServerStarted$\Microsoft\Windows\$advapi32.dll$comctl32.dll$gdi32.dll$kernel32.dll$mpr.dll$msimg32.dll$opengl32.dll$shell32.dll$user32.dll$version.dll$wintrust.dll
API String ID: 3227317601-3293355523
Opcode ID: 5b9d371332c0436a819d40e36f887bfd0ab1ce0b3426eda82bdb212bd3585989
Instruction ID: 1bb01a822c3cd363219a61f58cecc4d3cd4d7df1aa5892b4b649a7b9097d74e2
Opcode Fuzzy Hash: 5b9d371332c0436a819d40e36f887bfd0ab1ce0b3426eda82bdb212bd3585989
Instruction Fuzzy Hash: 58128D7890025D9BEB21DB50CC82EDEB3B9EF84381F4080E5E5096B299DB71BF858F55

Uniqueness

Uniqueness Score: -1.00%

Function 10008DA4 Relevance: 33.5, APIs: 13, Strings: 6, Instructions: 218filewindowCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(00000000,00000000,00000000,1000907B), ref: 10008DF5
SendMessageA.USER32 ref: 10008EB2
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,0000C1AD,00000000,00000000,00000000,00000000,00000000,1000907B), ref: 10008EC7
ReadFile.KERNEL32(00000000,?,-1000F6C4,?,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,0000C1AD,00000000,00000000,00000000), ref: 10008F0B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,-1000F6C4,?,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10008F1C
SendMessageA.USER32 ref: 10008F36
SetFileAttributesW.KERNEL32(?,00000080,</html>,100091AC,</body>,?,<html><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><head><title>Xtreme RAT</title></head><body>,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000000), ref: 10008F65
DeleteFileW.KERNEL32(?,?,00000080,</html>,100091AC,</body>,?,<html><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><head><title>Xtreme RAT</title></head><body>,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002), ref: 10008F6B
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,00000080,</html>,100091AC,</body>,?,<html><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><head><title>Xtreme RAT</title></head><body>,00000000), ref: 10008F80
WriteFile.KERNEL32(00000000,000000FF,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,00000080,</html>), ref: 10008FA1
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,00000000,000000FF,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000000), ref: 10008FBC
CloseHandle.KERNEL32(00000000,?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,00000080,</html>,100091AC,</body>,?,<html><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><head><title>Xtreme RAT</title></head><body>), ref: 10008FC2
DeleteFileW.KERNEL32(00000000,00000000,?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,00000080,</html>,100091AC,</body>,?), ref: 10009053

Strings

FTP, xrefs: 1000903A
LastSize, xrefs: 10009028
<html><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><head><title>Xtreme RAT</title></head><body>, xrefs: 10008F3B
</html>, xrefs: 10008F4D
</body>, xrefs: 10008F43
SOFTWARE\, xrefs: 1000901B

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: File$DeleteMessagePointerSendWrite$AttributesCloseCreateHandleReadSize
String ID: </body>$</html>$<html><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><head><title>Xtreme RAT</title></head><body>$FTP$LastSize$SOFTWARE\
API String ID: 1838766879-265700797
Opcode ID: 6afe5d7baa92ee49307d14607dcc6b54c298818535a995e093fc1311981f44f4
Instruction ID: 9ae569672a167bc613e47318ba2929e521b2e386b238916fb1c1f90ba9e27590
Opcode Fuzzy Hash: 6afe5d7baa92ee49307d14607dcc6b54c298818535a995e093fc1311981f44f4
Instruction Fuzzy Hash: 2C814D74A00259AFFB10DFA8CC85FEE77F9FB08380F508119F544A72A9CB75A9458B64

Uniqueness

Uniqueness Score: -1.00%

Function 1000A558 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 279libraryfileCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(URLMON.DLL,00000000,1000A98B,?,?,?,?,00000000,00000000), ref: 1000A5A8
LoadLibraryA.KERNEL32(shell32.dll,URLMON.DLL,00000000,1000A98B,?,?,?,?,00000000,00000000), ref: 1000A5B2
SetFileAttributesW.KERNEL32(00000000,00000080,shell32.dll,URLMON.DLL,00000000,1000A98B,?,?,?,?,00000000,00000000), ref: 1000A5E7
DeleteFileW.KERNEL32(00000000,00000002,00000000,00000000,00000080,shell32.dll,URLMON.DLL,00000000,1000A98B,?,?,?,?,00000000,00000000), ref: 1000A6BA

Part of subcall function 10005F88: URLDownloadToCacheFileW.URLMON(00000000,00000000,?,00000104,00000010,00000000), ref: 10005FD1
Part of subcall function 10005F88: CopyFileW.KERNEL32(?,00000000,00000000,00000000,10006016), ref: 10005FEC

DeleteFileW.KERNEL32(00000000,.functions,?,1000AA34,?,?,1000AA2C,?,http://), ref: 1000A915

Part of subcall function 10005E30: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E67
Part of subcall function 10005E30: GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E71
Part of subcall function 10005E30: ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E99
Part of subcall function 10005E30: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E9F

Strings

ENDSERVERBUFFER, xrefs: 1000A65B, 1000A842, 1000A8A9
STARTSERVERBUFFER, xrefs: 1000A64A, 1000A82D, 1000A89F
shell32.dll, xrefs: 1000A5AD
http://, xrefs: 1000A6F8
XTREME, xrefs: 1000A5BA
URLMON.DLL, xrefs: 1000A5A3
.functions, xrefs: 1000A779

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: File$DeleteLibraryLoad$AttributesCacheCloseCopyCreateDownloadHandleReadSize
String ID: .functions$ENDSERVERBUFFER$STARTSERVERBUFFER$URLMON.DLL$XTREME$http://$shell32.dll
API String ID: 1556940775-4263465085
Opcode ID: 4ee3fca3fa4ba668606f9b885bd85ae8f743085f3bd6b7371585acf1e6052cfe
Instruction ID: 095f8cd7e1ad7f54d17a8aaba90678f4abf6843293fa25502bb1c2560b129c41
Opcode Fuzzy Hash: 4ee3fca3fa4ba668606f9b885bd85ae8f743085f3bd6b7371585acf1e6052cfe
Instruction Fuzzy Hash: 3FB14D78A001199BEB11DBA4CC82ADFB7B9FF44380F5081A5F504A765ADB74AF858F50

Uniqueness

Uniqueness Score: -1.00%

Function 1000B0D0 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 177fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,1000B2FA,?,?,00000000,00000000), ref: 1000B1C1

Part of subcall function 10005F1C: GetFileAttributesW.KERNEL32(00000000,00000000,10005F73,?,?,?,?,?,1000C491,00000000,00000000,?,00000002,?,?,.dat), ref: 10005F46
Part of subcall function 10005F1C: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,10005F73,?,?,?,?,?,1000C491,00000000,00000000,?,00000002,?), ref: 10005F58

Part of subcall function 10003788: SysFreeString.OLEAUT32(?), ref: 1000379B

Strings

RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\, xrefs: 1000B172, 1000B1ED, 1000B228
[autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\, xrefs: 1000B1C6
shell\Open=Open, xrefs: 1000B219
RECYCLER\, xrefs: 1000B2A1
shell\Open\Default=1, xrefs: 1000B240
autorun.inf, xrefs: 1000B26B, 1000B289
shellexecute=, xrefs: 1000B1E8
label=PENDRIVE, xrefs: 1000B205
shell\Open\command=, xrefs: 1000B223
icon=shell32.dll,4, xrefs: 1000B1DE
action=Open folder to view files, xrefs: 1000B20F

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: File$Attributes$CopyFreeString
String ID: RECYCLER\$RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$[autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$action=Open folder to view files$autorun.inf$icon=shell32.dll,4$label=PENDRIVE$shell\Open=Open$shell\Open\Default=1$shell\Open\command=$shellexecute=
API String ID: 1359780422-631342129
Opcode ID: 13ecfe44ea8818081acd79cdab56d55be9f714c6c0a79ac0d907a72402bacc2f
Instruction ID: e38e5125926d32c1d26ff353fbb275c64c03e2d6fa0b8cc01eec99beb1e39287
Opcode Fuzzy Hash: 13ecfe44ea8818081acd79cdab56d55be9f714c6c0a79ac0d907a72402bacc2f
Instruction Fuzzy Hash: CA616334909688AFEB03DF64CC519DEBF75DF46280B5580E6F040AB15BD774AE05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100093E4 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 138filewindowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 10008D4C: SendMessageA.USER32 ref: 10008D6F
Part of subcall function 10008D4C: CloseHandle.KERNEL32(00000000,1000C6A4,?,00000000,00000000,?,00000002,?,?,.dat,?,1000C958,?,.xtr,?,1000C958), ref: 10008D83

ShowWindow.USER32(00000000,00000000,00000000,100095DE,?,00000000,00000000,00000000,?,1000C659,00000000,00000000,?,00000002,?,?), ref: 10009443
SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,100095DE,?,00000000,00000000,00000000,?,1000C659,00000000,00000000,?,00000002), ref: 10009467
CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080,00000000,00000000,00000000,100095DE,?,00000000,00000000), ref: 10009486
GetFileSize.KERNEL32(00000000,00000000,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080,00000000,00000000,00000000,100095DE), ref: 100094C3
SetFileAttributesW.KERNEL32(00000000,00000007,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080,00000000,00000000,00000000,100095DE), ref: 10009554
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000007,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080,00000000), ref: 10009565
SendMessageA.USER32 ref: 1000957F
SetClipboardViewer.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000007,00000000,C0000000,00000003,00000000,00000004), ref: 1000958F

Part of subcall function 10006510: GetDesktopWindow.USER32 ref: 10006571
Part of subcall function 10006510: GetWindowRect.USER32 ref: 10006577
Part of subcall function 10006510: GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?), ref: 1000657E
Part of subcall function 10006510: RegisterClassW.USER32 ref: 1000658A

Strings

XtremeKeylogger, xrefs: 10009403
qualquercoisarsrsr, xrefs: 1000944D
SOFTWARE\, xrefs: 1000952B
LastSize, xrefs: 10009538

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: File$Window$AttributesHandleMessageSend$ClassClipboardCloseCreateDesktopModulePointerRectRegisterShowSizeViewer
String ID: LastSize$SOFTWARE\$XtremeKeylogger$qualquercoisarsrsr
API String ID: 411803610-193067991
Opcode ID: 676dcd07bedc78bc966ac9f8878885fe89c124370f656291f037c9e9c79c44c2
Instruction ID: e10228e688af51e092dac2c6f3dee7a218e45a64ed0b3a8379d93de067ea2b0a
Opcode Fuzzy Hash: 676dcd07bedc78bc966ac9f8878885fe89c124370f656291f037c9e9c79c44c2
Instruction Fuzzy Hash: 86415E78604251AFF711EB70CC92F6E37A9E7483C0F518029F144AB6FECEB6A8419751

Uniqueness

Uniqueness Score: -1.00%

Function 1000B140 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 125fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,1000B2FA,?,?,00000000,00000000), ref: 1000B1C1

Part of subcall function 10005F1C: GetFileAttributesW.KERNEL32(00000000,00000000,10005F73,?,?,?,?,?,1000C491,00000000,00000000,?,00000002,?,?,.dat), ref: 10005F46
Part of subcall function 10005F1C: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,10005F73,?,?,?,?,?,1000C491,00000000,00000000,?,00000002,?), ref: 10005F58

Part of subcall function 10003788: SysFreeString.OLEAUT32(?), ref: 1000379B

Strings

RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\, xrefs: 1000B172, 1000B1ED, 1000B228
[autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\, xrefs: 1000B1C6
shell\Open=Open, xrefs: 1000B219
RECYCLER\, xrefs: 1000B2A1
shell\Open\Default=1, xrefs: 1000B240
autorun.inf, xrefs: 1000B26B, 1000B289
shellexecute=, xrefs: 1000B1E8
label=PENDRIVE, xrefs: 1000B205
shell\Open\command=, xrefs: 1000B223
icon=shell32.dll,4, xrefs: 1000B1DE
action=Open folder to view files, xrefs: 1000B20F

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: File$Attributes$CopyFreeString
String ID: RECYCLER\$RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$[autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$action=Open folder to view files$autorun.inf$icon=shell32.dll,4$label=PENDRIVE$shell\Open=Open$shell\Open\Default=1$shell\Open\command=$shellexecute=
API String ID: 1359780422-631342129
Opcode ID: f3564a97d53de12c9b48bdf10bff330839f6c1832b8590ef24407a4c5debb447
Instruction ID: 6ae93d5114324f60805c066673cfebbd25bb18d06d828e6891266f46ee2437b0
Opcode Fuzzy Hash: f3564a97d53de12c9b48bdf10bff330839f6c1832b8590ef24407a4c5debb447
Instruction Fuzzy Hash: 71410E38900909ABEB05EF94CD82DDEB7B9EF44281F90C165F500B725EDB71BE058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 100096F6 Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 35registryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatW.USER32(jiejwogfdjieovevodnvfnievn), ref: 10009717
RegisterClipboardFormatW.USER32(gsegtsrgrefsfsfsgrsgrt), ref: 10009726
RegisterClipboardFormatW.USER32(trhgtehgfsgrfgtrwegtre), ref: 10009735
RegisterClipboardFormatW.USER32(jytjyegrsfvfbgfsdf), ref: 10009744
RegisterClipboardFormatW.USER32(hgtrfsgfrsgfgregtregtr), ref: 10009753
RegisterClipboardFormatW.USER32(frgjbfdkbnfsdjbvofsjfrfre), ref: 10009762

Strings

jytjyegrsfvfbgfsdf, xrefs: 1000973F
trhgtehgfsgrfgtrwegtre, xrefs: 10009730
hgtrfsgfrsgfgregtregtr, xrefs: 1000974E
frgjbfdkbnfsdjbvofsjfrfre, xrefs: 1000975D
jiejwogfdjieovevodnvfnievn, xrefs: 10009712
gsegtsrgrefsfsfsgrsgrt, xrefs: 10009721

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: ClipboardFormatRegister
String ID: frgjbfdkbnfsdjbvofsjfrfre$gsegtsrgrefsfsfsgrsgrt$hgtrfsgfrsgfgregtregtr$jiejwogfdjieovevodnvfnievn$jytjyegrsfvfbgfsdf$trhgtehgfsgrfgtrwegtre
API String ID: 1228543026-2672052065
Opcode ID: eaca480185e3529857f08a7b99fa4587865511e38ce0a633c86f9ec4ba4854cf
Instruction ID: ed3f77de684bd0d246fe2b552f76a464aac7a3f76a0323551fd1ca8e49655e55
Opcode Fuzzy Hash: eaca480185e3529857f08a7b99fa4587865511e38ce0a633c86f9ec4ba4854cf
Instruction Fuzzy Hash: 8BF0F9794192116EF701DF714C6697B7698E7453C13818529F5C882A3DDF3358059BE1

Uniqueness

Uniqueness Score: -1.00%

Function 100096F8 Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 34registryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatW.USER32(jiejwogfdjieovevodnvfnievn), ref: 10009717
RegisterClipboardFormatW.USER32(gsegtsrgrefsfsfsgrsgrt), ref: 10009726
RegisterClipboardFormatW.USER32(trhgtehgfsgrfgtrwegtre), ref: 10009735
RegisterClipboardFormatW.USER32(jytjyegrsfvfbgfsdf), ref: 10009744
RegisterClipboardFormatW.USER32(hgtrfsgfrsgfgregtregtr), ref: 10009753
RegisterClipboardFormatW.USER32(frgjbfdkbnfsdjbvofsjfrfre), ref: 10009762

