Windows Analysis Report
itVg5XA6eK.exe

Overview

General Information

Sample Name: itVg5XA6eK.exe
Analysis ID: 753416
MD5: 8533ef6f79e259e9e5fe7c28f1fcd372
SHA1: 48c1f9b2a798a374b6e8c2e5fb655c19e5fa2ed3
SHA256: bbc8cabc1ba4f81d1ee316d3869ed8e61c91840cb533abee708a3099ab196470
Tags: exe, njrat, RAT

Detection

njRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected njRat
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Protects its processes via BreakOnTermination flag
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Modifies the windows firewall
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • itVg5XA6eK.exe (PID: 6104, cmdline: C:\Users\user\Desktop\itVg5XA6eK.exe, MD5: 8533EF6F79E259E9E5FE7C28F1FCD372)
    • rejdit_free_fire.exe (PID: 1852, cmdline: "C:\ProgramData\rejdit_free_fire.exe", MD5: 8533EF6F79E259E9E5FE7C28F1FCD372)
      • netsh.exe (PID: 2436, cmdline: netsh firewall add allowedprogram "C:\ProgramData\rejdit_free_fire.exe" "rejdit_free_fire.exe" ENABLE, MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 732, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • rejdit_free_fire.exe (PID: 644, cmdline: "C:\ProgramData\rejdit_free_fire.exe" .., MD5: 8533EF6F79E259E9E5FE7C28F1FCD372)
  • rejdit_free_fire.exe (PID: 1280, cmdline: "C:\ProgramData\rejdit_free_fire.exe" .., MD5: 8533EF6F79E259E9E5FE7C28F1FCD372)
  • rejdit_free_fire.exe (PID: 1112, cmdline: "C:\ProgramData\rejdit_free_fire.exe" .., MD5: 8533EF6F79E259E9E5FE7C28F1FCD372)
  • cleanup

Malware Configuration

njRat: {"Host": "h43vipforyou.ddns.net", "Port": "1177", "Version": "0.7d", "Campaign ID": "HacKed", "Install Name": "rejdit_free_fire.exe", "Install Dir": "AllUsersProfile", "Network Seprator": "|'|'|"}
Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
itVg5XA6eK.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
itVg5XA6eK.exe | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x4ce8:$s1: netsh firewall delete allowedprogram
  • 0x4dc4:$s2: netsh firewall add allowedprogram
  • 0x4d56:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x4e6c:$s4: Execute ERROR
  • 0x4ec8:$s4: Execute ERROR
  • 0x4e90:$s5: Download ERROR
  • 0x4ff4:$s6: [kl]
itVg5XA6eK.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4dc4:$a1: netsh firewall add allowedprogram
  • 0x4d94:$a2: SEE_MASK_NOZONECHECKS
  • 0x503e:$b1: [TAP]
  • 0x4d56:$c3: cmd.exe /c ping
itVg5XA6eK.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x3c9a:$a1: get_Registry
  • 0x4d94:$a2: SEE_MASK_NOZONECHECKS
  • 0x4e90:$a3: Download ERROR
  • 0x4d56:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ce8:$a5: netsh firewall delete allowedprogram "
itVg5XA6eK.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x4d94:$reg: SEE_MASK_NOZONECHECKS
  • 0x4e6c:$msg: Execute ERROR
  • 0x4ec8:$msg: Execute ERROR
  • 0x4d56:$ping: cmd.exe /c ping 0 -n 2 & del
Dropped Files

Source | Rule | Description | Author | Strings
C:\ProgramData\rejdit_free_fire.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\ProgramData\rejdit_free_fire.exe | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x4ce8:$s1: netsh firewall delete allowedprogram
  • 0x4dc4:$s2: netsh firewall add allowedprogram
  • 0x4d56:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x4e6c:$s4: Execute ERROR
  • 0x4ec8:$s4: Execute ERROR
  • 0x4e90:$s5: Download ERROR
  • 0x4ff4:$s6: [kl]
C:\ProgramData\rejdit_free_fire.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4dc4:$a1: netsh firewall add allowedprogram
  • 0x4d94:$a2: SEE_MASK_NOZONECHECKS
  • 0x503e:$b1: [TAP]
  • 0x4d56:$c3: cmd.exe /c ping
C:\ProgramData\rejdit_free_fire.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x3c9a:$a1: get_Registry
  • 0x4d94:$a2: SEE_MASK_NOZONECHECKS
  • 0x4e90:$a3: Download ERROR
  • 0x4d56:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ce8:$a5: netsh firewall delete allowedprogram "
C:\ProgramData\rejdit_free_fire.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x4d94:$reg: SEE_MASK_NOZONECHECKS
  • 0x4e6c:$msg: Execute ERROR
  • 0x4ec8:$msg: Execute ERROR
  • 0x4d56:$ping: cmd.exe /c ping 0 -n 2 & del
Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x7bb4:$a1: netsh firewall add allowedprogram
  • 0x7b84:$a2: SEE_MASK_NOZONECHECKS
  • 0x7e2e:$b1: [TAP]
  • 0x7b46:$c3: cmd.exe /c ping
00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x6a8a:$a1: get_Registry
  • 0x7b84:$a2: SEE_MASK_NOZONECHECKS
  • 0x7c80:$a3: Download ERROR
  • 0x7b46:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x7ad8:$a5: netsh firewall delete allowedprogram "
00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x7b84:$reg: SEE_MASK_NOZONECHECKS
  • 0x7c5c:$msg: Execute ERROR
  • 0x7cb8:$msg: Execute ERROR
  • 0x7b46:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x4ce8:$s1: netsh firewall delete allowedprogram
  • 0x4dc4:$s2: netsh firewall add allowedprogram
  • 0x4d56:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x4e6c:$s4: Execute ERROR
  • 0x4ec8:$s4: Execute ERROR
  • 0x4e90:$s5: Download ERROR
  • 0x4ff4:$s6: [kl]
0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4dc4:$a1: netsh firewall add allowedprogram
  • 0x4d94:$a2: SEE_MASK_NOZONECHECKS
  • 0x503e:$b1: [TAP]
  • 0x4d56:$c3: cmd.exe /c ping
0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x3c9a:$a1: get_Registry
  • 0x4d94:$a2: SEE_MASK_NOZONECHECKS
  • 0x4e90:$a3: Download ERROR
  • 0x4d56:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ce8:$a5: netsh firewall delete allowedprogram "
0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x4d94:$reg: SEE_MASK_NOZONECHECKS
  • 0x4e6c:$msg: Execute ERROR
  • 0x4ec8:$msg: Execute ERROR
  • 0x4d56:$ping: cmd.exe /c ping 0 -n 2 & del
No Sigma rule has matched

Snort IDS Alerts

All 18 alerts share the same flow and classification: TCP 192.168.2.3 -> 41.109.68.239:1177, Classtype: A Network Trojan was detected. Listed in chronological order:

Timestamp | SID | Source Port | Destination Port | Protocol
11/24/22-19:42:23.177340 | 2033132 | 49699 | 1177 | TCP
11/24/22-19:42:23.319941 | 2825563 | 49699 | 1177 | TCP
11/24/22-19:42:23.319941 | 2814856 | 49699 | 1177 | TCP
11/24/22-19:42:28.743067 | 2825564 | 49699 | 1177 | TCP
11/24/22-19:42:28.743067 | 2814860 | 49699 | 1177 | TCP
11/24/22-19:42:56.789376 | 2033132 | 49700 | 1177 | TCP
11/24/22-19:42:56.884058 | 2825563 | 49700 | 1177 | TCP
11/24/22-19:42:56.884058 | 2814856 | 49700 | 1177 | TCP
11/24/22-19:43:01.745518 | 2825564 | 49700 | 1177 | TCP
11/24/22-19:43:01.745518 | 2814860 | 49700 | 1177 | TCP
11/24/22-19:43:29.805466 | 2033132 | 49701 | 1177 | TCP
11/24/22-19:43:29.909277 | 2825563 | 49701 | 1177 | TCP
11/24/22-19:43:29.909277 | 2814856 | 49701 | 1177 | TCP
11/24/22-19:43:44.045655 | 2814860 | 49701 | 1177 | TCP
11/24/22-19:43:44.045655 | 2825564 | 49701 | 1177 | TCP
11/24/22-19:44:02.583206 | 2033132 | 49702 | 1177 | TCP
11/24/22-19:44:02.683537 | 2825563 | 49702 | 1177 | TCP
11/24/22-19:44:02.683537 | 2814856 | 49702 | 1177 | TCP


AV Detection

Source: itVg5XA6eK.exe | ReversingLabs: Detection: 100%
Source: itVg5XA6eK.exe | Virustotal: Detection: 76%
Source: Yara match | File source: itVg5XA6eK.exe, type: SAMPLE
Source: Yara match | File source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.507753585.0000000002965000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: itVg5XA6eK.exe PID: 6104, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rejdit_free_fire.exe PID: 1852, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPED
Source: itVg5XA6eK.exe | Avira: detected
Source: h43vipforyou.ddns.net | Avira URL Cloud: Label: malware
Source: h43vipforyou.ddns.net | Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe | Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\ProgramData\rejdit_free_fire.exe | Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\ProgramData\rejdit_free_fire.exe | ReversingLabs: Detection: 100%
Source: C:\ProgramData\rejdit_free_fire.exe | Virustotal: Detection: 76%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe | ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe | Virustotal: Detection: 76%
Source: itVg5XA6eK.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\rejdit_free_fire.exe | Joe Sandbox ML: detected
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack | Avira: Label: TR/Dropper.Gen7
Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Njrat {"Host": "h43vipforyou.ddns.net", "Port": "1177", "Version": "0.7d", "Campaign ID": "HacKed", "Install Name": "rejdit_free_fire.exe", "Install Dir": "AllUsersProfile", "Network Seprator": "|'|'|"}
Source: itVg5XA6eK.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\itVg5XA6eK.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: itVg5XA6eK.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49699 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.3:49699 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.3:49699 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.3:49699 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.3:49699 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49700 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.3:49700 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.3:49700 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.3:49700 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.3:49700 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49701 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.3:49701 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.3:49701 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.3:49701 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.3:49701 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49702 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.3:49702 -> 41.109.68.239:1177
Source: Traffic | Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.3:49702 -> 41.109.68.239:1177
Source: Malware configuration extractor | URLs: h43vipforyou.ddns.net
Source: unknown | DNS query: name: h43vipforyou.ddns.net
Source: Joe Sandbox View | ASN Name: ALGTEL-ASDZ ALGTEL-ASDZ
Source: global traffic | TCP traffic: 192.168.2.3:49699 -> 41.109.68.239:1177
Source: unknown | DNS traffic detected: queries for: h43vipforyou.ddns.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: itVg5XA6eK.exe, kl.cs | .Net Code: VKCodeToUnicode
Source: rejdit_free_fire.exe.0.dr, kl.cs | .Net Code: VKCodeToUnicode
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: 869b16e2825dce24066aba38ee1a9add.exe.1.dr, kl.cs | .Net Code: VKCodeToUnicode
Source: rejdit_free_fire.exe, 00000001.00000002.505779349.000000000070A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match | File source: itVg5XA6eK.exe, type: SAMPLE
Source: Yara match | File source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.507753585.0000000002965000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: itVg5XA6eK.exe PID: 6104, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rejdit_free_fire.exe PID: 1852, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPED

Operating System Destruction

Source: C:\ProgramData\rejdit_free_fire.exe | Process information set: 01 00 00 00

System Summary

Source: itVg5XA6eK.exe, type: SAMPLE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: itVg5XA6eK.exe, type: SAMPLE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: itVg5XA6eK.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: itVg5XA6eK.exe, type: SAMPLE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPED | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPED | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: itVg5XA6eK.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: itVg5XA6eK.exe, type: SAMPLE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: itVg5XA6eK.exe, type: SAMPLE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: itVg5XA6eK.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: itVg5XA6eK.exe, type: SAMPLE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPEDMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPEDMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPEDMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPEDMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPEDMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPEDMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: itVg5XA6eK.exe; ReversingLabs: Detection: 100%
            Source: itVg5XA6eK.exe; Virustotal: Detection: 76%
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe; File read: C:\Users\user\Desktop\itVg5XA6eK.exe
            Source: itVg5XA6eK.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown; Process created: C:\Users\user\Desktop\itVg5XA6eK.exe C:\Users\user\Desktop\itVg5XA6eK.exe
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe; Process created: C:\ProgramData\rejdit_free_fire.exe "C:\ProgramData\rejdit_free_fire.exe"
            Source: C:\ProgramData\rejdit_free_fire.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\ProgramData\rejdit_free_fire.exe" "rejdit_free_fire.exe" ENABLE
            Source: C:\Windows\SysWOW64\netsh.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown; Process created: C:\ProgramData\rejdit_free_fire.exe "C:\ProgramData\rejdit_free_fire.exe" ..
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\itVg5XA6eK.exe.log
            Source: classification engine; Classification label: mal100.troj.adwa.spyw.evad.winEXE@9/5@4/1
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe; File read: C:\Users\user\Desktop\desktop.ini
            Source: itVg5XA6eK.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\ProgramData\rejdit_free_fire.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\ProgramData\rejdit_free_fire.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\ProgramData\rejdit_free_fire.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe; Mutant created: \Sessions\1\BaseNamedObjects\869b16e2825dce24066aba38ee1a9add
            Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:732:120:WilError_01
            Source: C:\ProgramData\rejdit_free_fire.exe; File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: itVg5XA6eK.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: itVg5XA6eK.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: itVg5XA6eK.exe, OK.cs; .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: rejdit_free_fire.exe.0.dr, OK.cs; .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, OK.cs; .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 869b16e2825dce24066aba38ee1a9add.exe.1.dr, OK.cs; .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe; File created: C:\ProgramData\rejdit_free_fire.exe
            Source: C:\ProgramData\rejdit_free_fire.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe

            Boot Survival

            Source: C:\ProgramData\rejdit_free_fire.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe
            Source: C:\ProgramData\rejdit_free_fire.exe; Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 869b16e2825dce24066aba38ee1a9add
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\rejdit_free_fire.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netsh.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe TID: 6112; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\ProgramData\rejdit_free_fire.exe TID: 2148; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\ProgramData\rejdit_free_fire.exe TID: 1760; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\ProgramData\rejdit_free_fire.exe TID: 3508; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\ProgramData\rejdit_free_fire.exe; Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe; Thread delayed: delay time: 922337203685477
            Source: C:\ProgramData\rejdit_free_fire.exe; Thread delayed: delay time: 922337203685477
            Source: C:\ProgramData\rejdit_free_fire.exe; Window / User API: threadDelayed 5692
            Source: rejdit_free_fire.exe, 00000001.00000002.506101970.000000000073B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\ProgramData\rejdit_free_fire.exe; Process token adjusted: Debug
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe; Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: itVg5XA6eK.exe, OK.cs; Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
            Source: itVg5XA6eK.exe, kl.cs; Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: rejdit_free_fire.exe.0.dr, OK.cs; Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
            Source: rejdit_free_fire.exe.0.dr, kl.cs; Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, OK.cs; Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
            Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, kl.cs; Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: 869b16e2825dce24066aba38ee1a9add.exe.1.dr, OK.cs; Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
            Source: 869b16e2825dce24066aba38ee1a9add.exe.1.dr, kl.cs; Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: C:\Users\user\Desktop\itVg5XA6eK.exe; Process created: C:\ProgramData\rejdit_free_fire.exe "C:\ProgramData\rejdit_free_fire.exe"
            Source: rejdit_free_fire.exe, 00000001.00000002.509172881.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, rejdit_free_fire.exe, 00000001.00000002.507753585.0000000002965000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager
            Source: rejdit_free_fire.exe, 00000001.00000002.509172881.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, rejdit_free_fire.exe, 00000001.00000002.507753585.0000000002965000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager|9
            Source: rejdit_free_fire.exe, 00000001.00000002.509172881.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, rejdit_free_fire.exe, 00000001.00000002.507753585.0000000002965000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager<
            Source: C:\ProgramData\rejdit_free_fire.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\netsh.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\ProgramData\rejdit_free_fire.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\ProgramData\rejdit_free_fire.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\ProgramData\rejdit_free_fire.exe" "rejdit_free_fire.exe" ENABLE
            Source: C:\ProgramData\rejdit_free_fire.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\ProgramData\rejdit_free_fire.exe" "rejdit_free_fire.exe" ENABLE

            Stealing of Sensitive Information

            Source: Yara match. File source: itVg5XA6eK.exe, type: SAMPLE
            Source: Yara match. File source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match. File source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE
            Source: Yara match. File source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE
            Source: Yara match. File source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match. File source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match. File source: 00000001.00000002.507753585.0000000002965000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match. File source: Process Memory Space: itVg5XA6eK.exe PID: 6104, type: MEMORYSTR
            Source: Yara match. File source: Process Memory Space: rejdit_free_fire.exe PID: 1852, type: MEMORYSTR
            Source: Yara match. File source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPED
            Source: Yara match. File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPED

            Remote Access Functionality

            Source: itVg5XA6eK.exe, OK.cs. .Net Code: njRat config detected
            Source: rejdit_free_fire.exe.0.dr, OK.cs. .Net Code: njRat config detected
            Source: 0.0.itVg5XA6eK.exe.440000.0.unpack, OK.cs. .Net Code: njRat config detected
            Source: 869b16e2825dce24066aba38ee1a9add.exe.1.dr, OK.cs. .Net Code: njRat config detected
            Source: Yara match. File source: itVg5XA6eK.exe, type: SAMPLE
            Source: Yara match. File source: 0.2.itVg5XA6eK.exe.3ab6df0.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match. File source: 0.0.itVg5XA6eK.exe.440000.0.unpack, type: UNPACKEDPE
            Source: Yara match. File source: 0.2.itVg5XA6eK.exe.3ab6df0.0.unpack, type: UNPACKEDPE
            Source: Yara match. File source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match. File source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match. File source: 00000001.00000002.507753585.0000000002965000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match. File source: Process Memory Space: itVg5XA6eK.exe PID: 6104, type: MEMORYSTR
            Source: Yara match. File source: Process Memory Space: rejdit_free_fire.exe PID: 1852, type: MEMORYSTR
            Source: Yara match. File source: C:\ProgramData\rejdit_free_fire.exe, type: DROPPED
            Source: Yara match. File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, type: DROPPED
            MITRE ATT&CK Matrix (per tactic; leading digits are the signature counts shown in the matrix cell for techniques this sample matched)

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
            Execution: 1 Native API; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
            Persistence: 221 Registry Run Keys / Startup Folder; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
            Privilege Escalation: 12 Process Injection; 221 Registry Run Keys / Startup Folder; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
            Defense Evasion: 1 Masquerading; 21 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 12 Process Injection; 11 Software Packing; Steganography; Compile After Delivery
            Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
            Discovery: 11 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 12 System Information Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
            Collection: 11 Input Capture; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Command and Control: 1 Non-Standard Port; 1 Remote Access Software; 1 Non-Application Layer Protocol; 21 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
            Behavior Graph (ID: 753416; Sample: itVg5XA6eK.exe; Startdate: 24/11/2022; Architecture: WINDOWS; Score: 100)

            Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 14 other signatures.
            Processes started from the root: itVg5XA6eK.exe, and three further instances of rejdit_free_fire.exe.
            itVg5XA6eK.exe dropped C:\ProgramData\rejdit_free_fire.exe (PE32) and C:\Users\user\AppData\...\itVg5XA6eK.exe.log (ASCII), then started rejdit_free_fire.exe.
            rejdit_free_fire.exe connected to h43vipforyou.ddns.net (41.109.68.239, destination port 1177, source ports 49699 and 49700; ALGTEL-ASDZ, Algeria), dropped C:\...\869b16e2825dce24066aba38ee1a9add.exe (PE32), and started netsh.exe. Signatures on this process: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Protects its processes via BreakOnTermination flag; 5 other signatures.
            netsh.exe started conhost.exe.

            Source | Detection | Scanner | Label
            itVg5XA6eK.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
            itVg5XA6eK.exe | 76% | Virustotal |
            itVg5XA6eK.exe | 100% | Avira | TR/Dropper.Gen7
            itVg5XA6eK.exe | 100% | Joe Sandbox ML |

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe | 100% | Avira | TR/Dropper.Gen7
            C:\ProgramData\rejdit_free_fire.exe | 100% | Avira | TR/Dropper.Gen7
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe | 100% | Joe Sandbox ML |
            C:\ProgramData\rejdit_free_fire.exe | 100% | Joe Sandbox ML |
            C:\ProgramData\rejdit_free_fire.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
            C:\ProgramData\rejdit_free_fire.exe | 76% | Virustotal |
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe | 76% | Virustotal |

            Source | Detection | Scanner | Label
            0.0.itVg5XA6eK.exe.440000.0.unpack | 100% | Avira | TR/Dropper.Gen7

            Source | Detection | Scanner | Label
            h43vipforyou.ddns.net | 10% | Virustotal |

            Source | Detection | Scanner | Label
            h43vipforyou.ddns.net | 100% | Avira URL Cloud | malware
            h43vipforyou.ddns.net | 10% | Virustotal |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            h43vipforyou.ddns.net | 41.109.68.239 | true | true | | unknown