Strings

jytjyegrsfvfbgfsdf, xrefs: 1000973F
trhgtehgfsgrfgtrwegtre, xrefs: 10009730
hgtrfsgfrsgfgregtregtr, xrefs: 1000974E
frgjbfdkbnfsdjbvofsjfrfre, xrefs: 1000975D
jiejwogfdjieovevodnvfnievn, xrefs: 10009712
gsegtsrgrefsfsfsgrsgrt, xrefs: 10009721

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: ClipboardFormatRegister
String ID: frgjbfdkbnfsdjbvofsjfrfre$gsegtsrgrefsfsfsgrsgrt$hgtrfsgfrsgfgregtregtr$jiejwogfdjieovevodnvfnievn$jytjyegrsfvfbgfsdf$trhgtehgfsgrfgtrwegtre
API String ID: 1228543026-2672052065
Opcode ID: 0db88cb41446c7a1772992425046f1e51f35a21a88b435333acbf191ec07eeb4
Instruction ID: 4cd3ad10a4a29e5a40757261822789eba1ab52c8d76854998792a07700413263
Opcode Fuzzy Hash: 0db88cb41446c7a1772992425046f1e51f35a21a88b435333acbf191ec07eeb4
Instruction Fuzzy Hash: EDF0F4B94192116EF701DFB18C6A97B7A98E7453C13818529E6C882A3DDF331405ABE2

Uniqueness

Uniqueness Score: -1.00%

Function 10005838 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

CharNextW.USER32(00000000,?,00000000,00000001,?,1000599D,1000F834,?,?,1000D14C,00008007,00000000,1000D759), ref: 10005877
CharNextW.USER32(00000000,00000000,?,00000000,00000001,?,1000599D,1000F834,?,?,1000D14C,00008007,00000000,1000D759), ref: 10005881
CharNextW.USER32(00000000,00000000,?,00000000,00000001,?,1000599D,1000F834,?,?,1000D14C,00008007,00000000,1000D759), ref: 100058AA
CharNextW.USER32(00000000,?,00000000,00000001,?,1000599D,1000F834,?,?,1000D14C,00008007,00000000,1000D759), ref: 100058B4
CharNextW.USER32(00000000,00000000,?,00000000,00000001,?,1000599D,1000F834,?,?,1000D14C,00008007,00000000,1000D759), ref: 100058E9
CharNextW.USER32(00000000,00000000,00000000,?,00000000,00000001,?,1000599D,1000F834,?,?,1000D14C,00008007,00000000,1000D759), ref: 100058F3
CharNextW.USER32(00000000,00000000,00000000,?,00000000,00000001,?,1000599D,1000F834,?,?,1000D14C,00008007,00000000,1000D759), ref: 10005920
CharNextW.USER32(00000000,00000000,?,00000000,00000001,?,1000599D,1000F834,?,?,1000D14C,00008007,00000000,1000D759), ref: 1000592A

Strings

", xrefs: 1000585E
", xrefs: 10005858

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: CharNext
String ID: "$"
API String ID: 3213498283-3758156766
Opcode ID: 56db7724e89b489fdf42acb8acbc4d14fc1821fe57b6b69609cfd9fea17b0585
Instruction ID: 49fe6b66c80159b6a372ae54facb011d0530469a5cfb0b84791d945b4afab074
Opcode Fuzzy Hash: 56db7724e89b489fdf42acb8acbc4d14fc1821fe57b6b69609cfd9fea17b0585
Instruction Fuzzy Hash: EA31E74D70031795FB20FA649CC025B72D5EB452D3BA6C931ED41A728EEDB25C438369

Uniqueness

Uniqueness Score: -1.00%

Function 1000A54F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 127libraryfileCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(URLMON.DLL,00000000,1000A98B,?,?,?,?,00000000,00000000), ref: 1000A5A8
LoadLibraryA.KERNEL32(shell32.dll,URLMON.DLL,00000000,1000A98B,?,?,?,?,00000000,00000000), ref: 1000A5B2
SetFileAttributesW.KERNEL32(00000000,00000080,shell32.dll,URLMON.DLL,00000000,1000A98B,?,?,?,?,00000000,00000000), ref: 1000A5E7
DeleteFileW.KERNEL32(00000000,00000002,00000000,00000000,00000080,shell32.dll,URLMON.DLL,00000000,1000A98B,?,?,?,?,00000000,00000000), ref: 1000A6BA

Strings

ENDSERVERBUFFER, xrefs: 1000A65B
STARTSERVERBUFFER, xrefs: 1000A64A
shell32.dll, xrefs: 1000A5AD
XTREME, xrefs: 1000A5BA
URLMON.DLL, xrefs: 1000A5A3

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: FileLibraryLoad$AttributesDelete
String ID: ENDSERVERBUFFER$STARTSERVERBUFFER$URLMON.DLL$XTREME$shell32.dll
API String ID: 1064610246-2417524110
Opcode ID: 5f286e1d0fd3c37f5beda26e71c0865df4d0ed5b9a9d771c72d972da7527a27b
Instruction ID: 30b3ef76a2a80ae0936852672a2bbee531ad642fb2a80bd77bca9c30e5cd02f7
Opcode Fuzzy Hash: 5f286e1d0fd3c37f5beda26e71c0865df4d0ed5b9a9d771c72d972da7527a27b
Instruction Fuzzy Hash: 7F418D78A141199BEB11DBA4CC82BEFB3B9FF44380F508165F504A728ADB34BE418B64

Uniqueness

Uniqueness Score: -1.00%

Function 10009204 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100sleepfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,00000000,1000937D,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 10009230
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000003E8,00000000,1000937D,?,?,?,?,00000000), ref: 100092FD
SetEndOfFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000003E8,00000000,1000937D), ref: 10009305

Strings

.html, xrefs: 10009260
SOFTWARE\, xrefs: 10009341
LastSize, xrefs: 1000934E
FTP, xrefs: 1000928C
jjj, xrefs: 100092F4

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: File$PointerSleep
String ID: .html$FTP$LastSize$SOFTWARE\$jjj
API String ID: 1384090385-2221063783
Opcode ID: f64d9703497d1778a1f724dcd6172282dd11fce0a9d43a36a9a9269ada9e7162
Instruction ID: 1ef3a85e4ac3c80801a06b688fa0acd6d065186ae52865efd5065228073e7574
Opcode Fuzzy Hash: f64d9703497d1778a1f724dcd6172282dd11fce0a9d43a36a9a9269ada9e7162
Instruction Fuzzy Hash: 9F317078500145BFF705DB64CD81BAF77ADEB453C0F904129F440AB6BACBB2AD509B61

Uniqueness

Uniqueness Score: -1.00%

Function 10005A94 Relevance: 12.6, Strings: 10, Instructions: 71COMMON

Download Yara Rule

Strings

HKU, xrefs: 10005B3B
HKCU, xrefs: 10005AF1
HKEY_USERS, xrefs: 10005B2C
HKCC, xrefs: 10005B60
HKEY_CURRENT_CONFIG, xrefs: 10005B51
HKEY_CLASSES_ROOT, xrefs: 10005ABA
HKLM, xrefs: 10005B16
HKEY_CURRENT_USER, xrefs: 10005AE2
HKEY_LOCAL_MACHINE, xrefs: 10005B07
HKCR, xrefs: 10005AC9

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 2525500382-909552448
Opcode ID: 19a7d89fdd0d4a8943666261cc10e3fb7835feb1d7da3395f8e32f4d42fefbdb
Instruction ID: 07abd4759daa604870a4f77bd8534178fed91fd4fee8f89ff290bb29f67fd9b2
Opcode Fuzzy Hash: 19a7d89fdd0d4a8943666261cc10e3fb7835feb1d7da3395f8e32f4d42fefbdb
Instruction Fuzzy Hash: E5211D38B041C99BF711DA99858295FB3E9DB8D7C2FB08091B8415731EDB37BF019622

Uniqueness

Uniqueness Score: -1.00%

Function 10006E78 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 10003770: SysFreeString.OLEAUT32(1000CFDC), ref: 1000377E

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$FreeString
String ID: KeyDelBackspace$Numpad
API String ID: 610577094-3409537306
Opcode ID: ed6114367509c6d9fab90cc7175f2c84ae42d38466c56a82ea0a6d039912394e
Instruction ID: 239179f37c3e83d944ae5989e00453cfc3f7d2dfafefd2690d13731161f6058c
Opcode Fuzzy Hash: ed6114367509c6d9fab90cc7175f2c84ae42d38466c56a82ea0a6d039912394e
Instruction Fuzzy Hash: 9451E9B9E002545BF721CB24CC41B9F73A9FB887C0F5081A5FA489724ADA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100030CC Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,1000319A,?,?,?,00000002,1000323A,1000259B,100025E3,00000002,00000000), ref: 10003105
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,1000319A,?,?,?,00000002,1000323A,1000259B,100025E3,00000002), ref: 1000310B
GetStdHandle.KERNEL32(000000F5,10003154,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,1000319A,?,?), ref: 10003120
WriteFile.KERNEL32(00000000,000000F5,10003154,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,1000319A,?,?), ref: 10003126
MessageBoxA.USER32 ref: 10003144

Strings

Runtime error at 00000000, xrefs: 100030FE, 1000313D
Error, xrefs: 10003138

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 34c1e474a0937ca068d19135c8955f1baf6dec87746d38fd93c81dd1fbdfdeba
Instruction ID: d75082f90510a20ccce61780b3b63c21f75a1319e25b57c37db6013eec112d5f
Opcode Fuzzy Hash: 34c1e474a0937ca068d19135c8955f1baf6dec87746d38fd93c81dd1fbdfdeba
Instruction Fuzzy Hash: F8F0B4BA9443D078F621E3608C86FEB239CC745BD0F108208F364648DFCBE468C4A626

Uniqueness

Uniqueness Score: -1.00%

Function 10008560 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 148COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,10008BA5,?,?,?,0000002E,00000000,00000000), ref: 100085B7

Strings

, xrefs: 1000862D, 10008650
[, xrefs: 10008660
--- , xrefs: 10008680
, xrefs: 100086A3

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID: $ --- $$[
API String ID: 1263568516-341333612
Opcode ID: 844369069b05dfd62b440b7fafa7b9f06d8a9886853feb290a734d0b2ba6acd8
Instruction ID: 82ed3cb906cd8235e36a84cac39b9343783464e2b4201940a396f7c820685ddb
Opcode Fuzzy Hash: 844369069b05dfd62b440b7fafa7b9f06d8a9886853feb290a734d0b2ba6acd8
Instruction Fuzzy Hash: 6F513A78A00119AFEB11DB94CC81FDEB7B9FB48380F5084A1F548A7269DB31BF458B61

Uniqueness

Uniqueness Score: -1.00%

Function 1000B700 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 10003770: SysFreeString.OLEAUT32(1000CFDC), ref: 1000377E

FindResourceW.KERNEL32(10000000,XTREMEBINDER,0000000A,?,?,1000F834,?,1000B7CA,00000000,1000BC5D,?,1000F834,00000000,00000000,000002C4,00000000), ref: 1000B71A
SizeofResource.KERNEL32(10000000,00000000,10000000,XTREMEBINDER,0000000A,?,?,1000F834,?,1000B7CA,00000000,1000BC5D,?,1000F834,00000000,00000000), ref: 1000B728
LoadResource.KERNEL32(10000000,00000000,10000000,00000000,10000000,XTREMEBINDER,0000000A,?,?,1000F834,?,1000B7CA,00000000,1000BC5D,?,1000F834), ref: 1000B736
LockResource.KERNEL32(00000000,10000000,00000000,10000000,00000000,10000000,XTREMEBINDER,0000000A,?,?,1000F834,?,1000B7CA,00000000,1000BC5D), ref: 1000B73E
FreeResource.KERNEL32(00000000,00000000,10000000,00000000,10000000,00000000,10000000,XTREMEBINDER,0000000A,?,?,1000F834,?,1000B7CA,00000000,1000BC5D), ref: 1000B765

Strings

XTREMEBINDER, xrefs: 1000B70F

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Resource$Free$FindLoadLockSizeofString
String ID: XTREMEBINDER
API String ID: 1314290513-399165745
Opcode ID: 17ceae75176a0c04b03f872206b008580ef93f74fcc784d7bab5c6ea897d36e1
Instruction ID: 56a9b21ec2ef0885f1dba9b5c05c5a0442ce31da9cf93dba5427497db9e4b129
Opcode Fuzzy Hash: 17ceae75176a0c04b03f872206b008580ef93f74fcc784d7bab5c6ea897d36e1
Instruction Fuzzy Hash: A2F09AAA700A542BB111E7BD8CC1D3F738DEB84AC0B420020F608DB21ECE29FC0543A8

Uniqueness

Uniqueness Score: -1.00%

Function 10001904 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(1000F5B8,00000000,100019DA), ref: 10001931
LocalFree.KERNEL32(00000000,00000000,100019DA), ref: 10001943
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,100019DA), ref: 10001962
LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,100019DA), ref: 100019A1
RtlLeaveCriticalSection.KERNEL32(1000F5B8,100019E1,00000000,00000000,100019DA), ref: 100019CA
RtlDeleteCriticalSection.KERNEL32(1000F5B8,100019E1,00000000,00000000,100019DA), ref: 100019D4

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 4d314bb510370c6eda77b791f80044d8227fb3aea424606413f6edf4cfd7fdca
Instruction ID: c7235647f75663e059265485ffa3ed86b09466631e02243638bb2540abc76f59
Opcode Fuzzy Hash: 4d314bb510370c6eda77b791f80044d8227fb3aea424606413f6edf4cfd7fdca
Instruction Fuzzy Hash: 591182B9604A906EF715DF648CA1BF53799E7452C6F80405CF340879AEDB25A840E761

Uniqueness

Uniqueness Score: -1.00%

Function 100070F0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Numpad /], xrefs: 10007169
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Numpad /]
API String ID: 783433895-3841828083
Opcode ID: a69122926cd9ff44543af4826b796c0f070a02847923b1c1add8bc23721ad3f3
Instruction ID: fa9f52e14e4bae6c9c3f3ac931d5b0ad477dd65ff029e14091f69c139beb8dbd
Opcode Fuzzy Hash: a69122926cd9ff44543af4826b796c0f070a02847923b1c1add8bc23721ad3f3
Instruction Fuzzy Hash: 3931BEB8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489B24ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007196 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886
[Numpad *], xrefs: 1000719C