            Name | Malicious | Antivirus Detection | Reputation
            h43vipforyou.ddns.net | true | 10% Virustotal; Avira URL Cloud: malware | unknown
            IP | Domain | Country | ASN | ASN Name | Malicious
            41.109.68.239 | h43vipforyou.ddns.net | Algeria | 36947 | ALGTEL-ASDZ | true
            Joe Sandbox Version:36.0.0 Rainbow Opal
            Analysis ID:753416
            Start date and time:2022-11-24 19:41:09 +01:00
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 5m 39s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:itVg5XA6eK.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of new started processes analysed:18
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.adwa.spyw.evad.winEXE@9/5@4/1
            EGA Information:
            • Successful, ratio: 60%
            HDC Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 104
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 93.184.221.240
            • Excluded domains from analysis (whitelisted): fs.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
            • Execution Graph export aborted for target rejdit_free_fire.exe, PID 1280 because it is empty
            • Execution Graph export aborted for target rejdit_free_fire.exe, PID 644 because it is empty
            • Not all processes were analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            Time | Type | Description
            19:42:20 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 869b16e2825dce24066aba38ee1a9add "C:\ProgramData\rejdit_free_fire.exe" ..
            19:42:29 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 869b16e2825dce24066aba38ee1a9add "C:\ProgramData\rejdit_free_fire.exe" ..
            19:42:37 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 869b16e2825dce24066aba38ee1a9add "C:\ProgramData\rejdit_free_fire.exe" ..
            19:42:45 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe
            Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
            ALGTEL-ASDZ: 20 previously analysed samples (all flagged malicious) associated with this ASN, each listed with the IP it contacted.
            Process:C:\Users\user\Desktop\itVg5XA6eK.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):232960
            Entropy (8bit):6.66426413554523
            Encrypted:false
            SSDEEP:3072:HSuZ00DVrF1rVcCPP+Tl6Ws5cUYTMExjHSTdMTfNlx35eRPG+79IwGrpc:J/2TAcZyOjNlri7Ww
            MD5:8533EF6F79E259E9E5FE7C28F1FCD372
            SHA1:48C1F9B2A798A374B6E8C2E5FB655C19E5FA2ED3
            SHA-256:BBC8CABC1BA4F81D1EE316D3869ED8E61C91840CB533ABEE708A3099AB196470
            SHA-512:533FACB9E64028915336F7A7035E726409279309B05D2CF1E6DEF878513A85F49A9119F09E53BCC8371FF5BC8F91474B67934773E3C6A7AD12C3778FFA3F2697
            Malicious:true
            Yara Hits:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\ProgramData\rejdit_free_fire.exe, Author: Joe Security
            • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\ProgramData\rejdit_free_fire.exe, Author: ditekSHen
            • Rule: njrat1, Description: Identify njRat, Source: C:\ProgramData\rejdit_free_fire.exe, Author: Brian Wallace @botnet_hunter
            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\ProgramData\rejdit_free_fire.exe, Author: unknown
            • Rule: Njrat, Description: detect njRAT in memory, Source: C:\ProgramData\rejdit_free_fire.exe, Author: JPCERT/CC Incident Response Group
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 100%
            • Antivirus: Virustotal, Detection: 76%
            Reputation:low
            Process:C:\Users\user\Desktop\itVg5XA6eK.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):525
            Entropy (8bit):5.2874233355119316
            Encrypted:false
            SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
            MD5:80EFBEC081D7836D240503C4C9465FEC
            SHA1:6AF398E08A359457083727BAF296445030A55AC3
            SHA-256:C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
            SHA-512:DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
            Malicious:true
            Reputation:high, very likely benign file
            Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
            Process:C:\ProgramData\rejdit_free_fire.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):525
            Entropy (8bit):5.2874233355119316
            Encrypted:false
            SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
            MD5:80EFBEC081D7836D240503C4C9465FEC
            SHA1:6AF398E08A359457083727BAF296445030A55AC3
            SHA-256:C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
            SHA-512:DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
            Malicious:false
            Reputation:high, very likely benign file
            Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
            Process:C:\ProgramData\rejdit_free_fire.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):232960
            Entropy (8bit):6.66426413554523
            Encrypted:false
            SSDEEP:3072:HSuZ00DVrF1rVcCPP+Tl6Ws5cUYTMExjHSTdMTfNlx35eRPG+79IwGrpc:J/2TAcZyOjNlri7Ww
            MD5:8533EF6F79E259E9E5FE7C28F1FCD372
            SHA1:48C1F9B2A798A374B6E8C2E5FB655C19E5FA2ED3
            SHA-256:BBC8CABC1BA4F81D1EE316D3869ED8E61C91840CB533ABEE708A3099AB196470
            SHA-512:533FACB9E64028915336F7A7035E726409279309B05D2CF1E6DEF878513A85F49A9119F09E53BCC8371FF5BC8F91474B67934773E3C6A7AD12C3778FFA3F2697
            Malicious:true
            Yara Hits:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, Author: Joe Security
            • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, Author: ditekSHen
            • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, Author: Brian Wallace @botnet_hunter
            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, Author: unknown
            • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe, Author: JPCERT/CC Incident Response Group
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 100%
            • Antivirus: Virustotal, Detection: 76%
            Reputation:low
            Process:C:\Windows\SysWOW64\netsh.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):313
            Entropy (8bit):4.971939296804078
            Encrypted:false
            SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
            MD5:689E2126A85BF55121488295EE068FA1
            SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
            SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
            SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
            Malicious:false
            Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):6.66426413554523
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Win16/32 Executable Delphi generic (2074/23) 0.01%
            • Generic Win/DOS Executable (2004/3) 0.01%
            File name:itVg5XA6eK.exe
            File size:232960
            MD5:8533ef6f79e259e9e5fe7c28f1fcd372
            SHA1:48c1f9b2a798a374b6e8c2e5fb655c19e5fa2ed3
            SHA256:bbc8cabc1ba4f81d1ee316d3869ed8e61c91840cb533abee708a3099ab196470
            SHA512:533facb9e64028915336f7a7035e726409279309b05d2cf1e6def878513a85f49a9119f09e53bcc8371ff5bc8f91474b67934773e3c6a7ad12c3778ffa3f2697
            SSDEEP:3072:HSuZ00DVrF1rVcCPP+Tl6Ws5cUYTMExjHSTdMTfNlx35eRPG+79IwGrpc:J/2TAcZyOjNlri7Ww
            TLSH:4834BF821D4689E8EC7E1934102D1C4EC271DD3B85B62DDA9FCAF464C9B31E1606EA7F
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R[vc.................V...6.......t... ........@.. ....................................@................................
            Icon Hash:33f995df0f063033
            Entrypoint:0x4074ae
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x63765B52 [Thu Nov 17 16:03:30 2022 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al (repeated 97 times: the null bytes that follow the jump through the import table decode to this instruction)
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x745c | 0x4f | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x33264 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3c000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0x54b4 | 0x5600 | False | 0.4898255813953488 | data | 5.58038459164499 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc | 0x8000 | 0x33264 | 0x33400 | False | 0.6070121951219513 | data | 6.562617643019481 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x3c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country
            RT_ICON | 0x80e8 | 0x32f80 | Device independent bitmap graphic, 226 x 446 x 32, image size 201592 | |
            RT_GROUP_ICON | 0x3b068 | 0x14 | data | |
            RT_MANIFEST | 0x3b07c | 0x1e7 | XML 1.0 document, ASCII text, with CRLF line terminators | |
            DLL         | Import
            mscoree.dll | _CorExeMain
            Timestamp                | Protocol | SID     | Message                                                  | Source Port | Dest Port | Source IP   | Dest IP
            11/24/22-19:42:23.177340 | TCP      | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)     | 49699       | 1177      | 192.168.2.3 | 41.109.68.239
            11/24/22-19:42:23.319941 | TCP      | 2825563 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) | 49699       | 1177      | 192.168.2.3 | 41.109.68.239
            11/24/22-19:43:29.909277 | TCP      | 2825563 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) | 49701       | 1177      | 192.168.2.3 | 41.109.68.239
            11/24/22-19:42:56.789376 | TCP      | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)     | 49700       | 1177      | 192.168.2.3 | 41.109.68.239
            11/24/22-19:42:28.743067 | TCP      | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49699       | 1177      | 192.168.2.3 | 41.109.68.239
            11/24/22-19:43:01.745518 | TCP      | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49700       | 1177      | 192.168.2.3 | 41.109.68.239
            11/24/22-19:42:56.884058 | TCP      | 2825563 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) | 49700       | 1177      | 192.168.2.3 | 41.109.68.239
            11/24/22-19:43:29.805466 | TCP      | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)     | 49701       | 1177      | 192.168.2.3 | 41.109.68.239
            11/24/22-19:43:29.909277 | TCP      | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)   | 49701       | 1177      | 192.168.2.3 | 41.109.68.239
            11/24/22-19:44:02.683537 | TCP      | 2825563 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) | 49702       | 1177      | 192.168.2.3 | 41.109.68.239
            11/24/22-19:43:44.045655 | TCP      | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)         | 49701       | 1177      | 192.168.2.3 | 41.109.68.239
            11/24/22-19:44:02.583206 | TCP      | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)     | 49702       | 1177      | 192.168.2.3 | 41.109.68.239
            11/24/22-19:42:28.743067 | TCP      | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)         | 49699       | 1177      | 192.168.2.3 | 41.109.68.239
            11/24/22-19:44:02.683537 | TCP      | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)   | 49702       | 1177      | 192.168.2.3 | 41.109.68.239
            11/24/22-19:43:01.745518 | TCP      | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)         | 49700       | 1177      | 192.168.2.3 | 41.109.68.239
            11/24/22-19:43:44.045655 | TCP      | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49701       | 1177      | 192.168.2.3 | 41.109.68.239
            11/24/22-19:42:56.884058 | TCP      | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)   | 49700       | 1177      | 192.168.2.3 | 41.109.68.239
            11/24/22-19:42:23.319941 | TCP      | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)   | 49699       | 1177      | 192.168.2.3 | 41.109.68.239
            Timestamp                           | Source Port | Dest Port | Source IP     | Dest IP
            Nov 24, 2022 19:42:22.877197981 CET | 49699       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:42:22.978322029 CET | 1177        | 49699     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:42:22.978456974 CET | 49699       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:42:23.177340031 CET | 49699       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:42:23.319797993 CET | 1177        | 49699     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:42:23.319941044 CET | 49699       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:42:23.475019932 CET | 1177        | 49699     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:42:28.743067026 CET | 49699       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:42:29.029788017 CET | 1177        | 49699     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:42:53.837865114 CET | 1177        | 49699     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:42:53.838188887 CET | 49699       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:42:56.635041952 CET | 49699       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:42:56.703151941 CET | 49700       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:42:56.742235899 CET | 1177        | 49699     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:42:56.776344061 CET | 1177        | 49700     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:42:56.776509047 CET | 49700       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:42:56.789376020 CET | 49700       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:42:56.883812904 CET | 1177        | 49700     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:42:56.884057999 CET | 49700       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:42:56.986124992 CET | 1177        | 49700     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:43:01.745517969 CET | 49700       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:43:01.860215902 CET | 1177        | 49700     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:43:27.425684929 CET | 1177        | 49700     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:43:27.425894976 CET | 49700       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:43:29.566560984 CET | 49700       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:43:29.634968042 CET | 1177        | 49700     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:43:29.699424028 CET | 49701       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:43:29.769546032 CET | 1177        | 49701     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:43:29.769810915 CET | 49701       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:43:29.805465937 CET | 49701       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:43:29.909079075 CET | 1177        | 49701     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:43:29.909276962 CET | 49701       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:43:30.009236097 CET | 1177        | 49701     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:43:35.919970989 CET | 49701       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:43:36.018954992 CET | 1177        | 49701     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:43:44.045655012 CET | 49701       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:43:44.143486023 CET | 1177        | 49701     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:44:00.425215006 CET | 1177        | 49701     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:44:00.425400019 CET | 49701       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:44:02.437489986 CET | 49701       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:44:02.491133928 CET | 49702       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:44:02.504364014 CET | 1177        | 49701     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:44:02.563647032 CET | 1177        | 49702     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:44:02.563779116 CET | 49702       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:44:02.583205938 CET | 49702       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:44:02.682976007 CET | 1177        | 49702     | 41.109.68.239 | 192.168.2.3
            Nov 24, 2022 19:44:02.683537006 CET | 49702       | 1177      | 192.168.2.3   | 41.109.68.239
            Nov 24, 2022 19:44:02.784684896 CET | 1177        | 49702     | 41.109.68.239 | 192.168.2.3
            Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
            Nov 24, 2022 19:42:22.846184969 CET | 49977       | 53        | 192.168.2.3 | 8.8.8.8
            Nov 24, 2022 19:42:22.867410898 CET | 53          | 49977     | 8.8.8.8     | 192.168.2.3
            Nov 24, 2022 19:42:56.673460960 CET | 57840       | 53        | 192.168.2.3 | 8.8.8.8
            Nov 24, 2022 19:42:56.691323042 CET | 53          | 57840     | 8.8.8.8     | 192.168.2.3
            Nov 24, 2022 19:43:29.652144909 CET | 57990       | 53        | 192.168.2.3 | 8.8.8.8
            Nov 24, 2022 19:43:29.674014091 CET | 53          | 57990     | 8.8.8.8     | 192.168.2.3
            Nov 24, 2022 19:44:02.472203970 CET | 52387       | 53        | 192.168.2.3 | 8.8.8.8
            Nov 24, 2022 19:44:02.489883900 CET | 53          | 52387     | 8.8.8.8     | 192.168.2.3
            Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                  | Type           | Class       | DNS over HTTPS
            Nov 24, 2022 19:42:22.846184969 CET | 192.168.2.3 | 8.8.8.8 | 0x2f59   | Standard query (0) | h43vipforyou.ddns.net | A (IP address) | IN (0x0001) | false
            Nov 24, 2022 19:42:56.673460960 CET | 192.168.2.3 | 8.8.8.8 | 0x243b   | Standard query (0) | h43vipforyou.ddns.net | A (IP address) | IN (0x0001) | false
            Nov 24, 2022 19:43:29.652144909 CET | 192.168.2.3 | 8.8.8.8 | 0xa7fd   | Standard query (0) | h43vipforyou.ddns.net | A (IP address) | IN (0x0001) | false
            Nov 24, 2022 19:44:02.472203970 CET | 192.168.2.3 | 8.8.8.8 | 0x8aba   | Standard query (0) | h43vipforyou.ddns.net | A (IP address) | IN (0x0001) | false
            Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                  | CName | Address       | Type           | Class       | DNS over HTTPS
            Nov 24, 2022 19:42:22.867410898 CET | 8.8.8.8   | 192.168.2.3 | 0x2f59   | No error (0) | h43vipforyou.ddns.net |       | 41.109.68.239 | A (IP address) | IN (0x0001) | false
            Nov 24, 2022 19:42:56.691323042 CET | 8.8.8.8   | 192.168.2.3 | 0x243b   | No error (0) | h43vipforyou.ddns.net |       | 41.109.68.239 | A (IP address) | IN (0x0001) | false
            Nov 24, 2022 19:43:29.674014091 CET | 8.8.8.8   | 192.168.2.3 | 0xa7fd   | No error (0) | h43vipforyou.ddns.net |       | 41.109.68.239 | A (IP address) | IN (0x0001) | false
            Nov 24, 2022 19:44:02.489883900 CET | 8.8.8.8   | 192.168.2.3 | 0x8aba   | No error (0) | h43vipforyou.ddns.net |       | 41.109.68.239 | A (IP address) | IN (0x0001) | false