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Numpad *]
API String ID: 783433895-2575978678
Opcode ID: 40a71dd3fd3848f36daa4371efc6091b58f5d128a51f6a9aba358ae957a7c821
Instruction ID: d9c473077837587251831d3c435770d097e1af4f38d4c7dbbca54610dc210ef0
Opcode Fuzzy Hash: 40a71dd3fd3848f36daa4371efc6091b58f5d128a51f6a9aba358ae957a7c821
Instruction Fuzzy Hash: B831C0B8F042545BF722D7658C45B9F73A9FB882C0F50C1A5F5489B20ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007145 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Backspace], xrefs: 10007147
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Backspace]
API String ID: 783433895-3993161958
Opcode ID: ce0ad2ca1f90caf9ea666e0b07d6a3e8c10c8d2f93d8c23ca1895d0225b460b2
Instruction ID: 70b2502395a00a419c57d53d4495c89bce5646a586783f0d1f72156cf019b369
Opcode Fuzzy Hash: ce0ad2ca1f90caf9ea666e0b07d6a3e8c10c8d2f93d8c23ca1895d0225b460b2
Instruction Fuzzy Hash: 9031C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007156 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Numpad .], xrefs: 10007158
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Numpad .]
API String ID: 783433895-4259747250
Opcode ID: b54b2f61d87570f8875ef0f8debff805adedceafda15ff330bb240909df8f3a1
Instruction ID: 0bc05a9cc8b03a63822bed3d9a4d5e012b227a2082e24ae561fe8c67785f8955
Opcode Fuzzy Hash: b54b2f61d87570f8875ef0f8debff805adedceafda15ff330bb240909df8f3a1
Instruction Fuzzy Hash: 2A31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F6489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007178 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Esc], xrefs: 1000717A
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Esc]
API String ID: 783433895-3858598201
Opcode ID: 77c0f584e0695a7ac5b051d0ce750dd1d5baeb7579199a9787a9a3ee3ba27aa5
Instruction ID: a0438d12f8ed14f13429e205a5184d8ddefa3685f311b8074393ca4d61dc1d3f
Opcode Fuzzy Hash: 77c0f584e0695a7ac5b051d0ce750dd1d5baeb7579199a9787a9a3ee3ba27aa5
Instruction Fuzzy Hash: 6131C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489724ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007255 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Back Tab], xrefs: 10007257
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Back Tab]
API String ID: 783433895-1646378708
Opcode ID: 93a1f9fd4b03a2b64f3aec136e1b11870f180bc3e6a4538c105c08aaf9b2b6df
Instruction ID: 3a85998fe2589ccb64e60228e5e214ad5b480cee4fe54291cbf2aada2de1e6bb
Opcode Fuzzy Hash: 93a1f9fd4b03a2b64f3aec136e1b11870f180bc3e6a4538c105c08aaf9b2b6df
Instruction Fuzzy Hash: 4131C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A6F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007266 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Copy], xrefs: 10007268
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Copy]
API String ID: 783433895-3795801677
Opcode ID: 44d757909d80be684137888da5a970062e875dbb24bf93a2939e8a7e6361997e
Instruction ID: 34291bd968ee6a57f754c6061d72616049048bf9c09e257ad4a1739f3e02d25f
Opcode Fuzzy Hash: 44d757909d80be684137888da5a970062e875dbb24bf93a2939e8a7e6361997e
Instruction Fuzzy Hash: 0D31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007277 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Finish], xrefs: 10007279
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Finish]
API String ID: 783433895-126034051
Opcode ID: 692f9ff7583ff38c64fa304b1c97454ce66ce919cf4bbd85751b8f3092655a58
Instruction ID: a0ed5623e56a33cb834bfc176e6fd190eaeae0050e97d100fa21e54e37a1b336
Opcode Fuzzy Hash: 692f9ff7583ff38c64fa304b1c97454ce66ce919cf4bbd85751b8f3092655a58
Instruction Fuzzy Hash: EB31BEB8B042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE458B61

Uniqueness

Uniqueness Score: -1.00%

Function 10007288 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Reset], xrefs: 1000728A
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Reset]
API String ID: 783433895-245523249
Opcode ID: 0bc9773a6bbad631a6a70fe1f822373a926ab4f180a8ef66085c0ab71cdd19d9
Instruction ID: 291c1767fd01b166514c41e15e57a47f42bc66d9c0c46ca14ea2eebe3236c6d1
Opcode Fuzzy Hash: 0bc9773a6bbad631a6a70fe1f822373a926ab4f180a8ef66085c0ab71cdd19d9
Instruction Fuzzy Hash: F031C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007299 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Play], xrefs: 1000729B
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Play]
API String ID: 783433895-3392069046
Opcode ID: 7cbc7b547a09e3bc52c6deb3fa975999c833a7782dcd4b422faccb44a12d16fc
Instruction ID: c39f81576484fb7735cad50cf9efa43f524eeb1dbde31a28f4c5d3b5c036a80a
Opcode Fuzzy Hash: 7cbc7b547a09e3bc52c6deb3fa975999c833a7782dcd4b422faccb44a12d16fc
Instruction Fuzzy Hash: 2731C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100072AA Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Process], xrefs: 100072AC
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Process]
API String ID: 783433895-2206852380
Opcode ID: 9cc73bee2c5c66c45c57059d7ed4abb569be2cba4b687590c36e796b9dc273c7
Instruction ID: 542da9702f65af167a2acd74eee3d938ae924f742fa8779219d2eac7aa9adbbf
Opcode Fuzzy Hash: 9cc73bee2c5c66c45c57059d7ed4abb569be2cba4b687590c36e796b9dc273c7
Instruction Fuzzy Hash: 3431C2B8F042545BF722C7658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45C761

Uniqueness

Uniqueness Score: -1.00%

Function 100072CC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Select], xrefs: 100072CE
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Select]
API String ID: 783433895-2413838692
Opcode ID: 514ff3e34b14a9e5d8ab413587dce2c2f410968874725fa2580441ff6d415804
Instruction ID: a17747a1b3028d12c7a4f27126b47fc81b0c71295ef6cb46dcdf9e05795c8619
Opcode Fuzzy Hash: 514ff3e34b14a9e5d8ab413587dce2c2f410968874725fa2580441ff6d415804
Instruction Fuzzy Hash: 1E31C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100072DD Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Separator], xrefs: 100072DF
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Separator]
API String ID: 783433895-3494163826
Opcode ID: b28f82d1315a21c0ec3eeca5f420e7cb8781b37bf75afc05d08b2ace6efbe94e
Instruction ID: 4579c8cabb46fc9fc98fa56ae242cb9821b75e5cae476442ada672dc186bafb3
Opcode Fuzzy Hash: b28f82d1315a21c0ec3eeca5f420e7cb8781b37bf75afc05d08b2ace6efbe94e
Instruction Fuzzy Hash: A831C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100072FF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Numpad -], xrefs: 10007301
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Numpad -]
API String ID: 783433895-3603678833
Opcode ID: f727318df62ab6984be34b48274f61689c13b89c74ec8ef95ab27e6241858d3f
Instruction ID: b676ca2d17fe351d24fe2de8df4d6e9bb7385714fcd3c7b893a6d02882ec396e
Opcode Fuzzy Hash: f727318df62ab6984be34b48274f61689c13b89c74ec8ef95ab27e6241858d3f
Instruction Fuzzy Hash: D031C2B8F042545BF722C7658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45C761

Uniqueness

Uniqueness Score: -1.00%

Function 10007310 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Tab], xrefs: 10007312
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Tab]
API String ID: 783433895-199360412
Opcode ID: a785524ab226e4e94283a726cfb6f81e18d137b6129507000f7a99f762322629
Instruction ID: 2d267a324e9484a07124ea1970936e27bf22569b5696d9d4b95596e51c586869
Opcode Fuzzy Hash: a785524ab226e4e94283a726cfb6f81e18d137b6129507000f7a99f762322629
Instruction Fuzzy Hash: 5C31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007321 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886
[Zoom], xrefs: 10007323

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Zoom]
API String ID: 783433895-3055259814
Opcode ID: c86214f759ae3126244a3cd9606ceefeacbd963b4d36a47ee78664366667e26b
Instruction ID: c5f0f41a8bcff8c1d7aba9d7791743940dec5144013e653b87fb915418b11de3
Opcode Fuzzy Hash: c86214f759ae3126244a3cd9606ceefeacbd963b4d36a47ee78664366667e26b
Instruction Fuzzy Hash: 4331C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007332 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886
[Accept], xrefs: 10007334

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Accept]
API String ID: 783433895-902341990
Opcode ID: 061c268dcb76f09fc094880b4e13fa08ad57f8be8229b2d86ba77c075008c1be
Instruction ID: d2ccba2c791f0b7862c28547fcae4e8d4588ca6c664595fde746ffb7111930bd
Opcode Fuzzy Hash: 061c268dcb76f09fc094880b4e13fa08ad57f8be8229b2d86ba77c075008c1be
Instruction Fuzzy Hash: 7831C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECAB8EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007343 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Context Menu], xrefs: 10007345
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Context Menu]
API String ID: 783433895-1701729690
Opcode ID: 5d34866b129b1461d8c55ee51f28b427d56f46fb75139132869c509ee41a27b4
Instruction ID: 9c56b4dc1bb70802c6b761373c7da6d8c422a16c06a74f10d60259aa3dc6bda0
Opcode Fuzzy Hash: 5d34866b129b1461d8c55ee51f28b427d56f46fb75139132869c509ee41a27b4
Instruction Fuzzy Hash: E531C2B8F042545BF722C7658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45C761

Uniqueness

Uniqueness Score: -1.00%

Function 10007354 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Caps Lock], xrefs: 10007356
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Caps Lock]
API String ID: 783433895-928131802
Opcode ID: 490ffde09bfcbb988d4b6b8e85d853c254a7b6d763ca68262fef91c207acda70
Instruction ID: 1db21de267972ec542353e6ccb0e08bd67032bee9118580e561326deec9e72ff
Opcode Fuzzy Hash: 490ffde09bfcbb988d4b6b8e85d853c254a7b6d763ca68262fef91c207acda70
Instruction Fuzzy Hash: 2231C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007365 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Delete], xrefs: 10007367
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Delete]
API String ID: 783433895-1730770369
Opcode ID: 400296010eaf9738d0fbc21618fd4f91ee1e467b3b431434bb3075d31a3e91e2
Instruction ID: bb44ce128919629e04e34867fdffb35d74004a6f3688c35cfe140960795f1254
Opcode Fuzzy Hash: 400296010eaf9738d0fbc21618fd4f91ee1e467b3b431434bb3075d31a3e91e2
Instruction Fuzzy Hash: 5C31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007376 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Arrow Down], xrefs: 10007378
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Arrow Down]
API String ID: 783433895-3022692989
Opcode ID: f45b26b29b61d5e51fb90bdc8d895315599a8a53428478e9d688cd7bca0c64de
Instruction ID: 02fcabc6e8f29592f11b422fe8cf2b1af30d8c93f08c5ed3910a1be214322d5a
Opcode Fuzzy Hash: f45b26b29b61d5e51fb90bdc8d895315599a8a53428478e9d688cd7bca0c64de
Instruction Fuzzy Hash: 9031BEB8B042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE458B61

Uniqueness

Uniqueness Score: -1.00%

Function 10007387 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886
[End], xrefs: 10007389

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[End]
API String ID: 783433895-3192008669
Opcode ID: 8be033b71e6cc91fa7183bd242525b69fd42a60ab2c77db8e333b15f6c02985c
Instruction ID: 877a2d7053b44eef148fc6c70e56ab44244d2a6eb94c84edd50b79bcd33e9510
Opcode Fuzzy Hash: 8be033b71e6cc91fa7183bd242525b69fd42a60ab2c77db8e333b15f6c02985c
Instruction Fuzzy Hash: C431C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A6F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007398 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[F1], xrefs: 1000739A
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F1]
API String ID: 783433895-641059523
Opcode ID: 64e4913f7c88e1f6cf871e329d884627882b20964cb17dd16a0edd8879f2af3b
Instruction ID: 59f01fadd6c1986280f76c7ec94e26e07e8e794a631d308a07038ad1fc5cdc92
Opcode Fuzzy Hash: 64e4913f7c88e1f6cf871e329d884627882b20964cb17dd16a0edd8879f2af3b
Instruction Fuzzy Hash: 4231C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100073A9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[F10], xrefs: 100073AB
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F10]
API String ID: 783433895-364933614
Opcode ID: 9f166c72ca3fb3b12034e07594ffb6c51ca785a8f37ad7b268c171178664f28e
Instruction ID: 4cdd846a56abf61bb4e4c6fde4f6555a2bc56d43735489f94f76061a9b7946e9
Opcode Fuzzy Hash: 9f166c72ca3fb3b12034e07594ffb6c51ca785a8f37ad7b268c171178664f28e
Instruction Fuzzy Hash: 5931C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F6489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100073BA Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[F11], xrefs: 100073BC
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F11]
API String ID: 783433895-215695535
Opcode ID: ea95564da9a66dc7470533b2786a86451c8797b2579bdf17ac1d53f73ee1c4ab
Instruction ID: ab767402ff5a0ef776935679cf191d8ea99af36a4d9809d38744d6a7013e6ded
Opcode Fuzzy Hash: ea95564da9a66dc7470533b2786a86451c8797b2579bdf17ac1d53f73ee1c4ab
Instruction Fuzzy Hash: 8C31C0B8F042545BF722DB658C85B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100073CB Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[F12], xrefs: 100073CD
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F12]
API String ID: 783433895-670438252
Opcode ID: 0c12ee716339a32b888c429408e51ea20923bef0f46d25eede9ce57d1a8b8c38
Instruction ID: 79f6c1988ebe657b0a26f0600b493b9fd807da5f9602e5f532d1718735006c02
Opcode Fuzzy Hash: 0c12ee716339a32b888c429408e51ea20923bef0f46d25eede9ce57d1a8b8c38
Instruction Fuzzy Hash: 0D31C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECAB8EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100073DC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886
[F13], xrefs: 100073DE

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F13]
API String ID: 783433895-1055728173
Opcode ID: 55794011ea89da0739b276c20e738cabb44d155302fcc1f045d1e4b9aea512c3
Instruction ID: 7717c9acb7a48c1fd9aa5c525c440081627dfa369ae28c64501c57b8f83c06ce
Opcode Fuzzy Hash: 55794011ea89da0739b276c20e738cabb44d155302fcc1f045d1e4b9aea512c3
Instruction Fuzzy Hash: 0131C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A6F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100073ED Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[F14], xrefs: 100073EF
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F14]
API String ID: 783433895-1907143914
Opcode ID: 203ad46c11f461d6459dc7cfca51af08d8e7ecda52987724564deb56dbc02e20
Instruction ID: 7a25b7b709d0a6fd19846fba783c816f7393c35fd42baf023038af521e89d6ec
Opcode Fuzzy Hash: 203ad46c11f461d6459dc7cfca51af08d8e7ecda52987724564deb56dbc02e20
Instruction Fuzzy Hash: 6831C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100073FE Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[F15], xrefs: 10007400
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F15]
API String ID: 783433895-1756857771
Opcode ID: f8b9d19cacf00eabcfa74d6abe32546b7e715af37a9aab5616ce0c298a08cd1d
Instruction ID: a3abf2809a5496e46b19b8e66a7b892f1753b03d83a72077e8ed13536b214ed3
Opcode Fuzzy Hash: f8b9d19cacf00eabcfa74d6abe32546b7e715af37a9aab5616ce0c298a08cd1d
Instruction Fuzzy Hash: 9531C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECAB8EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000740F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[F16], xrefs: 10007411
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F16]
API String ID: 783433895-1134220904
Opcode ID: 8801c05138b566acd2804adc7f16252f9de8661d5aa877f6d0b8586ef6fde810
Instruction ID: 9ded0a974e7829e14449a0db8178bd5f1510f0ab5ff1090cc1a9a41416e86c25
Opcode Fuzzy Hash: 8801c05138b566acd2804adc7f16252f9de8661d5aa877f6d0b8586ef6fde810
Instruction Fuzzy Hash: 2831C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007420 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[F17], xrefs: 10007422
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F17]
API String ID: 783433895-1518462761
Opcode ID: 89e69890d16f782e70caca9f1ed976a7ef2713fc690923ff71a1332dafe3380d
Instruction ID: 2ed4a8681e7407375f66ccd48db4609f3149d056e008a571d680b5df1c264ba8
Opcode Fuzzy Hash: 89e69890d16f782e70caca9f1ed976a7ef2713fc690923ff71a1332dafe3380d
Instruction Fuzzy Hash: 8231C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007431 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[F18], xrefs: 10007433
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F18]
API String ID: 783433895-3709467622
Opcode ID: 6d6948c150d618c0e6ff589f068a60c306c83d8aae76315f58b2b8978f8f552d
Instruction ID: 149d1606a04f5e631dce96eb90406079d1e697c39fef19b4217db4c894f8743d
Opcode Fuzzy Hash: 6d6948c150d618c0e6ff589f068a60c306c83d8aae76315f58b2b8978f8f552d
Instruction Fuzzy Hash: 2C31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C4A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007442 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[F19], xrefs: 10007444
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F19]
API String ID: 783433895-3288517287
Opcode ID: fdf93db7dfc6a872f4b4257a607c2791a5697a33a6d87c52e9f2c4f7bf3239d7
Instruction ID: c1d88a8a83b3fff2f0a92d393676b3d9be71f05b44633e1edb0896168ba610e4
Opcode Fuzzy Hash: fdf93db7dfc6a872f4b4257a607c2791a5697a33a6d87c52e9f2c4f7bf3239d7
Instruction Fuzzy Hash: 6F31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A6F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007453 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[F2], xrefs: 10007455
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F2]
API String ID: 783433895-219715840
Opcode ID: bc4e0beed6f5971c97352df3017e66fb88d969414a5b5ea74617967ef4fb9ef4
Instruction ID: b16667c500a8f6aee4ba6b3ba7482377eae1e2be3dd1480aee087fcb1cdc840b
Opcode Fuzzy Hash: bc4e0beed6f5971c97352df3017e66fb88d969414a5b5ea74617967ef4fb9ef4
Instruction Fuzzy Hash: D931C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007464 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[F20], xrefs: 10007466
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F20]
API String ID: 783433895-394710967
Opcode ID: 6d471ac1e053abb11c3b1d7b11cba9aa75bbbea4d48d7b348b99f179170ee903
Instruction ID: a680e9b239fa0aebbd035ce6a985e10c990f55e2f26307f0e1286ccc6e1c0c6e
Opcode Fuzzy Hash: 6d471ac1e053abb11c3b1d7b11cba9aa75bbbea4d48d7b348b99f179170ee903
Instruction Fuzzy Hash: D331C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F6489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007475 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[F21], xrefs: 10007477
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F21]
API String ID: 783433895-245235446
Opcode ID: a583e5d24fb749a61087f2418aa3365330e5370283494b596e987e39d4a65dac
Instruction ID: 510fef3e6fa0df149ae542c76aa25a181dcf5755431cbbb85e5b1cc66d8b058e
Opcode Fuzzy Hash: a583e5d24fb749a61087f2418aa3365330e5370283494b596e987e39d4a65dac
Instruction Fuzzy Hash: A131BEB8B042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE458B61