            Target ID:0
            Start time:19:41:59
            Start date:24/11/2022
            Path:C:\Users\user\Desktop\itVg5XA6eK.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\Desktop\itVg5XA6eK.exe
            Imagebase:0x440000
            File size:232960 bytes
            MD5 hash:8533EF6F79E259E9E5FE7C28F1FCD372
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.255333528.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
            • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
            • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.239853870.0000000000442000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:low

            Target ID:1
            Start time:19:42:06
            Start date:24/11/2022
            Path:C:\ProgramData\rejdit_free_fire.exe
            Wow64 process (32bit):true
            Commandline:"C:\ProgramData\rejdit_free_fire.exe"
            Imagebase:0xb0000
            File size:232960 bytes
            MD5 hash:8533EF6F79E259E9E5FE7C28F1FCD372
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000002.507753585.0000000002965000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\ProgramData\rejdit_free_fire.exe, Author: Joe Security
            • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\ProgramData\rejdit_free_fire.exe, Author: ditekSHen
            • Rule: njrat1, Description: Identify njRat, Source: C:\ProgramData\rejdit_free_fire.exe, Author: Brian Wallace @botnet_hunter
            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\ProgramData\rejdit_free_fire.exe, Author: unknown
            • Rule: Njrat, Description: detect njRAT in memory, Source: C:\ProgramData\rejdit_free_fire.exe, Author: JPCERT/CC Incident Response Group
            Antivirus matches:
            • Detection: 100%, Avira
            • Detection: 100%, Joe Sandbox ML
            • Detection: 100%, ReversingLabs
            • Detection: 76%, Virustotal, Browse
            Reputation:low

            Target ID:2
            Start time:19:42:14
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\netsh.exe
            Wow64 process (32bit):true
            Commandline:netsh firewall add allowedprogram "C:\ProgramData\rejdit_free_fire.exe" "rejdit_free_fire.exe" ENABLE
            Imagebase:0x10f0000
            File size:82944 bytes
            MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:3
            Start time:19:42:15
            Start date:24/11/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff745070000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:13
            Start time:19:42:29
            Start date:24/11/2022
            Path:C:\ProgramData\rejdit_free_fire.exe
            Wow64 process (32bit):true
            Commandline:"C:\ProgramData\rejdit_free_fire.exe" ..
            Imagebase:0x670000
            File size:232960 bytes
            MD5 hash:8533EF6F79E259E9E5FE7C28F1FCD372
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:.Net C# or VB.NET
            Reputation:low

            Target ID:14
            Start time:19:42:37
            Start date:24/11/2022
            Path:C:\ProgramData\rejdit_free_fire.exe
            Wow64 process (32bit):true
            Commandline:"C:\ProgramData\rejdit_free_fire.exe" ..
            Imagebase:0x980000
            File size:232960 bytes
            MD5 hash:8533EF6F79E259E9E5FE7C28F1FCD372
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:.Net C# or VB.NET
            Reputation:low

            Target ID:15
            Start time:19:42:45
            Start date:24/11/2022
            Path:C:\ProgramData\rejdit_free_fire.exe
            Wow64 process (32bit):true
            Commandline:"C:\ProgramData\rejdit_free_fire.exe" ..
            Imagebase:0xd70000
            File size:232960 bytes
            MD5 hash:8533EF6F79E259E9E5FE7C28F1FCD372
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:.Net C# or VB.NET
            Reputation:low


              Execution Graph

              Execution Coverage:11.3%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:41
              Total number of Limit Nodes:2
              execution_graph
              nodes (id, address, API called):
                1479 d4a710; 1480 d4a71b FindCloseChangeNotification; 1482 d4a788
                1459 d4a2d2; 1460 d4a2d6 SetErrorMode; 1462 d4a33f
                1483 d4a612; 1484 d4a646 CreateMutexW; 1486 d4a6c1
                1463 d4aa5c; 1464 d4aa9e GetFileType; 1466 d4ab00
                1431 d4a2fe; 1432 d4a353; 1433 d4a32a SetErrorMode; 1434 d4a33f
                1439 d4a646; 1441 d4a67e CreateMutexW; 1442 d4a6c1
                1443 d4a986; 1444 d4a9be CreateFileW; 1446 d4aa0d
                1467 d4a966; 1468 d4a986 CreateFileW; 1470 d4aa0d
                1471 d4a361; 1473 d4a392 RegQueryValueExW; 1474 d4a41b
                1475 d4a462; 1476 d4a486 RegSetValueExW; 1478 d4a507
                1451 d4a74e; 1452 d4a7b9; 1453 d4a77a FindCloseChangeNotification; 1454 d4a788
                1455 d4ac2e; 1457 d4ac63 WriteFile; 1458 d4ac95
                1487 d4ac0e; 1489 d4ac2e WriteFile; 1490 d4ac95
              edges:
                1479->1480; 1480->1482
                1459->1460; 1460->1462
                1483->1484; 1484->1486
                1463->1464; 1464->1466
                1431->1432; 1431->1433; 1432->1433; 1433->1434
                1439->1441; 1441->1442
                1443->1444; 1444->1446
                1467->1468; 1468->1470
                1471->1473; 1473->1474
                1475->1476; 1476->1478
                1451->1452; 1451->1453; 1452->1453; 1453->1454
                1455->1457; 1457->1458
                1487->1489; 1489->1490

              Callgraph

              • Executed
              • Not Executed
              • Opacity -> Relevance
              • Disassembly available
              callgraph
              nodes (id, function):
                0 Function_00D4ACD7; 1 Function_00D420D0; 2 Function_00D4AE52; 3 Function_00D4A2D2; 4 Function_00D4AED3
                5 Function_00D4A45C; 6 Function_00D4AA5C; 7 Function_0263076B; 8 Function_04C00249; 9 Function_00D4A25E
                10 Function_00D4AB5E; 11 Function_0263066F; 12 Function_00D42458; 13 Function_00D42044; 14 Function_04C006D1
                15 Function_00D4A646; 16 Function_00D4A8C6; 17 Function_00D4A7C7; 18 Function_00D4A540; 19 Function_026305F6
                20 Function_04C00258; 21 Function_00D4A74E; 22 Function_00D4A1F4; 23 Function_00D423F4; 24 Function_04C003E1
                25 Function_04C008E2; 26 Function_04C00A63; 27 Function_00D421F0; 28 Function_00D4A172; 29 Function_00D4A2FE
                30 Function_00D4A078; 31 Function_026305CF; 32 Function_00D42264; 33 Function_00D42364; 34 Function_00D4A966
                35 Function_00D4A361; 36 Function_00D4A462; 37 Function_04C009F8; 38 Function_0263065A; 39 Function_00D4A56E
                40 Function_0263025D; 41 Function_04C00080; 42 Function_04C00980; 43 Function_00D42194; 44 Function_04C00B03
                45 Function_00D4A710; 46 Function_00D42310; 47 Function_00D4AD12; 48 Function_00D4A392; 49 Function_00D4A612
                50 Function_04C00007; 51 Function_00D4AE1D; 52 Function_00D4AA9E; 53 Function_00D4A81E; 54 Function_026305AF
                55 Function_00D4A09A; 56 Function_00D4AC04; 57 Function_00D4A005; 58 Function_00D42005; 59 Function_00D4AF06
                60 Function_00D4A986; 61 Function_00D4A486; 62 Function_02630730; 63 Function_00D4AD80; 64 Function_04C00498
                65 Function_00D4AC0E; 66 Function_02630639; 67 Function_026305BF; 68 Function_04C00B20; 69 Function_00D422B4
                70 Function_02630001; 71 Function_02630701; 72 Function_00D4AE30; 73 Function_00D42430; 74 Function_04C002A5
                75 Function_00D4A23C; 76 Function_00D423BC; 77 Function_00D4213C; 78 Function_0263000C; 79 Function_04C00B30
                80 Function_04C006B0; 81 Function_00D4A8A4; 82 Function_00D42525; 83 Function_00D4A120; 84 Function_00D425A0
                85 Function_04C008B7; 86 Function_00D4AB2C; 87 Function_0263009B; 88 Function_00D4A02E; 89 Function_00D4AC2E
                90 Function_04C0043D; 91 Function_00D4ADAA; 92 Function_04C005BE
              edges (caller->callee):
                8->14; 8->19; 8->31
                20->14; 20->19; 20->31
                66->38
                74->14; 74->19; 74->31