Uniqueness

Uniqueness Score: -1.00%

Function 10007486 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[F22], xrefs: 10007488
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F22]
API String ID: 783433895-632335669
Opcode ID: 538fe9a1677a7cf68954d1a7aa096ae76dd59aeb88e8845f61bacfcf84bd100c
Instruction ID: 90321dbe446a42362a2d965519f54d3763325675bd58b520da20de7a1a4fc573
Opcode Fuzzy Hash: 538fe9a1677a7cf68954d1a7aa096ae76dd59aeb88e8845f61bacfcf84bd100c
Instruction Fuzzy Hash: 0931C0B8F042545BF722CB658C85B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007497 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[F23], xrefs: 10007499
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F23]
API String ID: 783433895-1017879668
Opcode ID: ef35aa9342167d40ef5d6cda57461785793fe1f05099ee63a642656f0a901aee
Instruction ID: 28673ba874af58d34bd6c2be020580e78fa885bb135c4682ba041cb78c112e65
Opcode Fuzzy Hash: ef35aa9342167d40ef5d6cda57461785793fe1f05099ee63a642656f0a901aee
Instruction Fuzzy Hash: 3631C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100074A8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[F24], xrefs: 100074AA
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F24]
API String ID: 783433895-1944718003
Opcode ID: 665d1b7efd069a3ae324f5ec22a3b3878916ac6c883f3f9a389a2f470a77c692
Instruction ID: c4be0e32e04de120a2cca3183412b642890461deb7d46080007a753c2659c191
Opcode Fuzzy Hash: 665d1b7efd069a3ae324f5ec22a3b3878916ac6c883f3f9a389a2f470a77c692
Instruction Fuzzy Hash: 7C31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100074B9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[F3], xrefs: 100074BB
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F3]
API String ID: 783433895-335784001
Opcode ID: 80c9ce260dae226eb44177270cdbf564c4ea894a5715ee9831f10be66ef7018d
Instruction ID: 5ffa793185ddc03e6bd9b518dcc1c3a840d5d258ef7404ebf5977b295413e047
Opcode Fuzzy Hash: 80c9ce260dae226eb44177270cdbf564c4ea894a5715ee9831f10be66ef7018d
Instruction Fuzzy Hash: 3031BEB8B042545BF722CB658C45B9F73A9FB882C0F50C0A5F6489720ECA78EE458B61

Uniqueness

Uniqueness Score: -1.00%

Function 100074CA Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[F4], xrefs: 100074CC
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F4]
API String ID: 783433895-1531068038
Opcode ID: 6d9a0e9fbebd9a50c8bcb9db2712b1e2ac49f4d56deef2cfada9a671fa5fc202
Instruction ID: 257b764002efa9c4341bee291622735cee0b2dcf4ecee3ad542065e968f39148
Opcode Fuzzy Hash: 6d9a0e9fbebd9a50c8bcb9db2712b1e2ac49f4d56deef2cfada9a671fa5fc202
Instruction Fuzzy Hash: 5D31C0B8F042545BF722CB658C85B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100074DB Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[F5], xrefs: 100074DD
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F5]
API String ID: 783433895-1113132999
Opcode ID: f81663136670eefa6b559e0c3c47de8a84feb9d0a987ea63e8a80dbafee9e838
Instruction ID: e633cb04462a412f5613c9ae028300c402083a262aa70dec723c73e3e1fc98dc
Opcode Fuzzy Hash: f81663136670eefa6b559e0c3c47de8a84feb9d0a987ea63e8a80dbafee9e838
Instruction Fuzzy Hash: 8131C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100074EC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[F6], xrefs: 100074EE
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F6]
API String ID: 783433895-1769233412
Opcode ID: de0a920129dad26d8c4fe0b58c73f8f855b5dba485b07b544234d7fa5c6e68d1
Instruction ID: 06c9bff7c49a7ca2c2341c9269cfae46da6e7e947720c8e577cceb00dd52d8a3
Opcode Fuzzy Hash: de0a920129dad26d8c4fe0b58c73f8f855b5dba485b07b544234d7fa5c6e68d1
Instruction Fuzzy Hash: 9F31C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100074FD Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[F7], xrefs: 100074FF
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F7]
API String ID: 783433895-1886350661
Opcode ID: 345da217220ec433c981a36fa361fc3ad81173d5edecf30b3bf0f3c1a6518443
Instruction ID: 73602d54f96144a7c61c9f0aea61f9d03e1029ed712db4d82cb90836cee0ee4d
Opcode Fuzzy Hash: 345da217220ec433c981a36fa361fc3ad81173d5edecf30b3bf0f3c1a6518443
Instruction Fuzzy Hash: 7E31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000750E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[F8], xrefs: 10007510
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F8]
API String ID: 783433895-4160188810
Opcode ID: 269bc51cce26e08b7987e5e807f60e6eca6bbb1954024bbcceed0e0ae58e0d67
Instruction ID: f8e9f27ca4e45bd5c8ec38f2eac8d4937add76fc56490cf5c4d7db7a8d0d77db
Opcode Fuzzy Hash: 269bc51cce26e08b7987e5e807f60e6eca6bbb1954024bbcceed0e0ae58e0d67
Instruction Fuzzy Hash: 6031C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECAB8EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000751F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[F9], xrefs: 10007521
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[F9]
API String ID: 783433895-4008460491
Opcode ID: 444f65efb271440691118d92cbb22e99e4c9ae094b7b34bc2ed2fe1424e09415
Instruction ID: 38b91922dc69364cef5aea0e1c7caf2c8941d83122a4e84074c5e0a9e1d120e7
Opcode Fuzzy Hash: 444f65efb271440691118d92cbb22e99e4c9ae094b7b34bc2ed2fe1424e09415
Instruction Fuzzy Hash: 7931C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A6F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007530 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Help], xrefs: 10007532
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Help]
API String ID: 783433895-1051485797
Opcode ID: ced4cd071d1595dfe819caa796369f839c5973703fb59967c5cdb73c5bd85563
Instruction ID: f0b57f7016c57c8c20a1b9935e52d223e1421e2fc95fd17f59aa325daa1d6166
Opcode Fuzzy Hash: ced4cd071d1595dfe819caa796369f839c5973703fb59967c5cdb73c5bd85563
Instruction Fuzzy Hash: 6531C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A6F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007541 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886
[Home], xrefs: 10007543

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Home]
API String ID: 783433895-1734740514
Opcode ID: 9ec5ab9d4604e29abd3d62d3fd543d6ce600cb0c2aac55af5353df70f8432c9f
Instruction ID: 9b7988cd9c8808cb16b3aff513ce4990ca071120e42acbfc5b27312343c6384a
Opcode Fuzzy Hash: 9ec5ab9d4604e29abd3d62d3fd543d6ce600cb0c2aac55af5353df70f8432c9f
Instruction Fuzzy Hash: 5431B0B8B042545BF722C7658C45B9F73A9FB882C0F50C0A5B5489720ECA78EE45C761

Uniqueness

Uniqueness Score: -1.00%

Function 10007552 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Insert], xrefs: 10007554
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Insert]
API String ID: 783433895-3655187251
Opcode ID: 9d60750e0895b90f1793ccffef72419a008b73ac973bbf6264f6d5eda5d9540b
Instruction ID: 57a58e9cbdcce06a745c8a6e1d46379205d73043c2f41df68cb32627f3cbbbdd
Opcode Fuzzy Hash: 9d60750e0895b90f1793ccffef72419a008b73ac973bbf6264f6d5eda5d9540b
Instruction Fuzzy Hash: 4831BEB8F042545BF722CB658C45B9F73A9FB882C0F50C0A6B5489720ECA78EE458B61

Uniqueness

Uniqueness Score: -1.00%

Function 10007563 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Mail], xrefs: 10007565
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Mail]
API String ID: 783433895-2576540148
Opcode ID: 894362c06f24928aebacecf1c1ea633ebd1172f8d8f33313dcf1344a25e01b1e
Instruction ID: fbc98f99418ed78a52aeb1d89c1fb141902b9a4107213f6ffe6694a7e55c15de
Opcode Fuzzy Hash: 894362c06f24928aebacecf1c1ea633ebd1172f8d8f33313dcf1344a25e01b1e
Instruction Fuzzy Hash: BC31C2B8F042545BF722C7658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45C761

Uniqueness

Uniqueness Score: -1.00%

Function 10007574 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Media], xrefs: 10007576
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Media]
API String ID: 783433895-256090921
Opcode ID: 1e0823390995c0d7b20590a1ed7fc42133228cec3a3e15fac83785cecb6d023e
Instruction ID: 1d6d8283b16d110cfc78ae97d037f546bcd25651ecbbde41830c0a0e15c384cb
Opcode Fuzzy Hash: 1e0823390995c0d7b20590a1ed7fc42133228cec3a3e15fac83785cecb6d023e
Instruction Fuzzy Hash: AE31C2B8F042545BF722C7658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45C761

Uniqueness

Uniqueness Score: -1.00%

Function 10007585 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Left Ctrl], xrefs: 10007587
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Left Ctrl]
API String ID: 783433895-3005955766
Opcode ID: 6e196f45300483c3a4ae03fa75a33ab96228d6b58ef24f6c2d519915bf58e4fe
Instruction ID: 28846d815b0a88ec7f80af092469e54f7a14a72bd487e43e72f76064ef582a80
Opcode Fuzzy Hash: 6e196f45300483c3a4ae03fa75a33ab96228d6b58ef24f6c2d519915bf58e4fe
Instruction Fuzzy Hash: E731BEB8F042545BF722CB658C45B9F73A9FB882C0F50C0A6B5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007596 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Arrow Left], xrefs: 10007598
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Arrow Left]
API String ID: 783433895-1177434692
Opcode ID: 5da1957fa9e9ca11a06898b52d5d6c0a4425c8685ea52a547f580b048b1913c6
Instruction ID: 960f23aa8f43220be064e63a19ba5b46ed73888c7d640a2a7c440eaac0204f03
Opcode Fuzzy Hash: 5da1957fa9e9ca11a06898b52d5d6c0a4425c8685ea52a547f580b048b1913c6
Instruction Fuzzy Hash: 5A31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A6F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100075A7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Left Alt], xrefs: 100075A9
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Left Alt]
API String ID: 783433895-4254496124
Opcode ID: 2cec1b9318e2d2c86633c5b15370c804d0d016b88f7532adb9ff4300fb6f5750
Instruction ID: 3f3db3c1f6d446afdc82a05f0a05d26ced4366bb5cd4d0252c92c5b85f9850ca
Opcode Fuzzy Hash: 2cec1b9318e2d2c86633c5b15370c804d0d016b88f7532adb9ff4300fb6f5750
Instruction Fuzzy Hash: DA31B0B8B042545BF722C7658C45B9F73A9FB882C0F50C0A5B5489720ECA78EE458761

Uniqueness

Uniqueness Score: -1.00%

Function 100075B8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Next Track], xrefs: 100075BA
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Next Track]
API String ID: 783433895-2289579739
Opcode ID: 4bb0c2166a23f48689fc7f19d14cbfaf811bbbb3efc322fb13dea8c573a2909b
Instruction ID: d5362d4f7291d6c897a022562f4ff387a401af9e6337d31ccc62730f376386c9
Opcode Fuzzy Hash: 4bb0c2166a23f48689fc7f19d14cbfaf811bbbb3efc322fb13dea8c573a2909b
Instruction Fuzzy Hash: 8731C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A6F5489724ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100075C9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Play / Pause], xrefs: 100075CB
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Play / Pause]
API String ID: 783433895-1618082066
Opcode ID: 574edec8092f91f95576e93fb39d4c139960eca42ee1905eafac8136fd6412dc
Instruction ID: 996c3445bb2b0b98ef0d408312881446d9d9f055120b4c6d947ec6de027f53a4
Opcode Fuzzy Hash: 574edec8092f91f95576e93fb39d4c139960eca42ee1905eafac8136fd6412dc
Instruction Fuzzy Hash: 6631C2B8F042545BF722D7658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45C761

Uniqueness

Uniqueness Score: -1.00%

Function 100075DA Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Previous Track], xrefs: 100075DC
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Previous Track]
API String ID: 783433895-3210990766
Opcode ID: ae1fa225a0918d02fcfd180ec664d208efe1b38483678a19622561ea0e0a9972
Instruction ID: 497027ec4e24f1f338977bd459717c223580bce7c7b0098a339831e971cc0eb2
Opcode Fuzzy Hash: ae1fa225a0918d02fcfd180ec664d208efe1b38483678a19622561ea0e0a9972
Instruction Fuzzy Hash: E131C2B8F042545BF722C7658C45B9F73A9FB892C0F50C0A5F5489724ECA78EE45C761