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph
              nodes (id, address range, API called):
                0 d4a612-d4a695; 4 d4a697; 5 d4a69a-d4a6a3; 6 d4a6a5; 7 d4a6a8-d4a6b1
                8 d4a702-d4a707; 9 d4a6b3-d4a6d7 CreateMutexW; 12 d4a709-d4a70e; 13 d4a6d9-d4a6ff
              edges:
                0->4; 0->5; 4->5; 5->6; 5->7; 6->7; 7->8; 7->9; 8->9; 9->12; 9->13; 12->13
              APIs
              • CreateMutexW.KERNELBASE(?,?), ref: 00D4A6B9
              Memory Dump Source
              • Source File: 00000000.00000002.255218379.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d4a000_itVg5XA6eK.jbxd
              Similarity
              • API ID: CreateMutex
              • String ID:
              • API String ID: 1964310414-0
              • Opcode ID: d9f6b5bee5517227f4a28cd9185a707c2ccc5894c1b6051bbd26cfd098e356ca
              • Instruction ID: f69d076977f0b91615c66c1d44504d856cb8910242c46fd9c96693dbf9da6a52
              • Opcode Fuzzy Hash: d9f6b5bee5517227f4a28cd9185a707c2ccc5894c1b6051bbd26cfd098e356ca
              • Instruction Fuzzy Hash: BC318F755097806FE722CB25CC85B56FFF8EF06310F09849AE9848F292D375A909CB62
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph
              nodes (id, address range, API called):
                16 d4a966-d4a9de; 20 d4a9e0; 21 d4a9e3-d4a9ef; 22 d4a9f4-d4a9fd; 23 d4a9f1
                24 d4aa4e-d4aa53; 25 d4a9ff-d4aa23 CreateFileW; 28 d4aa55-d4aa5a; 29 d4aa25-d4aa4b
              edges:
                16->20; 16->21; 20->21; 21->22; 21->23; 22->24; 22->25; 23->22; 24->25; 25->28; 25->29; 28->29
              APIs
              • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00D4AA05
              Memory Dump Source
              • Source File: 00000000.00000002.255218379.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d4a000_itVg5XA6eK.jbxd
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: 549210a20761cf6cc5c7c106b5e25c08bd261ed3fc37e7db59da9ce373782ec3
              • Instruction ID: b9b711637e56a3b532e5d3c352212957fa7532dec04858880db7f9ab26358f59
              • Opcode Fuzzy Hash: 549210a20761cf6cc5c7c106b5e25c08bd261ed3fc37e7db59da9ce373782ec3
              • Instruction Fuzzy Hash: AC315C71544380AFE722CF65CD45F66FBE8EF05310F0884AEE9859B252D375E948CB61
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph
              nodes (id, address range, API called):
                32 d4a361-d4a3cf; 35 d4a3d4-d4a3dd; 36 d4a3d1; 37 d4a3e2-d4a3e8; 38 d4a3df; 39 d4a3ed-d4a404
                40 d4a3ea; 42 d4a406-d4a419 RegQueryValueExW; 43 d4a43b-d4a440; 44 d4a442-d4a447; 45 d4a41b-d4a438
              edges:
                32->35; 32->36; 35->37; 35->38; 36->35; 37->39; 37->40; 38->37; 39->42; 39->43; 40->39; 42->44; 42->45; 43->42; 44->45
              APIs
              • RegQueryValueExW.KERNELBASE(?,00000E2C,D5CFC09A,00000000,00000000,00000000,00000000), ref: 00D4A40C
              Memory Dump Source
              • Source File: 00000000.00000002.255218379.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d4a000_itVg5XA6eK.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: 37de0cd004fd6f79bed2f784d0c0bc22e5370c1c7a84e13ac357c91e44fbcb0a
              • Instruction ID: 90856f63dab46795f9695daefad4356dec5a1bdcc46a738cda66fdd3a9cf7e27
              • Opcode Fuzzy Hash: 37de0cd004fd6f79bed2f784d0c0bc22e5370c1c7a84e13ac357c91e44fbcb0a
              • Instruction Fuzzy Hash: 45318171149780AFE721CF25CC84F57BFB8EF06310F08849AE9859B292D364E849CB72
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph
              nodes (id, address range, API called):
                64 d4aa5c-d4aae9; 68 d4ab1e-d4ab23; 69 d4aaeb-d4aafe GetFileType; 70 d4ab25-d4ab2a; 71 d4ab00-d4ab1d
              edges:
                64->68; 64->69; 68->69; 69->70; 69->71; 70->71
              APIs
              • GetFileType.KERNELBASE(?,00000E2C,D5CFC09A,00000000,00000000,00000000,00000000), ref: 00D4AAF1
              Memory Dump Source
              • Source File: 00000000.00000002.255218379.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d4a000_itVg5XA6eK.jbxd
              Similarity
              • API ID: FileType
              • String ID:
              • API String ID: 3081899298-0
              • Opcode ID: 7da4dc90db45fb04887e1048ee1251ab855eab8d5a86b53a4e6f224f0e0661f2
              • Instruction ID: 2391062b7bb7787b167b5b6e7d595b396facaf11c9f3f0f1262552d3b91e2a2a
              • Opcode Fuzzy Hash: 7da4dc90db45fb04887e1048ee1251ab855eab8d5a86b53a4e6f224f0e0661f2
              • Instruction Fuzzy Hash: 2B21D8754087806FE712CB25DC54BA3BFA8EF46724F1884DBE9859B153D224A909C772
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph
              nodes (id, address range, API called):
                49 d4a462-d4a4c3; 52 d4a4c5; 53 d4a4c8-d4a4d4; 54 d4a4d6; 55 d4a4d9-d4a4f0
                57 d4a527-d4a52c; 58 d4a4f2-d4a505 RegSetValueExW; 59 d4a507-d4a524; 60 d4a52e-d4a533
              edges:
                49->52; 49->53; 52->53; 53->54; 53->55; 54->55; 55->57; 55->58; 57->58; 58->59; 58->60; 60->59
              APIs
              • RegSetValueExW.KERNELBASE(?,00000E2C,D5CFC09A,00000000,00000000,00000000,00000000), ref: 00D4A4F8
              Memory Dump Source
              • Source File: 00000000.00000002.255218379.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d4a000_itVg5XA6eK.jbxd
              Similarity
              • API ID: Value
              • String ID:
              • API String ID: 3702945584-0
              • Opcode ID: dfcce09277bf10188d14ced69581e2b56c2a6b82af426189a8560b7315064112
              • Instruction ID: 934ac53c52896c2998cf7704db74138ef6a27f6a7ea410d9977b419eef5122c2
              • Opcode Fuzzy Hash: dfcce09277bf10188d14ced69581e2b56c2a6b82af426189a8560b7315064112
              • Instruction Fuzzy Hash: B52192721443806FE7228F25DC44F67BFB8EF46310F08849AE989DB252D264E848CB72
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph
              nodes (id, address range, API called):
                75 d4a986-d4a9de; 78 d4a9e0; 79 d4a9e3-d4a9ef; 80 d4a9f4-d4a9fd; 81 d4a9f1
                82 d4aa4e-d4aa53; 83 d4a9ff-d4aa07 CreateFileW; 85 d4aa0d-d4aa23; 86 d4aa55-d4aa5a; 87 d4aa25-d4aa4b
              edges:
                75->78; 75->79; 78->79; 79->80; 79->81; 80->82; 80->83; 81->80; 82->83; 83->85; 85->86; 85->87; 86->87
              APIs
              • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00D4AA05
              Memory Dump Source
              • Source File: 00000000.00000002.255218379.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d4a000_itVg5XA6eK.jbxd
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: f2531a026cb816ab8d9451ae741e9d27e935dda62038b374a42eb72a5feb2d8b
              • Instruction ID: 7f81bd5bc464c5fe73cdd6fd05fe92ea3836ebaf67b092532091da2c54d6b3a0
              • Opcode Fuzzy Hash: f2531a026cb816ab8d9451ae741e9d27e935dda62038b374a42eb72a5feb2d8b
              • Instruction Fuzzy Hash: C5219D71544240AFE721CF69CD45B66FBE8EF08310F18886EED859B252D375E808CB72
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph
              nodes (id, address range, API called):
                90 d4a646-d4a695; 93 d4a697; 94 d4a69a-d4a6a3; 95 d4a6a5; 96 d4a6a8-d4a6b1
                97 d4a702-d4a707; 98 d4a6b3-d4a6bb CreateMutexW; 100 d4a6c1-d4a6d7; 101 d4a709-d4a70e; 102 d4a6d9-d4a6ff
              edges:
                90->93; 90->94; 93->94; 94->95; 94->96; 95->96; 96->97; 96->98; 97->98; 98->100; 100->101; 100->102; 101->102
              APIs
              • CreateMutexW.KERNELBASE(?,?), ref: 00D4A6B9
              Memory Dump Source
              • Source File: 00000000.00000002.255218379.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d4a000_itVg5XA6eK.jbxd
              Similarity
              • API ID: CreateMutex
              • String ID:
              • API String ID: 1964310414-0
              • Opcode ID: 69a09d6b7faa45f510fcb63ffc10f405917e62e266ccd180e15f286f8ff18f16
              • Instruction ID: 5c0f59d4680851050ac689c2ee158c6e1a41ad56d48874e6ddd426ecb90dc3e8
              • Opcode Fuzzy Hash: 69a09d6b7faa45f510fcb63ffc10f405917e62e266ccd180e15f286f8ff18f16
              • Instruction Fuzzy Hash: 9421A171644640AFE720DF29CD85B66FBE8EF04310F18846AED898F241D775E805CB72
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph
              nodes (id, address range, API called):
                105 d4ac0e-d4ac85; 109 d4ac87-d4aca7 WriteFile; 110 d4acc9-d4acce; 113 d4acd0-d4acd5; 114 d4aca9-d4acc6
              edges:
                105->109; 105->110; 109->113; 109->114; 110->109; 113->114
              APIs
              • WriteFile.KERNELBASE(?,00000E2C,D5CFC09A,00000000,00000000,00000000,00000000), ref: 00D4AC8D
              Memory Dump Source
              • Source File: 00000000.00000002.255218379.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d4a000_itVg5XA6eK.jbxd
              Similarity
              • API ID: FileWrite
              • String ID:
              • API String ID: 3934441357-0
              • Opcode ID: b63e2dec1db24dc752b4082d367e45ceef7b323897551de4a78c5629f6246217
              • Instruction ID: 58bd9c13bf93900b378732a9cd76729a0762f0b790ee1014cafcf219c7c00b9f
              • Opcode Fuzzy Hash: b63e2dec1db24dc752b4082d367e45ceef7b323897551de4a78c5629f6246217
              • Instruction Fuzzy Hash: D6216271409380AFEB22CF65DC84F97FFB8EF45314F08889AE9459B252D265A508CB76
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph
              nodes (id, address range, API called):
                117 d4a392-d4a3cf; 119 d4a3d4-d4a3dd; 120 d4a3d1; 121 d4a3e2-d4a3e8; 122 d4a3df; 123 d4a3ed-d4a404
                124 d4a3ea; 126 d4a406-d4a419 RegQueryValueExW; 127 d4a43b-d4a440; 128 d4a442-d4a447; 129 d4a41b-d4a438
              edges:
                117->119; 117->120; 119->121; 119->122; 120->119; 121->123; 121->124; 122->121; 123->126; 123->127; 124->123; 126->128; 126->129; 127->126; 128->129
              APIs
              • RegQueryValueExW.KERNELBASE(?,00000E2C,D5CFC09A,00000000,00000000,00000000,00000000), ref: 00D4A40C
              Memory Dump Source
              • Source File: 00000000.00000002.255218379.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d4a000_itVg5XA6eK.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: ef11667f5f09cefd2b499e0dc818813f7cf8ffbdf43b0e8c4c0e373cf84e83b8
              • Instruction ID: 65c88a6a864dca247c56cace692da3b9c24af63431fed5fed64507814318e2f9
              • Opcode Fuzzy Hash: ef11667f5f09cefd2b499e0dc818813f7cf8ffbdf43b0e8c4c0e373cf84e83b8
              • Instruction Fuzzy Hash: D4219071640604AFE720CF59CC84FA7FBECEF14710F18846AED4A9B251D660E809CB72
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph
              nodes (id, address range, API called):
                133 d4a710-d4a71c; 135 d4a736-d4a778; 136 d4a71e-d4a735; 138 d4a7b9-d4a7be
                139 d4a77a-d4a782 FindCloseChangeNotification; 141 d4a788-d4a79a; 142 d4a7c0-d4a7c5; 143 d4a79c-d4a7b8
              edges:
                133->135; 133->136; 135->138; 135->139; 136->135; 138->139; 139->141; 141->142; 141->143; 142->143
              APIs
              • FindCloseChangeNotification.KERNELBASE(?), ref: 00D4A780
              Memory Dump Source
              • Source File: 00000000.00000002.255218379.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d4a000_itVg5XA6eK.jbxd
              Similarity
              • API ID: ChangeCloseFindNotification
              • String ID:
              • API String ID: 2591292051-0
              • Opcode ID: 76a1bab1fc341d0742583554b53605c17d542be12663f504469e824afab2a223
              • Instruction ID: a7cd888c35de3c65415cca182a39ba5b0b486357e640f1db7a94082fcf4b10f3