Uniqueness

Uniqueness Score: -1.00%

Function 100075EB Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Stop], xrefs: 100075ED
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Stop]
API String ID: 783433895-3279900245
Opcode ID: 57c83d590c1141da6764717a6adadb01255764739223c7300deac7d1602d8fdb
Instruction ID: 5922670b37668e1b016a45364b7f0f1fd26dfdd2ab1d479554ab01751d872b69
Opcode Fuzzy Hash: 57c83d590c1141da6764717a6adadb01255764739223c7300deac7d1602d8fdb
Instruction Fuzzy Hash: 3531BEB8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE458B61

Uniqueness

Uniqueness Score: -1.00%

Function 100075FC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Mode Change], xrefs: 100075FE
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Mode Change]
API String ID: 783433895-697438833
Opcode ID: 951490631784bd0ba326a047b941ed8099158b17901292eede5ad9bfe8389a96
Instruction ID: fde19adec7dbaa11acaab95407c7a091db194ab80798eb66de65d17821cfaf80
Opcode Fuzzy Hash: 951490631784bd0ba326a047b941ed8099158b17901292eede5ad9bfe8389a96
Instruction Fuzzy Hash: E631C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F6489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000760D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Page Down], xrefs: 1000760F
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Page Down]
API String ID: 783433895-3750966751
Opcode ID: 90d8874289e11761f89f11684cbec7ed874ee66b227f605c1b29b6e1100aa61f
Instruction ID: 2fd29d5386bce6dd60f48b13cf1f1d6e541de4379b2d15e3869f5661c23656ba
Opcode Fuzzy Hash: 90d8874289e11761f89f11684cbec7ed874ee66b227f605c1b29b6e1100aa61f
Instruction Fuzzy Hash: CC31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000761E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Num Lock], xrefs: 10007620
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Num Lock]
API String ID: 783433895-3773462824
Opcode ID: 1422f95064fd9bc28c63e91cd01088c80977b6f7f954c3e9b92471192964d997
Instruction ID: b38ecb3cb3baf4de96862ef28da595c431d1415fe82338e8afeba86307a38cc0
Opcode Fuzzy Hash: 1422f95064fd9bc28c63e91cd01088c80977b6f7f954c3e9b92471192964d997
Instruction Fuzzy Hash: 1431C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000762F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Pause], xrefs: 10007631
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Pause]
API String ID: 783433895-3639855092
Opcode ID: 3ddccb20161475669b32e0ed3f5f6986b7ff8bc474ac456663870ed987cadc77
Instruction ID: f377d357f69d7f331ddfabdbfb855c93a3b8fb647f7e8fffab3015d3f91a404c
Opcode Fuzzy Hash: 3ddccb20161475669b32e0ed3f5f6986b7ff8bc474ac456663870ed987cadc77
Instruction Fuzzy Hash: 6231C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F6489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007640 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Print], xrefs: 10007642
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Print]
API String ID: 783433895-2723926450
Opcode ID: 71e1bbc33dcade09357cc993f120fda1afbf8fb62500d9a110b3f8fbfb4a5a8d
Instruction ID: 24b1e428621fc0ddc22d7c61b343553baf738b43ed31914f1cc8e82f23897795
Opcode Fuzzy Hash: 71e1bbc33dcade09357cc993f120fda1afbf8fb62500d9a110b3f8fbfb4a5a8d
Instruction Fuzzy Hash: 8731C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007651 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Page Up], xrefs: 10007653
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Page Up]
API String ID: 783433895-227267868
Opcode ID: ed868094e9fb9788b0736906f1eab0e99cfbf2a70a189b7d5b275534b12506be
Instruction ID: d1f179d62c1294aab4835214f7be03122cb2be3f790280f2a5ffd5127ba462cb
Opcode Fuzzy Hash: ed868094e9fb9788b0736906f1eab0e99cfbf2a70a189b7d5b275534b12506be
Instruction Fuzzy Hash: 0331C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007662 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Right Ctrl], xrefs: 10007664
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Right Ctrl]
API String ID: 783433895-2161099509
Opcode ID: 37b88f1e4698b1e3016850942fdcabb82c0df24804045081dcb261375e4b9424
Instruction ID: 8e6155c5c846e0b52aba043055f7dd5c5d9cb4f960ca40d31a8d32a727805560
Opcode Fuzzy Hash: 37b88f1e4698b1e3016850942fdcabb82c0df24804045081dcb261375e4b9424
Instruction Fuzzy Hash: A631C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007670 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Arrow Right], xrefs: 10007672
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Arrow Right]
API String ID: 783433895-2747614471
Opcode ID: aca24b8e51f7e3e1dab343980e379713395e851feaea9de910577454060b53af
Instruction ID: d55769cdf0c3d80231fc2ac86e76adf7b4e32c99f9af14db686804d95fffef21
Opcode Fuzzy Hash: aca24b8e51f7e3e1dab343980e379713395e851feaea9de910577454060b53af
Instruction Fuzzy Hash: 3931C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489B24ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000767E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Right Alt], xrefs: 10007680
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Right Alt]
API String ID: 783433895-444060433
Opcode ID: d9417e567954be7a013c4a1f352142b679dc3c107156d497e706b0c1705b6daf
Instruction ID: afd7f63f49bfae50f92b7a44b0612bc8afbb30cc7fb8ea37a6cc1a6026fb1e9c
Opcode Fuzzy Hash: d9417e567954be7a013c4a1f352142b679dc3c107156d497e706b0c1705b6daf
Instruction Fuzzy Hash: 4231C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489724ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000768C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Scrol Lock], xrefs: 1000768E
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Scrol Lock]
API String ID: 783433895-3106752957
Opcode ID: 7d739420cde52f5cdf23b0552a77265f6848328848d1a0f3863d68950f1cd5c9
Instruction ID: 538bcb97e9cdfd1a49afb72e3ad707114e7046f27a94ba55a28649c3e7b83c1d
Opcode Fuzzy Hash: 7d739420cde52f5cdf23b0552a77265f6848328848d1a0f3863d68950f1cd5c9
Instruction Fuzzy Hash: 7031C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000769A Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Sleep], xrefs: 1000769C
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Sleep]
API String ID: 783433895-3656392610
Opcode ID: 4f42286bcb9d2d57705b4f68fa1ae7d45a5f494e57315e7dc3e0b652194aa4b2
Instruction ID: 0f1bd7a52d7bab131bf13330daa87dc6c7aebe1a4c65384e0524c1501f8f18d4
Opcode Fuzzy Hash: 4f42286bcb9d2d57705b4f68fa1ae7d45a5f494e57315e7dc3e0b652194aa4b2
Instruction Fuzzy Hash: A031C2B8F042545BF722C7658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45C761

Uniqueness

Uniqueness Score: -1.00%

Function 100076A8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Print Screen], xrefs: 100076AA
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Print Screen]
API String ID: 783433895-3743399299
Opcode ID: 1ddbb06d12cae7f61712b76396317ea06106a7346feb82e8f9531a385193e155
Instruction ID: ab27b4f068ad1f5cf43c9d8905a98d245769d77d18c34ebd10b41bde0b20419d
Opcode Fuzzy Hash: 1ddbb06d12cae7f61712b76396317ea06106a7346feb82e8f9531a385193e155
Instruction Fuzzy Hash: 8231C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489724ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100076B6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Arrow Up], xrefs: 100076B8
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Arrow Up]
API String ID: 783433895-3327686714
Opcode ID: 83203669f0511a29086e5a836e6f4c0065e3a22eefa3cde518e48db2ad99b6a3
Instruction ID: b80a0d9e46f3fa67cf2931779c914642823d7e923a8a23d77be412dba9eacf16
Opcode Fuzzy Hash: 83203669f0511a29086e5a836e6f4c0065e3a22eefa3cde518e48db2ad99b6a3
Instruction Fuzzy Hash: 8631C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100076C4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Volume Down], xrefs: 100076C6
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Volume Down]
API String ID: 783433895-1488893751
Opcode ID: 304b93c83e960425b2644ed9c30a8069e95f38cdf27668f700968b4d8be163ed
Instruction ID: 36b4c4fc11892ac8fc2660bbf295ac53e9d52ac89c47b39cb3f3571394c4b765
Opcode Fuzzy Hash: 304b93c83e960425b2644ed9c30a8069e95f38cdf27668f700968b4d8be163ed
Instruction Fuzzy Hash: 4D31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489724ECAB8EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100076D2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
[Volume Mute], xrefs: 100076D4
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Volume Mute]
API String ID: 783433895-2344092975
Opcode ID: 455afcd6e3832ca7b84d94a3bb7d8776a597c069f1cf387fb9e20d828b192e7e
Instruction ID: 16984cad3dea769ffc9e719f0c3c6e6ae58df65779da4dd1961d81e5b5ee2c4d
Opcode Fuzzy Hash: 455afcd6e3832ca7b84d94a3bb7d8776a597c069f1cf387fb9e20d828b192e7e
Instruction Fuzzy Hash: 1231C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489724ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100076E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 96keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

[Volume Up], xrefs: 100076E2
Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad$[Volume Up]
API String ID: 783433895-1130620078
Opcode ID: 1396860a42cb380e9acc2e04de6d3966a62f39ee4fc40e43a8010b9064b996bb
Instruction ID: 44a22ba6fee8b4e9f78c922aeec61573fdb0a25af906651eec748b7687c73eda
Opcode Fuzzy Hash: 1396860a42cb380e9acc2e04de6d3966a62f39ee4fc40e43a8010b9064b996bb
Instruction Fuzzy Hash: A131C0B8B042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489724ECA78EE458761

Uniqueness

Uniqueness Score: -1.00%

Function 1000280C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 1000282E
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,1000287D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 10002861
RegCloseKey.ADVAPI32(?,10002884,00000000,?,00000004,00000000,1000287D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 10002877

Strings

FPUMaskValue, xrefs: 10002858
SOFTWARE\Borland\Delphi\RTL, xrefs: 10002824

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 2de27d201efc82a7483fe1fc3ca906961f394501151e49489695f63c5642027c
Instruction ID: 58881b6b02d8723bd0b6b44eaf0a35f8982818fe5ca11f09a28713a058d90beb
Opcode Fuzzy Hash: 2de27d201efc82a7483fe1fc3ca906961f394501151e49489695f63c5642027c
Instruction Fuzzy Hash: 7501F77D900249BAFB15DBA0CC42FE9B3BCEB08780F5040A1FB00E7598EB70AA50D765

Uniqueness

Uniqueness Score: -1.00%

Function 1000711C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode
String ID: KeyDelBackspace$Numpad
API String ID: 470584828-3409537306
Opcode ID: d00852749f0fa98736970e4bd149b739843efba6f4ddf0c6cc158de6b8264dba
Instruction ID: 149ee91c77b329ac99fc9af66e0b3d6a30fb45bb34e994fec82f682e2bcf3d65
Opcode Fuzzy Hash: d00852749f0fa98736970e4bd149b739843efba6f4ddf0c6cc158de6b8264dba
Instruction Fuzzy Hash: B43123B8F042545BF722D7648C85B9F73A9FF892C0F10C096F5489724ECA78AE49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100071AB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad
API String ID: 783433895-3409537306
Opcode ID: f7aef9f21616257945c88be8e333fc38432ac4e89a882b8b49a9e8d0194266b7
Instruction ID: b9b3ae13005e08ec592b66eecad70d017cc54a4a4b75dc847ff917e2bac9dbd1
Opcode Fuzzy Hash: f7aef9f21616257945c88be8e333fc38432ac4e89a882b8b49a9e8d0194266b7
Instruction Fuzzy Hash: DF31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100071BC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad
API String ID: 783433895-3409537306
Opcode ID: 4ab29850c5f1ea5968f8bdd8de0f37538667ca36111ee2f0d472207cb48857ef
Instruction ID: 3a51f266618fbb6b802821ae4c3cebfa16a004a881c451f646cc2ee8cf1695e6
Opcode Fuzzy Hash: 4ab29850c5f1ea5968f8bdd8de0f37538667ca36111ee2f0d472207cb48857ef
Instruction Fuzzy Hash: 1231C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100071CD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad
API String ID: 783433895-3409537306
Opcode ID: 60778e521d3828b1ac1843a7a9634b6a047fd589048255cd8357fb5c81321ec6
Instruction ID: 6a83edecdd09e7cf6567bb4e12f854a4e7878076b54641c7a23d56263201f881
Opcode Fuzzy Hash: 60778e521d3828b1ac1843a7a9634b6a047fd589048255cd8357fb5c81321ec6
Instruction Fuzzy Hash: 6C31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F6489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100071DE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad
API String ID: 783433895-3409537306
Opcode ID: f4a8bbbe697522b7cb839a06d61e9bc714ef5e6879113a86d806209f1cea9cc7
Instruction ID: b1ba141e3efd31ddec5efd417cab8458379c596905762369eb56fe309a4f9560
Opcode Fuzzy Hash: f4a8bbbe697522b7cb839a06d61e9bc714ef5e6879113a86d806209f1cea9cc7
Instruction Fuzzy Hash: CA31C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F6489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100071EF Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad
API String ID: 783433895-3409537306
Opcode ID: 39b03309cb925559adc94f9655e3a5a9f0f01a3343eadd4f371930683951da97
Instruction ID: 8aa69b91d737cd1935abe9d1b170b80890827fc85faedbd8b906090cccbd213a
Opcode Fuzzy Hash: 39b03309cb925559adc94f9655e3a5a9f0f01a3343eadd4f371930683951da97
Instruction Fuzzy Hash: EB31C2B8F042545BF722C7658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45C761

Uniqueness

Uniqueness Score: -1.00%

Function 10007200 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad
API String ID: 783433895-3409537306
Opcode ID: a162cc495929e47f1e2b8db7e60090edff99d25f5f2755788ca8ad98c3a46845
Instruction ID: da241092db117cf8670937f7e946dbca7f1b2fe6bc2353ea6322e4b84d0426b2
Opcode Fuzzy Hash: a162cc495929e47f1e2b8db7e60090edff99d25f5f2755788ca8ad98c3a46845
Instruction Fuzzy Hash: B031C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 10007211 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad
API String ID: 783433895-3409537306
Opcode ID: 6fb5cf8c127330519ac590d7b260d6f1972dd4d19386bf32214d38e0e73a7627
Instruction ID: 13d384bfb7d80fcaab74c7c21edcce233b970dd7a99a864e689220d7ee6072be
Opcode Fuzzy Hash: 6fb5cf8c127330519ac590d7b260d6f1972dd4d19386bf32214d38e0e73a7627
Instruction Fuzzy Hash: E831C0B8F042545BF722CB658C85B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007222 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad
API String ID: 783433895-3409537306
Opcode ID: b4064cf9196f1bd766f61690eec419dae147e0aac919e4e137b35742a66dca64
Instruction ID: bead1d8953916fe6a2caf6aa6abcbb8af6aaada5367ea8c14ed574beb6cc7c0d
Opcode Fuzzy Hash: b4064cf9196f1bd766f61690eec419dae147e0aac919e4e137b35742a66dca64
Instruction Fuzzy Hash: E631C0B8F042545BF722CB658C85B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007233 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad
API String ID: 783433895-3409537306
Opcode ID: ad526f3a44082b4da89a5289e758324e4cba0574a2e660b1230691faf556a316
Instruction ID: 311b08e60e3b521a7c3a0356ba3012efa993796664cd4508c3663b1c0811d3ac
Opcode Fuzzy Hash: ad526f3a44082b4da89a5289e758324e4cba0574a2e660b1230691faf556a316
Instruction Fuzzy Hash: 9131C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10007244 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad
API String ID: 783433895-3409537306
Opcode ID: 3018831f3d2d7d46207b6938651625027ba0aae8da63efaf5cfa44b6499e9dc2
Instruction ID: 74b2e92b555be62d4c67bea0bf12e908dc11cad6fd28d16d482c19b7e5004677
Opcode Fuzzy Hash: 3018831f3d2d7d46207b6938651625027ba0aae8da63efaf5cfa44b6499e9dc2
Instruction Fuzzy Hash: 9B31C0B8F042545BF722DB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100072BB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad
API String ID: 783433895-3409537306
Opcode ID: 58d40c07809cf6c1f88f00f7cd4d01a1027e2dbe51f130ce30c58b48c389b237
Instruction ID: 033e83d321774fcd4bda94542bc8b64ee5515bfb92d199e6e3b91a957bdcd820
Opcode Fuzzy Hash: 58d40c07809cf6c1f88f00f7cd4d01a1027e2dbe51f130ce30c58b48c389b237
Instruction Fuzzy Hash: 0831C0B8F042545BF722CB658C45B9F73A9FB882C0F50C0A5F5489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100072EE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 100037AC: SysReAllocStringLen.OLEAUT32(1000D0D0,1000CFDC,00000002), ref: 100037C2