              • Opcode Fuzzy Hash: 76a1bab1fc341d0742583554b53605c17d542be12663f504469e824afab2a223
              • Instruction Fuzzy Hash: 8621A4B54497809FD7128B24DC85752BFB8EF52324F0984EBDC858F663D2349909CB62
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not reproduced; basic blocks in the range d4a486-d4a533; call to RegSetValueExW in block d4a4f2-d4a505)
              APIs
              • RegSetValueExW.KERNELBASE(?,00000E2C,D5CFC09A,00000000,00000000,00000000,00000000), ref: 00D4A4F8
              Memory Dump Source
              • Source File: 00000000.00000002.255218379.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d4a000_itVg5XA6eK.jbxd
              Similarity
              • API ID: Value
              • String ID:
              • API String ID: 3702945584-0
              • Opcode ID: ef8bd0219efe5ddba5c1186ade2c42bdbf5f49c2b4687d95450b5e6d4cfe3c7d
              • Instruction ID: 36234eddaf26965367efba9fa3fcc055698831893779f1071fade5ac46b4a8b4
              • Opcode Fuzzy Hash: ef8bd0219efe5ddba5c1186ade2c42bdbf5f49c2b4687d95450b5e6d4cfe3c7d
              • Instruction Fuzzy Hash: BE1190B2540600AFEB208F19DD45F6BFBACEF14724F18846AED499B641D660E848CA72
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not reproduced; basic blocks in the range d4a2d2-d4a35f; call to SetErrorMode in block d4a32a-d4a33d)
              APIs
              • SetErrorMode.KERNELBASE(?), ref: 00D4A330
              Memory Dump Source
              • Source File: 00000000.00000002.255218379.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d4a000_itVg5XA6eK.jbxd
              Similarity
              • API ID: ErrorMode
              • String ID:
              • API String ID: 2340568224-0
              • Opcode ID: f404004dae6cdb028880d0bbedd22755ef88ac6894c88eb2fd31465e4929d3af
              • Instruction ID: 1a8c983ab8d484810bd19ffe63b7ac7d8c81851319f25e64c9a994ae852b5a87
              • Opcode Fuzzy Hash: f404004dae6cdb028880d0bbedd22755ef88ac6894c88eb2fd31465e4929d3af
              • Instruction Fuzzy Hash: FC214A7144E3C05FD7138B298C54A52BFB49F07220F0D80DBDD858F2A3D2696808DB62
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not reproduced; basic blocks in the range d4ac2e-d4acd5; call to WriteFile in block d4ac87-d4ac8f)
              APIs
              • WriteFile.KERNELBASE(?,00000E2C,D5CFC09A,00000000,00000000,00000000,00000000), ref: 00D4AC8D
              Memory Dump Source
              • Source File: 00000000.00000002.255218379.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d4a000_itVg5XA6eK.jbxd
              Similarity
              • API ID: FileWrite
              • String ID:
              • API String ID: 3934441357-0
              • Opcode ID: beb21e66969e2cf3c0898dde25c7edfb0102deb67ad136ae8162d4017ff5ca3a
              • Instruction ID: 03deea99e2b465147583e4aa0f4718ead91cff7caad777deeb42e726bace537e
              • Opcode Fuzzy Hash: beb21e66969e2cf3c0898dde25c7edfb0102deb67ad136ae8162d4017ff5ca3a
              • Instruction Fuzzy Hash: 1811E371440200EFEB21CF59DC80FA7FBA8EF44324F18886BED499B241D275A408CB72
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not reproduced; basic blocks in the range d4aa9e-d4ab2a; call to GetFileType in block d4aaeb-d4aafe)
              APIs
              • GetFileType.KERNELBASE(?,00000E2C,D5CFC09A,00000000,00000000,00000000,00000000), ref: 00D4AAF1
              Memory Dump Source
              • Source File: 00000000.00000002.255218379.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d4a000_itVg5XA6eK.jbxd
              Similarity
              • API ID: FileType
              • String ID:
              • API String ID: 3081899298-0
              • Opcode ID: ba52faaa9c527529ec038486cbb1afceb654b089d9da3cf3648d15cc2bd6a313
              • Instruction ID: eb5c650a830177af62d97c3451ef51abe2b8f93a689afda7c5712377cfc5431a
              • Opcode Fuzzy Hash: ba52faaa9c527529ec038486cbb1afceb654b089d9da3cf3648d15cc2bd6a313
              • Instruction Fuzzy Hash: 2F01D271544600AFE720CF19DC85BA7FB98DF04724F18C4ABEE459B241D674A808CAB3
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not reproduced; basic blocks in the range d4a74e-d4a7c5; call to FindCloseChangeNotification in block d4a77a-d4a782)
              APIs
              • FindCloseChangeNotification.KERNELBASE(?), ref: 00D4A780
              Memory Dump Source
              • Source File: 00000000.00000002.255218379.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d4a000_itVg5XA6eK.jbxd
              Similarity
              • API ID: ChangeCloseFindNotification
              • String ID:
              • API String ID: 2591292051-0
              • Opcode ID: 1584e27562795c3f1db4e4888c2b01b6e6700fbae2f0d9489ffd8de691cad9cb
              • Instruction ID: 5b02709a356817439220a61693da6e125262282a4867df0f485e5f05d8944475
              • Opcode Fuzzy Hash: 1584e27562795c3f1db4e4888c2b01b6e6700fbae2f0d9489ffd8de691cad9cb
              • Instruction Fuzzy Hash: EF018F755442409FEB208F29D885766FBA4EF04320F18C4ABDD498F642D675E848CEB2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNELBASE(?), ref: 00D4A330
              Memory Dump Source
              • Source File: 00000000.00000002.255218379.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d4a000_itVg5XA6eK.jbxd
              Similarity
              • API ID: ErrorMode
              • String ID:
              • API String ID: 2340568224-0
              • Opcode ID: 57d088110c8622f485ea700827917a853eb1eb494b2463cb5aec85ff3a35fc23
              • Instruction ID: b82cf0bf7631c948caa9c998535de721cdb2a7178a37e3cfef4ca9003f163134
              • Opcode Fuzzy Hash: 57d088110c8622f485ea700827917a853eb1eb494b2463cb5aec85ff3a35fc23
              • Instruction Fuzzy Hash: 0DF0AF35944240DFDB208F59D888766FFA4EF04321F5CC4AADD494B352E2B5A448CEB3
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.255450884.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4c00000_itVg5XA6eK.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4dddc3e87bd628c9f8e0b140dda5615683e424c33d377d4089402f7c667c5a63
              • Instruction ID: c97a853bc8c2d24991e4a5b9924ab36deab608fdc4075693db2a6ce029923987
              • Opcode Fuzzy Hash: 4dddc3e87bd628c9f8e0b140dda5615683e424c33d377d4089402f7c667c5a63
              • Instruction Fuzzy Hash: 7DB18130700300CFDB19EB79D465A6D77A3FB89345B15846AD8019B3AAEF36AC43CB95
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.255450884.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4c00000_itVg5XA6eK.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c6585284b9e1939f566e3f0fe998bf19bd2f796266ea0084a1ad25a09d570d8d
              • Instruction ID: db2eb49e8a77ed284d710de4cae17b38d6c795d70e3190f126a7cac3c09d7ae9
              • Opcode Fuzzy Hash: c6585284b9e1939f566e3f0fe998bf19bd2f796266ea0084a1ad25a09d570d8d
              • Instruction Fuzzy Hash: 98B19530700300CFDB19EB79D464A6D77A3FB89345B158469D8019B3BAEF36AC42CB95
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.255450884.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4c00000_itVg5XA6eK.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0987d2fce6cfb3e7bb21068cf1a36140bb3c84e8b1a5ef76d8b923d93af4a9c4
              • Instruction ID: 7c0c092b7c102effd6cd35d7702572d656f3dc82c2ac76afc45d1a4fd1279e87
              • Opcode Fuzzy Hash: 0987d2fce6cfb3e7bb21068cf1a36140bb3c84e8b1a5ef76d8b923d93af4a9c4
              • Instruction Fuzzy Hash: 5DA15B30704201CFD719EB78E864B6D37E2EB88345B254479D5069B3BAEF76AC42CB91
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.255450884.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4c00000_itVg5XA6eK.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bc3949b1c6928d0ad1079978dc8be30bf2f9b65cde7cec6950fa652e202650ab
              • Instruction ID: 6d861794f520f0511c206d08023d9834ab86d0226ffc59de4875201e5f890ab7
              • Opcode Fuzzy Hash: bc3949b1c6928d0ad1079978dc8be30bf2f9b65cde7cec6950fa652e202650ab
              • Instruction Fuzzy Hash: B7A18430700301CFDB19EB79D464A6D77A3FB89345B15846AD8019B3BAEF36AC42CB95
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.255450884.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4c00000_itVg5XA6eK.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 694f16e295daff22f648e458490b87b870909938095d619d69729f7195c121c5
              • Instruction ID: 14f6cb9a2fc9380cb24839dec7d4a379287ebc7c9feb51b3bdde56a8b87e65bf
              • Opcode Fuzzy Hash: 694f16e295daff22f648e458490b87b870909938095d619d69729f7195c121c5
              • Instruction Fuzzy Hash: 25411D30505245CBC704FF79E49099A3BB2FB847097588A7A94448B27FFB746D07CB92
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.255450884.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4c00000_itVg5XA6eK.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 05b2e3cf392d8f49ce61dc113aca942fbd7110588bbe43ec2b4a53cb52fcbe12
              • Instruction ID: 1e9c0638b11d7a5730daeb7c224020237a4abc6b0403c956f8973ba712c6c06b
              • Opcode Fuzzy Hash: 05b2e3cf392d8f49ce61dc113aca942fbd7110588bbe43ec2b4a53cb52fcbe12
              • Instruction Fuzzy Hash: 0401319A84E7C01FEB4342B41CB82D13F30AA23158B9B00CBC480CB4E7E10D0A1FC722
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.255275270.0000000002630000.00000040.00000020.00020000.00000000.sdmp, Offset: 02630000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2630000_itVg5XA6eK.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a1bf9a026aebe649121909c93865658b07019d13c5bba74674736985384f47dc
              • Instruction ID: 1dcc8d8fc4ddd68390204c3b784638a7f5975fa0fc83f2877267b0b289baf990
              • Opcode Fuzzy Hash: a1bf9a026aebe649121909c93865658b07019d13c5bba74674736985384f47dc
              • Instruction Fuzzy Hash: 4101D6755497806FD3128B16EC50953BFECDF8623070984ABEC498B652D125A909CB62
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.255275270.0000000002630000.00000040.00000020.00020000.00000000.sdmp, Offset: 02630000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2630000_itVg5XA6eK.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6585aa465b596bb3a7661415ede01191fc0c7db12a0c02a1d3f0548a0c0077a3
              • Instruction ID: 051297f46f74d7d6a6c57b0509c9f555c23db9e4f14865c90def86d637ac1aed
              • Opcode Fuzzy Hash: 6585aa465b596bb3a7661415ede01191fc0c7db12a0c02a1d3f0548a0c0077a3
              • Instruction Fuzzy Hash: DDE092766446004BD650CF0BEC41452F7D8EB88631718C47FDC0E8B700E135B505CEA6
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.255213053.0000000000D42000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D42000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d42000_itVg5XA6eK.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ce02b5e7cd0d668e2d5190426bced6b982e6e162b76d9411e4a8f3f2c8edaf18
              • Instruction ID: b67e9d5f73756c478cb78bc0c4366ca992fa5e4df503b99d7ac9d5dc47bd3c5c
              • Opcode Fuzzy Hash: ce02b5e7cd0d668e2d5190426bced6b982e6e162b76d9411e4a8f3f2c8edaf18
              • Instruction Fuzzy Hash: E7D05E79215A814FD3268A1CC1A9BB53BD4EB61B04F8A44F9E8408B6A3C768D981D210
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.255213053.0000000000D42000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D42000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d42000_itVg5XA6eK.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 60ae90f0a78cf77d663d8f033133e0ce4f4c786435319da65170fc62b35e022d
              • Instruction ID: 0716c1b14c19f67d185b6a2f05b235e5341c4aab32b525dcd4b9b9d9d94aa2c1
              • Opcode Fuzzy Hash: 60ae90f0a78cf77d663d8f033133e0ce4f4c786435319da65170fc62b35e022d
              • Instruction Fuzzy Hash: F6D05E343002814BCB15DF0CC598F6937E4AB41B14F4A44ECBC008B662C3A9DC81C610
              Uniqueness

              Uniqueness Score: -1.00%

              Execution Graph

              Execution Coverage:28.6%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:126
              Total number of Limit Nodes:1
              (execution graph image not reproduced; API calls reached in the graph: KiUserExceptionDispatcher, LoadLibraryA, ioctlsocket, OpenFileMappingW, ReadFile, RegEnumValueW, shutdown, ConvertStringSecurityDescriptorToSecurityDescriptorW, DuplicateHandle, select, MapViewOfFile, WSASocketW, SetProcessWorkingSetSize, GetProcessWorkingSetSize, getaddrinfo, GetProcessTimes, GetVolumeInformationA, WSAConnect, RegCreateKeyExW, RegQueryValueExW)

              Control-flow Graph

              (graph image not reproduced; basic blocks in the range a81321-a81486; call to OpenFileMappingW in block a8142b-a8144f)
              APIs
              • OpenFileMappingW.KERNELBASE(?,?), ref: 00A81431
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: FileMappingOpen
              • String ID:
              • API String ID: 1680863896-0
              • Opcode ID: 5ef501a58e4a0c940be58230bf6c42cb00624122cc4c56a3f1056b3df7f9497f
              • Instruction ID: 4aff17441d7ec70ca8cceaab5e91f0f3111b133b328463882e77cd121a3e8c8b
              • Opcode Fuzzy Hash: 5ef501a58e4a0c940be58230bf6c42cb00624122cc4c56a3f1056b3df7f9497f
              • Instruction Fuzzy Hash: ED41C3715493C06FE7128B25DC45F92FFB8EF02320F18849BE984DF293D265A808C762
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not reproduced; basic blocks in the range 9b0cd8-9b0e3a; call to KiUserExceptionDispatcher in block 9b0cd8-9b0d16; internal calls to 24b05cf, 24b05f6, 9b16e0, 9b23df and 9b23f0)
              APIs
              • KiUserExceptionDispatcher.NTDLL ref: 009B0CFF
              Memory Dump Source
              • Source File: 00000001.00000002.507343750.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_9b0000_rejdit_free_fire.jbxd
              Similarity
              • API ID: DispatcherExceptionUser
              • String ID:
              • API String ID: 6842923-0
              • Opcode ID: d0e1afc35ea2373cb2f61fe180c7f417a1d8985d16c540d2fccfb05dcb238249
              • Instruction ID: dc177df86a0bacdef8dd3036db3bdee01ace16cb4602e8b82bae7ab944667d4a
              • Opcode Fuzzy Hash: d0e1afc35ea2373cb2f61fe180c7f417a1d8985d16c540d2fccfb05dcb238249
              • Instruction Fuzzy Hash: 2F416031A002148FCB44DF78C58469EBBB6EFC8325B188579D909DB39ADB35DD81CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not reproduced; basic blocks in the range a80cd7-a80dc2; call to RegQueryValueExW in block a80d6e-a80da6)
              APIs
              • RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 00A80D9E
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: 73b88e8ca847be57264dd30e3c0afb57d00571ce0ca21c5decd4fb72e08923ae
              • Instruction ID: d03b9577817e56ae0d7f152349cf202e839410dfea4cb6e045cc34568754db30
              • Opcode Fuzzy Hash: 73b88e8ca847be57264dd30e3c0afb57d00571ce0ca21c5decd4fb72e08923ae
              • Instruction Fuzzy Hash: 7E319C6510E7C0AFD3138B359C61A62BF74EF47610B0E85CBE8C48F1A3D129A809C7B2
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not reproduced; basic blocks in the range a82b56-a82c63; call to RegCreateKeyExW in block a82c17-a82c2a)
              APIs
              • RegCreateKeyExW.KERNELBASE(?,00000E2C), ref: 00A82C1D
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: efab472db855ae07c3c1fa5e0aa9af189764ca8f387cb5975c3e44f8471a8cfa
              • Instruction ID: 7428f27c6bf01773a39994fccbf6e9ab46b71e2b35ab2374579caf3b3c4486a9
              • Opcode Fuzzy Hash: efab472db855ae07c3c1fa5e0aa9af189764ca8f387cb5975c3e44f8471a8cfa
              • Instruction Fuzzy Hash: 8A316F72504344AFEB218F65DD84F67BFECEF05710F08859AE985DB152D224E948CB61
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not reproduced; basic blocks in the range a81904-a81a21; call to getaddrinfo in block a819c5-a819cd)
              APIs
              • getaddrinfo.WS2_32(?,00000E2C), ref: 00A819CB
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: getaddrinfo
              • String ID:
              • API String ID: 300660673-0
              • Opcode ID: 0b3dd4340a1ad2f789f3dbef8fe0ab57caa9bc0e000f6b7608cbb3e7fc42f04f
              • Instruction ID: 1801ac5fbdea05cd2d0a375f600f01d17f2a7dbe3b0c7388f3c4adfad2825bdd
              • Opcode Fuzzy Hash: 0b3dd4340a1ad2f789f3dbef8fe0ab57caa9bc0e000f6b7608cbb3e7fc42f04f
              • Instruction Fuzzy Hash: F731C271144340BFEB21DB65DC84FA7FBACEF44310F14889AFA859B192D274A948CB61
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not reproduced; basic blocks in the range a81b92-a81c83; call to GetVolumeInformationA in block a81b92-a81c54)
              APIs
              • GetVolumeInformationA.KERNELBASE(?,00000E2C,?,?), ref: 00A81C52
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: InformationVolume
              • String ID:
              • API String ID: 2039140958-0
              • Opcode ID: fd736a29fa05ea9df9b102e386fcc4d2eff011af4b5630dbd53271ced336ac96
              • Instruction ID: 2caf4c24c2e6bac1eaedc4b9ff40aa653536933713900cd7d7afad0c52b8bb65
              • Opcode Fuzzy Hash: fd736a29fa05ea9df9b102e386fcc4d2eff011af4b5630dbd53271ced336ac96
              • Instruction Fuzzy Hash: B4318E7140D3C06FD7138B359C51A62BFB8AF47610F1D81DBE8C48F1A3D224A959C7A2
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not reproduced; single basic block a83092-a8316e; call to RegEnumValueW)
              APIs
              • RegEnumValueW.KERNELBASE(?,00000E2C,?,?), ref: 00A8314A
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: EnumValue
              • String ID:
              • API String ID: 2814608202-0
              • Opcode ID: b8022c4a7de5e8fb5d7af2ade8c0b0416bdd37e7ebd794a4bb6081db3f2271c0
              • Instruction ID: c658564a283991da53a82ce1aa432d6955f07a6f986805469ebab9313138abb6
              • Opcode Fuzzy Hash: b8022c4a7de5e8fb5d7af2ade8c0b0416bdd37e7ebd794a4bb6081db3f2271c0
              • Instruction Fuzzy Hash: 1C31B47550D7C06FD3038B25DC51A62BF74EF47614F1E80CBE8848B6A3D125690AD7B2
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not reproduced; basic blocks in the range a811f0-a812e3; call to ConvertStringSecurityDescriptorToSecurityDescriptorW in block a81281-a81289)
              APIs
              • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 00A81287
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: DescriptorSecurity$ConvertString
              • String ID:
              • API String ID: 3907675253-0
              • Opcode ID: 3591a675bf6da937b7d113a70175229ddc1af411637f6694b0ab6f7e3d7ee2f0
              • Instruction ID: 8364938cc7425c232106782165572e4f6108922443e76b16d1b9f9ca8b83c178
              • Opcode Fuzzy Hash: 3591a675bf6da937b7d113a70175229ddc1af411637f6694b0ab6f7e3d7ee2f0
              • Instruction Fuzzy Hash: AD3193725043456FEB11DB65DC45FA7FFACEF05310F0888AAE984DF152D224A909CB61
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph image not reproduced; basic blocks in the range a81488-a81582; call to MapViewOfFile in block a81534-a8154b)
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: FileView
              • String ID:
              • API String ID: 3314676101-0
              • Opcode ID: 9ae0cf3bc2759778a3fb812e2addfed2e76f4b3bea0eeef01b9fdd086f7efc64
              • Instruction ID: 715e11ee46c2cd194874e9e8ff72ad16c5bc0025c7d37808b4a7857280a5fc0d
              • Opcode Fuzzy Hash: 9ae0cf3bc2759778a3fb812e2addfed2e76f4b3bea0eeef01b9fdd086f7efc64
              • Instruction Fuzzy Hash: 7431F672404380AFE722CB15DD45F96FFF8EF16324F08859EE9848B262D374A909CB61
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph (interactive graph not reproduced; the original marks nodes as Executed / Not Executed): basic blocks a82b82 through a82c63, with RegCreateKeyExW called from block a82c17-a82c2a.