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 10007754
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 100077F8
MapVirtualKeyW.USER32(0000006E,00000001), ref: 1000784E
MapVirtualKeyW.USER32(0000006E,00000001), ref: 10007871
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 10007879

Strings

Numpad, xrefs: 10007712
KeyDelBackspace, xrefs: 10007722, 10007886

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Unicode$Virtual$AllocString
String ID: KeyDelBackspace$Numpad
API String ID: 783433895-3409537306
Opcode ID: aa20c933a58f2305242e8b78a34cde6f3360a0dc9dcf15ed5906f17daae1d160
Instruction ID: c55d23e60b6bc9fae09bc4a5971d47f8544ea9c2ea09269a4cd522e11abc3ca6
Opcode Fuzzy Hash: aa20c933a58f2305242e8b78a34cde6f3360a0dc9dcf15ed5906f17daae1d160
Instruction Fuzzy Hash: 5E31C0B8F042545BF722CB658C45B9F73A9FB892C0F50C0A5F6489720ECA78EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10009E6C Relevance: 6.4, Strings: 5, Instructions: 162COMMON

Download Yara Rule

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 10009EE7, 10009F21
StubPath, xrefs: 10009FC7
restart, xrefs: 10009F7F
%SERVER%, xrefs: 10009FFF
Software\Microsoft\Active Setup\Installed Components\, xrefs: 10009F5F, 10009FB7

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: CloseCreateFreeStringValue
String ID: restart$%SERVER%$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Run$StubPath
API String ID: 523044198-2142522223
Opcode ID: 364ad897bbca38481dd1a11b2b492bd1a693bcb91c63773ed721ecd4ba2295bf
Instruction ID: ccd5ba8bb55e14e3b401f0629b5d5422583a699d941ac8acb34279bb9c56e552
Opcode Fuzzy Hash: 364ad897bbca38481dd1a11b2b492bd1a693bcb91c63773ed721ecd4ba2295bf
Instruction Fuzzy Hash: A4619438A0415D9FEB25C750C881BDEB3BEEF45380F8081D6A908A768ADB756F85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 10009E70 Relevance: 6.4, Strings: 5, Instructions: 160COMMON

Download Yara Rule

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 10009EE7, 10009F21
StubPath, xrefs: 10009FC7
restart, xrefs: 10009F7F
%SERVER%, xrefs: 10009FFF
Software\Microsoft\Active Setup\Installed Components\, xrefs: 10009F5F, 10009FB7

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: CloseCreateFreeStringValue
String ID: restart$%SERVER%$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Run$StubPath
API String ID: 523044198-2142522223
Opcode ID: 70bc63b1d7bf7f2434c0fd2a984a390c0a29f6a211df66fcb658c6ec4d215a6a
Instruction ID: 7bb9cab796adacb123c590501e10766ab110edc906df9b0df81ab3aad42e102a
Opcode Fuzzy Hash: 70bc63b1d7bf7f2434c0fd2a984a390c0a29f6a211df66fcb658c6ec4d215a6a
Instruction Fuzzy Hash: 23619438A0415D9BEB25C750C881BDEB3BEEF45380F8081D6A908A764ADB756F85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 10009E74 Relevance: 6.4, Strings: 5, Instructions: 158COMMON

Download Yara Rule

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 10009EE7, 10009F21
StubPath, xrefs: 10009FC7
restart, xrefs: 10009F7F
%SERVER%, xrefs: 10009FFF
Software\Microsoft\Active Setup\Installed Components\, xrefs: 10009F5F, 10009FB7

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: CloseCreateFreeStringValue
String ID: restart$%SERVER%$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Run$StubPath
API String ID: 523044198-2142522223
Opcode ID: 6a3a9802c04267f5677fb71fa8e26ddd48aad684d5027258f0195948b13e5c11
Instruction ID: 51db14d9a78096dfca6e0b2c0cac839b55e5a7d9a5be764b8c5632986f08cd1f
Opcode Fuzzy Hash: 6a3a9802c04267f5677fb71fa8e26ddd48aad684d5027258f0195948b13e5c11
Instruction Fuzzy Hash: B5619338A0415D9BEB15D750C841BDEB3BEEF45380F8081E6A908A7249DB75AF85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 10008270 Relevance: 6.3, Strings: 5, Instructions: 93COMMON

Download Yara Rule

Strings

, xrefs: 10008347
>, xrefs: 10008323
&, xrefs: 100082FF
<, xrefs: 10008311
", xrefs: 10008335

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID:
String ID: &$>$<$"$
API String ID: 0-2730314969
Opcode ID: 0cd1edd9943d5066e4ed9cbb4ed191d6f01f5bec750c3f69ea3f40f0141da2ec
Instruction ID: c2b4ba650b709cafa3e4efc2b6e91a51004f46039d2a3ae5a547a61f7c415082
Opcode Fuzzy Hash: 0cd1edd9943d5066e4ed9cbb4ed191d6f01f5bec750c3f69ea3f40f0141da2ec
Instruction Fuzzy Hash: 57314579A04189AFEF05DB94CC819DF77FDFB88680F509061F180A7209DA34AF028B65

Uniqueness

Uniqueness Score: -1.00%

Function 100099F8 Relevance: 6.3, APIs: 4, Instructions: 265fileCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000000,00000080), ref: 10009C28
CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,00000080), ref: 10009C70
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,00000000,00000000,00000000,00000000,00000080), ref: 10009D57
CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,00000080,?,?,?,?,00000000,00000000,00000000,00000000,00000080), ref: 10009D95

Part of subcall function 100053D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 10005406

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: File$AttributesCopy$DirectorySystem
String ID:
API String ID: 3443914049-0
Opcode ID: 8ffb02acb12784a8fca7f00c8f7b14851c1630e5a7bcf1fe24323b8a2b1ac29b
Instruction ID: 24b82f3418a54abe61ddf0e4c7a52c3359c66f211f63a1d8d7c84fd7e5013851
Opcode Fuzzy Hash: 8ffb02acb12784a8fca7f00c8f7b14851c1630e5a7bcf1fe24323b8a2b1ac29b
Instruction Fuzzy Hash: 02B12F3890455DDBEB21DB50CC81ADEB3B9EF803C1F4081E5A44AAB289DB71AF85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 10006510 Relevance: 6.1, APIs: 4, Instructions: 77registryCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 10006571
GetWindowRect.USER32 ref: 10006577
GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?), ref: 1000657E
RegisterClassW.USER32 ref: 1000658A

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Window$ClassDesktopHandleModuleRectRegister
String ID:
API String ID: 805957598-0
Opcode ID: a1c04505e5f5ba05ad93ee47a5be074ea14fb600836cbdd66e1b4b0242f25109
Instruction ID: fd61cd8fe43509876bed775ba568f59b673aa19b24296d0bc6aff4bc23203f03
Opcode Fuzzy Hash: a1c04505e5f5ba05ad93ee47a5be074ea14fb600836cbdd66e1b4b0242f25109
Instruction Fuzzy Hash: AB2147B1F44205AFEB50CFB8DC41B9FB7E6EB08291F108075F508EB285E97195048794

Uniqueness

Uniqueness Score: -1.00%

Function 1000ACD4 Relevance: 6.1, APIs: 4, Instructions: 59registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32 ref: 1000ACF5
UnregisterClassA.USER32 ref: 1000AD1E
RegisterClassA.USER32 ref: 1000AD28
SetWindowLongA.USER32 ref: 1000AD73

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 34ace1d3d250000ade5f731cbe714df2434c88e76e583f532eec8fd86c63c607
Instruction ID: a184255e0aa6b19b8a700ba1ba5d869a571dd8ac557c0204472f9db7938aee9a
Opcode Fuzzy Hash: 34ace1d3d250000ade5f731cbe714df2434c88e76e583f532eec8fd86c63c607
Instruction Fuzzy Hash: DE01C4716041146BFB40DBA8CC91FAE33ADE7193C1F004722F505E76ADCA76EC848790

Uniqueness

Uniqueness Score: -1.00%

Function 10001840 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(1000F5B8,00000000,100018F6,?,?,100020DA,1000F5F8,00000000,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 10001856
RtlEnterCriticalSection.KERNEL32(1000F5B8,1000F5B8,00000000,100018F6,?,?,100020DA,1000F5F8,00000000,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 10001869
LocalAlloc.KERNEL32(00000000,00000FF8,1000F5B8,00000000,100018F6,?,?,100020DA,1000F5F8,00000000,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 10001893
RtlLeaveCriticalSection.KERNEL32(1000F5B8,100018FD,00000000,100018F6,?,?,100020DA,1000F5F8,00000000,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 100018F0

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 5f07fa945b9f97fba898828a93f290c0886c6dfe5430a6f63fb956d26b2ed7b2
Instruction ID: dccb1d46fb8802896221657e2b19eaefe2a155e583b8e496b0545f4226b1fe46
Opcode Fuzzy Hash: 5f07fa945b9f97fba898828a93f290c0886c6dfe5430a6f63fb956d26b2ed7b2
Instruction Fuzzy Hash: 1101C0B49046909EF706DF688C417F83A95EB493C2F84807DE31086EAECF755541E715

Uniqueness

Uniqueness Score: -1.00%

Function 10005E30 Relevance: 6.0, APIs: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

Part of subcall function 10005CA4: FindFirstFileW.KERNEL32(00000000,?,00000000,1000D3CA,.cfg,?,?,00000002,?,80000001,00000000,00008007,00000000,1000D759), ref: 10005CAF
Part of subcall function 10005CA4: FindClose.KERNEL32(00000000,00000000,?,00000000,1000D3CA,.cfg,?,?,00000002,?,80000001,00000000,00008007,00000000,1000D759), ref: 10005CBC

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E67
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E71
ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E99
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10005E9F

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: File$CloseFind$CreateFirstHandleReadSize
String ID:
API String ID: 2300874643-0
Opcode ID: 82852cc2d8d25f5b7718ff9a34c6f0df449e81a1205941d0d4bd8c9d85c04275
Instruction ID: ec1664e735d5352034fe0f720539986a8c554a57553e37fb55f78792c2cbbe85
Opcode Fuzzy Hash: 82852cc2d8d25f5b7718ff9a34c6f0df449e81a1205941d0d4bd8c9d85c04275
Instruction Fuzzy Hash: 7701FBB4204300AFF750DF68DC82F5BB7D8DF48740F118929B6C8DB2D6EAB5A8408756

Uniqueness

Uniqueness Score: -1.00%

Function 1000CF04 Relevance: 6.0, APIs: 4, Instructions: 42fileCOMMON

Download Yara Rule

APIs

Part of subcall function 10005CA4: FindFirstFileW.KERNEL32(00000000,?,00000000,1000D3CA,.cfg,?,?,00000002,?,80000001,00000000,00008007,00000000,1000D759), ref: 10005CAF
Part of subcall function 10005CA4: FindClose.KERNEL32(00000000,00000000,?,00000000,1000D3CA,.cfg,?,?,00000002,?,80000001,00000000,00008007,00000000,1000D759), ref: 10005CBC

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 1000CF37
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 1000CF41
ReadFile.KERNEL32(00000000,10012588,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 1000CF5D
CloseHandle.KERNEL32(00000000,00000000,10012588,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 1000CF63

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: File$CloseFind$CreateFirstHandleReadSize
String ID:
API String ID: 2300874643-0
Opcode ID: ddf39b76d56c946fe45e4c4f9f5b41c086577163610c8dbb6f6595d30d890769
Instruction ID: 0a6ea64837ac90d6558c1ae8266d2dbde50220b88be3e9169680d92fb0307424
Opcode Fuzzy Hash: ddf39b76d56c946fe45e4c4f9f5b41c086577163610c8dbb6f6595d30d890769
Instruction Fuzzy Hash: 54F012B42443007EF710DB689CC2F5B77DDDF84790F118929B6889B2C6DAB5A8008756

Uniqueness

Uniqueness Score: -1.00%

Function 10006024 Relevance: 6.0, APIs: 4, Instructions: 23windowsleepCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 10006033
TranslateMessage.USER32 ref: 1000603F
DispatchMessageA.USER32 ref: 10006045
Sleep.KERNEL32(00000005,?,?,10006062), ref: 1000604C

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: Message$DispatchPeekSleepTranslate
String ID:
API String ID: 3768732053-0
Opcode ID: cdfd25f36f656fbcf1ff338a95777bde3114a2653ddc5fdf0504e6a1debc9aed
Instruction ID: b6454b735261936b655b95e10bb9b448ccac05162160f127df45d4e102083895
Opcode Fuzzy Hash: cdfd25f36f656fbcf1ff338a95777bde3114a2653ddc5fdf0504e6a1debc9aed
Instruction Fuzzy Hash: 8AD052B53C2A253AF520A1A00C83FAF004DCF02BC6F220030B700BA0CACE867C0102AE

Uniqueness

Uniqueness Score: -1.00%

Function 100020BC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(1000F5B8,00000000,u,?,1000F5F8,00000000,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 10002110
RtlLeaveCriticalSection.KERNEL32(1000F5B8,10002255,1000F5F8,00000000,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 10002248

Part of subcall function 10001840: RtlInitializeCriticalSection.KERNEL32(1000F5B8,00000000,100018F6,?,?,100020DA,1000F5F8,00000000,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 10001856
Part of subcall function 10001840: RtlEnterCriticalSection.KERNEL32(1000F5B8,1000F5B8,00000000,100018F6,?,?,100020DA,1000F5F8,00000000,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 10001869
Part of subcall function 10001840: LocalAlloc.KERNEL32(00000000,00000FF8,1000F5B8,00000000,100018F6,?,?,100020DA,1000F5F8,00000000,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 10001893
Part of subcall function 10001840: RtlLeaveCriticalSection.KERNEL32(1000F5B8,100018FD,00000000,100018F6,?,?,100020DA,1000F5F8,00000000,00000000,?,?,10001AC9,10001ADE,10001C2F), ref: 100018F0

Strings

u, xrefs: 100020F7

Memory Dump Source

Source File: 00000000.00000002.389752210.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.389735949.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389771171.000000001000E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389805329.0000000010044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389816427.0000000010047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389841317.000000001004A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389927958.0000000010058000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389934203.000000001005A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389980663.000000001006B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.389996603.0000000010079000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390000506.000000001007B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390008615.0000000010083000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gKi3fKq4Kh.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: u
API String ID: 2227675388-1454174257
Opcode ID: 0381b4d275836edba91e48a056a1c546f7dfe9bb6bc52416cd0fc2a3e6f7adc3
Instruction ID: 561d0a3fabbc271b0414227351a2afb4dd9cd87895bc161ef682a7dca5e6893d
Opcode Fuzzy Hash: 0381b4d275836edba91e48a056a1c546f7dfe9bb6bc52416cd0fc2a3e6f7adc3
Instruction Fuzzy Hash: 8E413436A04660EFF311CFA4CD897A937E5EB443D4F24812DEA0087ABEC7349884E701

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 6456, Parent PID: 2576COMMON

Executed Functions

Function 1000C9D0 Relevance: 21.5, Strings: 17, Instructions: 235COMMON

Download Yara Rule

Strings

open, xrefs: 1000CCDB
mpr.dll, xrefs: 1000CA12
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 1000CB32
StubPath, xrefs: 1000CC32
opengl32.dll, xrefs: 1000CA3A
comctl32.dll, xrefs: 1000CA26
version.dll, xrefs: 1000CA1C
user32.dll, xrefs: 1000CA44
Software\Microsoft\Active Setup\Installed Components\, xrefs: 1000CB55
advapi32.dll, xrefs: 1000C9F4
kernel32.dll, xrefs: 1000C9FE
msimg32.dll, xrefs: 1000CA58
SOFTWARE\, xrefs: 1000CA9B, 1000CAF1
wintrust.dll, xrefs: 1000CA4E
shell32.dll, xrefs: 1000CA08, 1000CA62
gdi32.dll, xrefs: 1000CA30
ServerName, xrefs: 1000CAB3, 1000CB09

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: SOFTWARE\$ServerName$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Run$StubPath$advapi32.dll$comctl32.dll$gdi32.dll$kernel32.dll$mpr.dll$msimg32.dll$open$opengl32.dll$shell32.dll$user32.dll$version.dll$wintrust.dll
API String ID: 0-1620131929
Opcode ID: 3f003b5c3092192cfd81708055f069769660bd1ffedbc504d52b734bcf9630d0
Instruction ID: 2f4b2620837c28cfdf5e49335ff29dada521f5c21c6ac21027946eb6f57ed48d
Opcode Fuzzy Hash: 3f003b5c3092192cfd81708055f069769660bd1ffedbc504d52b734bcf9630d0
Instruction Fuzzy Hash: 20911F78A4024DABFB01EBA4D882FDE7779EF442C1F118162F9046B28ECB75BD058765

Uniqueness

Uniqueness Score: -1.00%

Function 100034B0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70b2c41885a2b75705e30fc840686dfb1265623bc9199f295252585e81511e0
Instruction ID: 0d43bb01e54dc9b671ab70bbc6831eaed9bab68177c8673266180e336cb24133
Opcode Fuzzy Hash: f70b2c41885a2b75705e30fc840686dfb1265623bc9199f295252585e81511e0
Instruction Fuzzy Hash: 9211E135B0864657F323C969ACC086BA3CEDFC41E0B14C439B964C734ADEA9ED099241

Uniqueness

Uniqueness Score: -1.00%

Function 100014EC Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658d5346f56e2b90820d1a4238b762dd8e40d303793816f207723b6d5c2275ec
Instruction ID: 376a20137c8c7a1c0fe805d4ca5c7b4e53bfabd2decc6611af020c1a5c038b4e
Opcode Fuzzy Hash: 658d5346f56e2b90820d1a4238b762dd8e40d303793816f207723b6d5c2275ec
Instruction Fuzzy Hash: 42117076A05B029BE310DF19CC80A9AB7E1EBC47D2F15C52CE6894B759D630EC408A81

Uniqueness

Uniqueness Score: -1.00%

Function 10001358 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d51b0ecb197f6104a2e181751b16b33db407c9c73752bb5c84ac1d3e4f38b51
Instruction ID: a9c88282e432f8f48e60550f2442f7a71b9eebfe68f090cfd9eaf30bd27f6b92
Opcode Fuzzy Hash: 9d51b0ecb197f6104a2e181751b16b33db407c9c73752bb5c84ac1d3e4f38b51
Instruction Fuzzy Hash: 82F0A7B6B0062027F730C9694C81BCA66C5DF86BE1F154270FF48EF7CEDA619C0082A0

Uniqueness

Uniqueness Score: -1.00%

Function 100033C0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f526a8682a1746ab478b9ff0de63cbf056aa175396c796edc7b027d709aef71d
Instruction ID: c2faabbd69db4d94be3e596462244fa43c21c6edc70b3a96aead2daf1922e93e
Opcode Fuzzy Hash: f526a8682a1746ab478b9ff0de63cbf056aa175396c796edc7b027d709aef71d
Instruction Fuzzy Hash: 9EC012B22802083EF600CA88CC46FB3329CC348B80F008108F704CA180C0A1BC2046B8

Uniqueness

Uniqueness Score: -1.00%

Function 10004DF0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
Instruction ID: 5a3873c4f99191ebd0c5874248a48e85116967648e1c4cce01420d804b7247f1
Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
Instruction Fuzzy Hash: 20C012B71A024CAB8B00EEA9CC06D9B33DCAB28609B008825B928CB100C539E5909B60

Uniqueness

Uniqueness Score: -1.00%

Function 10003864 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bafc26852eecdc6c12b55ba738ab9fa026e6a82810d81ad4c3fd3d0f1dab815
Instruction ID: ca28794199431f72530e799d36250414a245c489da467331e40bdcc928d85e60
Opcode Fuzzy Hash: 8bafc26852eecdc6c12b55ba738ab9fa026e6a82810d81ad4c3fd3d0f1dab815
Instruction Fuzzy Hash: 6BC08CFC1052022CBF0AAB3148859BB639CEF801C13408068BA04C4008D634E8814020

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1000C080 Relevance: 24.2, Strings: 19, Instructions: 445COMMON

Download Yara Rule

Strings

.xtr, xrefs: 1000C21F, 1000C334
\Microsoft\Windows\, xrefs: 1000C15B, 1000C1A4, 1000C1FE, 1000C258
advapi32.dll, xrefs: 1000C0A3
version.dll, xrefs: 1000C0CB
wintrust.dll, xrefs: 1000C0FD
.dat, xrefs: 1000C279, 1000C38E
SOFTWARE\, xrefs: 1000C3E5, 1000C4CA, 1000C705
InstalledServer, xrefs: 1000C726
user32.dll, xrefs: 1000C0F3
ServerStarted, xrefs: 1000C406
msimg32.dll, xrefs: 1000C107
gdi32.dll, xrefs: 1000C0DF
shell32.dll, xrefs: 1000C0B7
mpr.dll, xrefs: 1000C0C1
kernel32.dll, xrefs: 1000C0AD
opengl32.dll, xrefs: 1000C0E9
comctl32.dll, xrefs: 1000C0D5
.cfg, xrefs: 1000C1C5, 1000C2DA
ServerName, xrefs: 1000C4EB

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: .cfg$.dat$.xtr$InstalledServer$SOFTWARE\$ServerName$ServerStarted$\Microsoft\Windows\$advapi32.dll$comctl32.dll$gdi32.dll$kernel32.dll$mpr.dll$msimg32.dll$opengl32.dll$shell32.dll$user32.dll$version.dll$wintrust.dll
API String ID: 0-3293355523
Opcode ID: bde0dd1c3b5265f9cabb2d91f526b3a14c8d9b38cf1c088a702092fb281a6550
Instruction ID: 1bb01a822c3cd363219a61f58cecc4d3cd4d7df1aa5892b4b649a7b9097d74e2
Opcode Fuzzy Hash: bde0dd1c3b5265f9cabb2d91f526b3a14c8d9b38cf1c088a702092fb281a6550
Instruction Fuzzy Hash: 58128D7890025D9BEB21DB50CC82EDEB3B9EF84381F4080E5E5096B299DB71BF858F55

Uniqueness

Uniqueness Score: -1.00%

Function 1000D0F4 Relevance: 19.2, Strings: 15, Instructions: 400COMMON

Download Yara Rule

Strings

LP, xrefs: 1000D605
.cfg, xrefs: 1000D344, 1000D3A3
TP, xrefs: 1000D592, 1000D59F
\1P, xrefs: 1000D632
Mutex, xrefs: 1000D2A3
\Microsoft\Windows\, xrefs: 1000D2DE, 1000D323
wzk5VL6RM0QU9blkPERSIST, xrefs: 1000D574
restart, xrefs: 1000D14F
svchost.exe, xrefs: 1000D5AB, 1000D5B6
SOFTWARE\XtremeRAT, xrefs: 1000D267, 1000D2A8
open, xrefs: 1000D183
CONFIG, xrefs: 1000D20F, 1000D440, 1000D4F7
wzk5VL6RM0QU9blk, xrefs: 1000D540
O, xrefs: 1000D349, 1000D3A8, 1000D3B7, 1000D3F5
update, xrefs: 1000D1A6

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: .cfg$CONFIG$LP$Mutex$SOFTWARE\XtremeRAT$TP$\1P$\Microsoft\Windows\$open$restart$svchost.exe$update$wzk5VL6RM0QU9blk$wzk5VL6RM0QU9blkPERSIST$O
API String ID: 0-4244430324
Opcode ID: b25be51fba2d0f65df071fbb7db729566f5925429d87ceaf1aa7f8b9bf906716
Instruction ID: 7babdffad351a71ae314de662e95e98ead1dbb94228c143735747afee298a140
Opcode Fuzzy Hash: b25be51fba2d0f65df071fbb7db729566f5925429d87ceaf1aa7f8b9bf906716
Instruction Fuzzy Hash: E2E1B5787005559BF715E764CC82B9FB3AAEB803C0F508061F5489B29EEEB5FE418B61

Uniqueness

Uniqueness Score: -1.00%

Function 10008568 Relevance: 14.2, Strings: 11, Instructions: 407COMMON

Download Yara Rule

Strings

--- , xrefs: 10008680, 100089D1
[, xrefs: 10008660
, xrefs: 100086A3
temp, xrefs: 10008800, 10008827, 1000885D
LastSize, xrefs: 10008B4A
[Clipboard End], xrefs: 10008A3B
qualquercoisarsrsr, xrefs: 10008AAD
[Clipboard, xrefs: 100089CC
SOFTWARE\, xrefs: 10008B3A
], xrefs: 100089F4
, xrefs: 1000862D, 10008650, 100089BC, 10008A46

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: $ --- $$[$[Clipboard$[Clipboard End]$LastSize$SOFTWARE\$]$qualquercoisarsrsr$temp
API String ID: 0-3009520543
Opcode ID: 779d53ca8fe55552b1ceab16a14ff218901e1d0717973ec1ab609bf966c74ce1
Instruction ID: 057d20e264fa80afaee32c8a6c883f4daf1d9cc34b90863f49a2566050bc1c08
Opcode Fuzzy Hash: 779d53ca8fe55552b1ceab16a14ff218901e1d0717973ec1ab609bf966c74ce1
Instruction Fuzzy Hash: 6DF16F74A00219ABFB51DB64CC81FDE73B9FB083C0F508065F148A72ADDB75AE858B65

Uniqueness

Uniqueness Score: -1.00%

Function 1000B0D0 Relevance: 13.9, Strings: 11, Instructions: 177COMMON

Download Yara Rule

Strings

shellexecute=, xrefs: 1000B1E8
label=PENDRIVE, xrefs: 1000B205
RECYCLER\, xrefs: 1000B2A1
shell\Open=Open, xrefs: 1000B219
RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\, xrefs: 1000B172, 1000B1ED, 1000B228
shell\Open\Default=1, xrefs: 1000B240
[autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\, xrefs: 1000B1C6
autorun.inf, xrefs: 1000B26B, 1000B289
action=Open folder to view files, xrefs: 1000B20F
shell\Open\command=, xrefs: 1000B223
icon=shell32.dll,4, xrefs: 1000B1DE

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: RECYCLER\$RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$[autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$action=Open folder to view files$autorun.inf$icon=shell32.dll,4$label=PENDRIVE$shell\Open=Open$shell\Open\Default=1$shell\Open\command=$shellexecute=
API String ID: 0-631342129
Opcode ID: 13ecfe44ea8818081acd79cdab56d55be9f714c6c0a79ac0d907a72402bacc2f
Instruction ID: e38e5125926d32c1d26ff353fbb275c64c03e2d6fa0b8cc01eec99beb1e39287
Opcode Fuzzy Hash: 13ecfe44ea8818081acd79cdab56d55be9f714c6c0a79ac0d907a72402bacc2f
Instruction Fuzzy Hash: CA616334909688AFEB03DF64CC519DEBF75DF46280B5580E6F040AB15BD774AE05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000B140 Relevance: 13.9, Strings: 11, Instructions: 125COMMON

Download Yara Rule

Strings

shellexecute=, xrefs: 1000B1E8
label=PENDRIVE, xrefs: 1000B205
RECYCLER\, xrefs: 1000B2A1
shell\Open=Open, xrefs: 1000B219
RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\, xrefs: 1000B172, 1000B1ED, 1000B228
shell\Open\Default=1, xrefs: 1000B240
[autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\, xrefs: 1000B1C6
autorun.inf, xrefs: 1000B26B, 1000B289
action=Open folder to view files, xrefs: 1000B20F
shell\Open\command=, xrefs: 1000B223
icon=shell32.dll,4, xrefs: 1000B1DE

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: RECYCLER\$RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$[autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$action=Open folder to view files$autorun.inf$icon=shell32.dll,4$label=PENDRIVE$shell\Open=Open$shell\Open\Default=1$shell\Open\command=$shellexecute=
API String ID: 0-631342129
Opcode ID: f3564a97d53de12c9b48bdf10bff330839f6c1832b8590ef24407a4c5debb447
Instruction ID: 6ae93d5114324f60805c066673cfebbd25bb18d06d828e6891266f46ee2437b0
Opcode Fuzzy Hash: f3564a97d53de12c9b48bdf10bff330839f6c1832b8590ef24407a4c5debb447
Instruction Fuzzy Hash: 71410E38900909ABEB05EF94CD82DDEB7B9EF44281F90C165F500B725EDB71BE058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10005A94 Relevance: 12.6, Strings: 10, Instructions: 71COMMON

Download Yara Rule

Strings

HKEY_CURRENT_USER, xrefs: 10005AE2
HKLM, xrefs: 10005B16
HKEY_USERS, xrefs: 10005B2C
HKEY_CURRENT_CONFIG, xrefs: 10005B51
HKCR, xrefs: 10005AC9
HKCU, xrefs: 10005AF1
HKCC, xrefs: 10005B60
HKEY_LOCAL_MACHINE, xrefs: 10005B07
HKEY_CLASSES_ROOT, xrefs: 10005ABA
HKU, xrefs: 10005B3B

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 0-909552448
Opcode ID: 19a7d89fdd0d4a8943666261cc10e3fb7835feb1d7da3395f8e32f4d42fefbdb
Instruction ID: 07abd4759daa604870a4f77bd8534178fed91fd4fee8f89ff290bb29f67fd9b2
Opcode Fuzzy Hash: 19a7d89fdd0d4a8943666261cc10e3fb7835feb1d7da3395f8e32f4d42fefbdb
Instruction Fuzzy Hash: E5211D38B041C99BF711DA99858295FB3E9DB8D7C2FB08091B8415731EDB37BF019622

Uniqueness

Uniqueness Score: -1.00%

Function 1000A558 Relevance: 9.0, Strings: 7, Instructions: 279COMMON

Download Yara Rule

Strings

URLMON.DLL, xrefs: 1000A5A3
http://, xrefs: 1000A6F8
.functions, xrefs: 1000A779
ENDSERVERBUFFER, xrefs: 1000A65B, 1000A842, 1000A8A9
STARTSERVERBUFFER, xrefs: 1000A64A, 1000A82D, 1000A89F
XTREME, xrefs: 1000A5BA
shell32.dll, xrefs: 1000A5AD