              APIs
              • RegCreateKeyExW.KERNELBASE(?,00000E2C), ref: 00A82C1D
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 918f0c08681e82e58965b630dd0052a779db38eb65c70722d443283314813537
              • Instruction ID: e15f42ac42885c9e478f830761263e24843a25807ae7d5a7b346e238747d612e
              • Opcode Fuzzy Hash: 918f0c08681e82e58965b630dd0052a779db38eb65c70722d443283314813537
              • Instruction Fuzzy Hash: 9A218072500204AFEB219F15DD85F7BFBECEF08714F18896AE945DA251D630E9488B71
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph (interactive graph not reproduced; the original marks nodes as Executed / Not Executed): basic blocks a82ec4 through a82fac, with GetProcessWorkingSetSize called from block a82f55-a82f5d.
              APIs
              • GetProcessWorkingSetSize.KERNEL32(?,00000E2C,CF04E8B5,00000000,00000000,00000000,00000000), ref: 00A82F5B
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: ProcessSizeWorking
              • String ID:
              • API String ID: 3584180929-0
              • Opcode ID: 78caf5c068fb44163a68d39ed5655ae19abe376c543967d7327ce23f86707069
              • Instruction ID: e11534bd2f7f62d281ef7a8d4601bea0857d121728496aa91add8c06cf6d6e93
              • Opcode Fuzzy Hash: 78caf5c068fb44163a68d39ed5655ae19abe376c543967d7327ce23f86707069
              • Instruction Fuzzy Hash: 4021A5715093806FE713CB24DC55B96BFB8AF46314F08C4EBE9889F193D225A949CB62
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph (interactive graph not reproduced; the original marks nodes as Executed / Not Executed): basic blocks a81926 through a81a21, with getaddrinfo called from block a819c5-a819cd.
              APIs
              • getaddrinfo.WS2_32(?,00000E2C), ref: 00A819CB
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: getaddrinfo
              • String ID:
              • API String ID: 300660673-0
              • Opcode ID: 5ede22d4725d06dda30d49c3bdd77a9943c23f066ab9d1d77c928b3db424dc65
              • Instruction ID: 25090fc7ca38b276e6c9f3e5804ae713f6b73d855f874596e9ed8fbe37a8fbb9
              • Opcode Fuzzy Hash: 5ede22d4725d06dda30d49c3bdd77a9943c23f066ab9d1d77c928b3db424dc65
              • Instruction Fuzzy Hash: AF21E571140200AFFB20EF65DC85FABFBACEF04710F14885AFE459B181D674A5098BB1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph (interactive graph not reproduced; the original marks nodes as Executed / Not Executed): basic blocks a82df5 through a82ec2, with select called from block a82e7e-a82e86.
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: select
              • String ID:
              • API String ID: 1274211008-0
              • Opcode ID: 3fe4aa649afbd7e8260251f0b583e6f7dfc1d4cd0a4c3014864faedaf3344ed0
              • Instruction ID: e8fa482427c3a18ea09974673522bc85b514aafbff71773a8354a4733b2cbe29
              • Opcode Fuzzy Hash: 3fe4aa649afbd7e8260251f0b583e6f7dfc1d4cd0a4c3014864faedaf3344ed0
              • Instruction Fuzzy Hash: F6215C755093849FDB22CF25DC44BA2BFF8EF06714F0884DAED84CB262D275A949CB61
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph (interactive graph not reproduced; the original marks nodes as Executed / Not Executed): basic blocks a81810 through a818ea, with GetProcessTimes called from block a81893-a8189b.
              APIs
              • GetProcessTimes.KERNELBASE(?,00000E2C,CF04E8B5,00000000,00000000,00000000,00000000), ref: 00A81899
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: ProcessTimes
              • String ID:
              • API String ID: 1995159646-0
              • Opcode ID: 3c2ab29ee85d6448836e43b38eecbb2f178ab063d8a3da5af43b8c166b54fc06
              • Instruction ID: 26b13bc8d5c7010231895029d7f4f433849e29d37e242fb550cd2c720394f5e0
              • Opcode Fuzzy Hash: 3c2ab29ee85d6448836e43b38eecbb2f178ab063d8a3da5af43b8c166b54fc06
              • Instruction Fuzzy Hash: 3721F771105340AFEB228F25DC45F97FFB8EF06310F0884AAE9859B152D234A409C761
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph (interactive graph not reproduced; the original marks nodes as Executed / Not Executed): basic blocks a80dca through a80eab, with WSASocketW called from block a80e50-a80e58.
              APIs
              • WSASocketW.WS2_32(?,?,?,?,?), ref: 00A80E56
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: Socket
              • String ID:
              • API String ID: 38366605-0
              • Opcode ID: 0b470cf0bab6317094d00aec1e465ae3758e8758d952c07e5245387c3c137853
              • Instruction ID: 5a9d856175b1ee9acde02232010113a4833f4501098a690160cd62de538ac5c6
              • Opcode Fuzzy Hash: 0b470cf0bab6317094d00aec1e465ae3758e8758d952c07e5245387c3c137853
              • Instruction Fuzzy Hash: 0C217C71509380AFE722CF65DD44F96FFB8EF05310F08889EE9859B292D375A408CB66
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegQueryValueExW.KERNELBASE(?,00000E2C,CF04E8B5,00000000,00000000,00000000,00000000), ref: 00A8119C
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: fa9b75f7180fde40990111a95066d2ba7c44d260caf3d6e982629374a81263b8
              • Instruction ID: d9695441a1662415bf3542d4c06a64eeb3fb8a1f3ad06cdf527c2e914e005bae
              • Opcode Fuzzy Hash: fa9b75f7180fde40990111a95066d2ba7c44d260caf3d6e982629374a81263b8
              • Instruction Fuzzy Hash: 50219F72504340AFE721CB25CC44F57BFFCAF45310F08859AE9859B292D324E909CB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 00A81287
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: DescriptorSecurity$ConvertString
              • String ID:
              • API String ID: 3907675253-0
              • Opcode ID: d9c61d5687a01138e953bb0a206f0ef6cb2f1fdb3dfd8869f3841a5dd43c607d
              • Instruction ID: a2b8ff3f74b0c67b45dabc42aa416f3bd309d08eb066fec4f4240d4127579c4d
              • Opcode Fuzzy Hash: d9c61d5687a01138e953bb0a206f0ef6cb2f1fdb3dfd8869f3841a5dd43c607d
              • Instruction Fuzzy Hash: BF218471500204AFEB20DF69DD45FABFBACEF04714F18886AED45DB241E674A5098B71
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetProcessWorkingSetSize.KERNEL32(?,00000E2C,CF04E8B5,00000000,00000000,00000000,00000000), ref: 00A8303F
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: ProcessSizeWorking
              • String ID:
              • API String ID: 3584180929-0
              • Opcode ID: 643ffcaaa0a05d78fb9e7287b695542a280b20911c82f624e8bff80b98fdddac
              • Instruction ID: 2e5fe03626fa344ad00ea71413952c5882576d525556eb15662737f63d434a16
              • Opcode Fuzzy Hash: 643ffcaaa0a05d78fb9e7287b695542a280b20911c82f624e8bff80b98fdddac
              • Instruction Fuzzy Hash: 7321C5715093806FEB11CB25DC44F97FFA8EF45314F0884AFE944DB252D264A504CB62
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • shutdown.WS2_32(?,00000E2C,CF04E8B5,00000000,00000000,00000000,00000000), ref: 00A817C0
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: shutdown
              • String ID:
              • API String ID: 2510479042-0
              • Opcode ID: 6da5020b3a839a60fa93feeb4d9518008c1b7d4b9b47f3df1e4cb2328a3f1a31
              • Instruction ID: 62f7a5ff4d515981f316882c277782bb13645912890584db8c07d2f5faed7487
              • Opcode Fuzzy Hash: 6da5020b3a839a60fa93feeb4d9518008c1b7d4b9b47f3df1e4cb2328a3f1a31
              • Instruction Fuzzy Hash: 4021AA71409384AFD712CB24DC55B56FFB8EF46314F1884EBE9449F152D264A544C762
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ReadFile.KERNELBASE(?,00000E2C,CF04E8B5,00000000,00000000,00000000,00000000), ref: 00A80BE1
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: 4a01177a02ab344c5035e719e60cd3933b686f8fe26c4c96984c5f6f7a41adb4
              • Instruction ID: 0b71d454fda6481daef54a3d1d93107cd7ac6d2d5ef29a2f8b5d9d1aa9cf014a
              • Opcode Fuzzy Hash: 4a01177a02ab344c5035e719e60cd3933b686f8fe26c4c96984c5f6f7a41adb4
              • Instruction Fuzzy Hash: 0821A472409340