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: .functions$ENDSERVERBUFFER$STARTSERVERBUFFER$URLMON.DLL$XTREME$http://$shell32.dll
API String ID: 0-4263465085
Opcode ID: 470b965d5662e412d8179e10860a8eacdfdba3da0a7e451b88e4202af90a0bea
Instruction ID: 095f8cd7e1ad7f54d17a8aaba90678f4abf6843293fa25502bb1c2560b129c41
Opcode Fuzzy Hash: 470b965d5662e412d8179e10860a8eacdfdba3da0a7e451b88e4202af90a0bea
Instruction Fuzzy Hash: 3FB14D78A001199BEB11DBA4CC82ADFB7B9FF44380F5081A5F504A765ADB74AF858F50

Uniqueness

Uniqueness Score: -1.00%

Function 10008DA4 Relevance: 7.7, Strings: 6, Instructions: 218COMMON

Download Yara Rule

Strings

</body>, xrefs: 10008F43
LastSize, xrefs: 10009028
SOFTWARE\, xrefs: 1000901B
FTP, xrefs: 1000903A
<html><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><head><title>Xtreme RAT</title></head><body>, xrefs: 10008F3B
</html>, xrefs: 10008F4D

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: </body>$</html>$<html><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><head><title>Xtreme RAT</title></head><body>$FTP$LastSize$SOFTWARE\
API String ID: 0-265700797
Opcode ID: 70478f3f3047d89982752d3640f3cec2226bc33a26c5257581dd13bee4673461
Instruction ID: 9ae569672a167bc613e47318ba2929e521b2e386b238916fb1c1f90ba9e27590
Opcode Fuzzy Hash: 70478f3f3047d89982752d3640f3cec2226bc33a26c5257581dd13bee4673461
Instruction Fuzzy Hash: 2C814D74A00259AFFB10DFA8CC85FEE77F9FB08380F508119F544A72A9CB75A9458B64

Uniqueness

Uniqueness Score: -1.00%

Function 100096F6 Relevance: 7.5, Strings: 6, Instructions: 35COMMON

Download Yara Rule

Strings

hgtrfsgfrsgfgregtregtr, xrefs: 1000974E
trhgtehgfsgrfgtrwegtre, xrefs: 10009730
gsegtsrgrefsfsfsgrsgrt, xrefs: 10009721
jytjyegrsfvfbgfsdf, xrefs: 1000973F
frgjbfdkbnfsdjbvofsjfrfre, xrefs: 1000975D
jiejwogfdjieovevodnvfnievn, xrefs: 10009712

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: frgjbfdkbnfsdjbvofsjfrfre$gsegtsrgrefsfsfsgrsgrt$hgtrfsgfrsgfgregtregtr$jiejwogfdjieovevodnvfnievn$jytjyegrsfvfbgfsdf$trhgtehgfsgrfgtrwegtre
API String ID: 0-2672052065
Opcode ID: eaca480185e3529857f08a7b99fa4587865511e38ce0a633c86f9ec4ba4854cf
Instruction ID: ed3f77de684bd0d246fe2b552f76a464aac7a3f76a0323551fd1ca8e49655e55
Opcode Fuzzy Hash: eaca480185e3529857f08a7b99fa4587865511e38ce0a633c86f9ec4ba4854cf
Instruction Fuzzy Hash: 8BF0F9794192116EF701DF714C6697B7698E7453C13818529F5C882A3DDF3358059BE1

Uniqueness

Uniqueness Score: -1.00%

Function 100096F8 Relevance: 7.5, Strings: 6, Instructions: 34COMMON

Download Yara Rule

Strings

hgtrfsgfrsgfgregtregtr, xrefs: 1000974E
trhgtehgfsgrfgtrwegtre, xrefs: 10009730
gsegtsrgrefsfsfsgrsgrt, xrefs: 10009721
jytjyegrsfvfbgfsdf, xrefs: 1000973F
frgjbfdkbnfsdjbvofsjfrfre, xrefs: 1000975D
jiejwogfdjieovevodnvfnievn, xrefs: 10009712

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: frgjbfdkbnfsdjbvofsjfrfre$gsegtsrgrefsfsfsgrsgrt$hgtrfsgfrsgfgregtregtr$jiejwogfdjieovevodnvfnievn$jytjyegrsfvfbgfsdf$trhgtehgfsgrfgtrwegtre
API String ID: 0-2672052065
Opcode ID: 0db88cb41446c7a1772992425046f1e51f35a21a88b435333acbf191ec07eeb4
Instruction ID: 4cd3ad10a4a29e5a40757261822789eba1ab52c8d76854998792a07700413263
Opcode Fuzzy Hash: 0db88cb41446c7a1772992425046f1e51f35a21a88b435333acbf191ec07eeb4
Instruction Fuzzy Hash: EDF0F4B94192116EF701DFB18C6A97B7A98E7453C13818529E6C882A3DDF331405ABE2

Uniqueness

Uniqueness Score: -1.00%

Function 1000B78C Relevance: 6.6, Strings: 5, Instructions: 309COMMON

Download Yara Rule

Strings

BINDER, xrefs: 1000B7DC
SOFTWARE\, xrefs: 1000B8ED, 1000B971
.exe, xrefs: 1000BAF7
.xtr, xrefs: 1000BB60
open, xrefs: 1000BBBD, 1000BBD6

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: .exe$.xtr$BINDER$SOFTWARE\$open
API String ID: 0-3085899294
Opcode ID: a17296029010211923f33a32a025bfe9590920d378f998e5d8a670387b69a70f
Instruction ID: e2e431fa4438d6138b358157023902ea7bce804184865157e4dc89de6df5abab
Opcode Fuzzy Hash: a17296029010211923f33a32a025bfe9590920d378f998e5d8a670387b69a70f
Instruction Fuzzy Hash: 33C11C38A005199BFB25DB54CC82BCFB3B9EB84381F5080B5B509AB249DE75FE858F51

Uniqueness

Uniqueness Score: -1.00%

Function 10009E6C Relevance: 6.4, Strings: 5, Instructions: 162COMMON

Download Yara Rule

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 10009EE7, 10009F21
StubPath, xrefs: 10009FC7
Software\Microsoft\Active Setup\Installed Components\, xrefs: 10009F5F, 10009FB7
%SERVER%, xrefs: 10009FFF
restart, xrefs: 10009F7F

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: restart$%SERVER%$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Run$StubPath
API String ID: 0-2142522223
Opcode ID: 364ad897bbca38481dd1a11b2b492bd1a693bcb91c63773ed721ecd4ba2295bf
Instruction ID: ccd5ba8bb55e14e3b401f0629b5d5422583a699d941ac8acb34279bb9c56e552
Opcode Fuzzy Hash: 364ad897bbca38481dd1a11b2b492bd1a693bcb91c63773ed721ecd4ba2295bf
Instruction Fuzzy Hash: A4619438A0415D9FEB25C750C881BDEB3BEEF45380F8081D6A908A768ADB756F85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 10009E70 Relevance: 6.4, Strings: 5, Instructions: 160COMMON

Download Yara Rule

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 10009EE7, 10009F21
StubPath, xrefs: 10009FC7
Software\Microsoft\Active Setup\Installed Components\, xrefs: 10009F5F, 10009FB7
%SERVER%, xrefs: 10009FFF
restart, xrefs: 10009F7F

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: restart$%SERVER%$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Run$StubPath
API String ID: 0-2142522223
Opcode ID: 70bc63b1d7bf7f2434c0fd2a984a390c0a29f6a211df66fcb658c6ec4d215a6a
Instruction ID: 7bb9cab796adacb123c590501e10766ab110edc906df9b0df81ab3aad42e102a
Opcode Fuzzy Hash: 70bc63b1d7bf7f2434c0fd2a984a390c0a29f6a211df66fcb658c6ec4d215a6a
Instruction Fuzzy Hash: 23619438A0415D9BEB25C750C881BDEB3BEEF45380F8081D6A908A764ADB756F85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 10009E74 Relevance: 6.4, Strings: 5, Instructions: 158COMMON

Download Yara Rule

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 10009EE7, 10009F21
StubPath, xrefs: 10009FC7
Software\Microsoft\Active Setup\Installed Components\, xrefs: 10009F5F, 10009FB7
%SERVER%, xrefs: 10009FFF
restart, xrefs: 10009F7F

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: restart$%SERVER%$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Run$StubPath
API String ID: 0-2142522223
Opcode ID: 6a3a9802c04267f5677fb71fa8e26ddd48aad684d5027258f0195948b13e5c11
Instruction ID: 51db14d9a78096dfca6e0b2c0cac839b55e5a7d9a5be764b8c5632986f08cd1f
Opcode Fuzzy Hash: 6a3a9802c04267f5677fb71fa8e26ddd48aad684d5027258f0195948b13e5c11
Instruction Fuzzy Hash: B5619338A0415D9BEB15D750C841BDEB3BEEF45380F8081E6A908A7249DB75AF85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 1000A54F Relevance: 6.4, Strings: 5, Instructions: 127COMMON

Download Yara Rule

Strings

URLMON.DLL, xrefs: 1000A5A3
ENDSERVERBUFFER, xrefs: 1000A65B
STARTSERVERBUFFER, xrefs: 1000A64A
XTREME, xrefs: 1000A5BA
shell32.dll, xrefs: 1000A5AD

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: ENDSERVERBUFFER$STARTSERVERBUFFER$URLMON.DLL$XTREME$shell32.dll
API String ID: 0-2417524110
Opcode ID: 713050decec376a8e5de2e79cbc70c6421a00f6f369ebb3c5e82f8a6782ac755
Instruction ID: 30b3ef76a2a80ae0936852672a2bbee531ad642fb2a80bd77bca9c30e5cd02f7
Opcode Fuzzy Hash: 713050decec376a8e5de2e79cbc70c6421a00f6f369ebb3c5e82f8a6782ac755
Instruction Fuzzy Hash: 7F418D78A141199BEB11DBA4CC82BEFB3B9FF44380F508165F504A728ADB34BE418B64

Uniqueness

Uniqueness Score: -1.00%

Function 10008270 Relevance: 6.3, Strings: 5, Instructions: 93COMMON

Download Yara Rule

Strings

", xrefs: 10008335
<, xrefs: 10008311
>, xrefs: 10008323
&, xrefs: 100082FF
, xrefs: 10008347

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: &$>$<$"$
API String ID: 0-2730314969
Opcode ID: 0cd1edd9943d5066e4ed9cbb4ed191d6f01f5bec750c3f69ea3f40f0141da2ec
Instruction ID: c2b4ba650b709cafa3e4efc2b6e91a51004f46039d2a3ae5a547a61f7c415082
Opcode Fuzzy Hash: 0cd1edd9943d5066e4ed9cbb4ed191d6f01f5bec750c3f69ea3f40f0141da2ec
Instruction Fuzzy Hash: 57314579A04189AFEF05DB94CC819DF77FDFB88680F509061F180A7209DA34AF028B65

Uniqueness

Uniqueness Score: -1.00%

Function 10008560 Relevance: 5.1, Strings: 4, Instructions: 148COMMON

Download Yara Rule

Strings

--- , xrefs: 10008680
[, xrefs: 10008660
, xrefs: 100086A3
, xrefs: 1000862D, 10008650

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: $ --- $$[
API String ID: 0-341333612
Opcode ID: 844369069b05dfd62b440b7fafa7b9f06d8a9886853feb290a734d0b2ba6acd8
Instruction ID: 82ed3cb906cd8235e36a84cac39b9343783464e2b4201940a396f7c820685ddb
Opcode Fuzzy Hash: 844369069b05dfd62b440b7fafa7b9f06d8a9886853feb290a734d0b2ba6acd8
Instruction Fuzzy Hash: 6F513A78A00119AFEB11DB94CC81FDEB7B9FB48380F5084A1F548A7269DB31BF458B61

Uniqueness

Uniqueness Score: -1.00%

Function 100093E4 Relevance: 5.1, Strings: 4, Instructions: 138COMMON

Download Yara Rule

Strings

XtremeKeylogger, xrefs: 10009403
qualquercoisarsrsr, xrefs: 1000944D
SOFTWARE\, xrefs: 1000952B
LastSize, xrefs: 10009538

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: LastSize$SOFTWARE\$XtremeKeylogger$qualquercoisarsrsr
API String ID: 0-193067991
Opcode ID: b8b35e645ddaf236c2101e74a19ca3d57dbe3ac871cbe1f58d3791964739a7a7
Instruction ID: e10228e688af51e092dac2c6f3dee7a218e45a64ed0b3a8379d93de067ea2b0a
Opcode Fuzzy Hash: b8b35e645ddaf236c2101e74a19ca3d57dbe3ac871cbe1f58d3791964739a7a7
Instruction Fuzzy Hash: 86415E78604251AFF711EB70CC92F6E37A9E7483C0F518029F144AB6FECEB6A8419751

Uniqueness

Uniqueness Score: -1.00%

Function 10009204 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

FTP, xrefs: 1000928C
.html, xrefs: 10009260
SOFTWARE\, xrefs: 10009341
LastSize, xrefs: 1000934E

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: .html$FTP$LastSize$SOFTWARE\
API String ID: 0-3487691436
Opcode ID: f64d9703497d1778a1f724dcd6172282dd11fce0a9d43a36a9a9269ada9e7162
Instruction ID: 1ef3a85e4ac3c80801a06b688fa0acd6d065186ae52865efd5065228073e7574
Opcode Fuzzy Hash: f64d9703497d1778a1f724dcd6172282dd11fce0a9d43a36a9a9269ada9e7162
Instruction Fuzzy Hash: 9F317078500145BFF705DB64CD81BAF77ADEB453C0F904129F440AB6BACBB2AD509B61

Uniqueness

Uniqueness Score: -1.00%

Function 1000CFE0 Relevance: 5.0, Strings: 4, Instructions: 22COMMON

Download Yara Rule

Strings

LP, xrefs: 1000D005
|*Q, xrefs: 1000CFF1
TP, xrefs: 1000CFFB
\1P, xrefs: 1000D00F

Memory Dump Source

Source File: 00000001.00000002.385046170.0000000010000000.00000040.00000400.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: LP$TP$\1P$|*Q
API String ID: 0-718270435
Opcode ID: 73fc59df2933badc3a8ed5fc068dd753388fc0cd3a9b6805401d62ff910ff4f5
Instruction ID: 996994430743bc7117f6a1b416f6bb2c7dbe9114d28de827433b640eee596ff5
Opcode Fuzzy Hash: 73fc59df2933badc3a8ed5fc068dd753388fc0cd3a9b6805401d62ff910ff4f5
Instruction Fuzzy Hash: 50E0ECBC20C6C05AF236EA69581252F779DD7897C07C18871F54896A29DD59ACA04472

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gKi3fKq4Kh.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Njrat

Threatname: Xtreme RAT

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\794bab1182.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\adobe.exe.log

C:\Users\user\AppData\Local\Temp\794bab1182.exe

C:\Users\user\AppData\Local\Temp\794bab1182.exe.exe

C:\Users\user\AppData\Local\Temp\adobe.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f777f760b787dc4d8cfb3fe867defca.exe

C:\Windows\747MBR Regenerator v4.5.exe

C:\Windows\747MBR Regenerator v4.5.exe.exe

\Device\ConDrv

Windows Analysis Report
gKi3fKq4Kh.exe

Function 100098A8 Relevance: 10.6, APIs: 7, Instructions: 70
injectionmemorythreadCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre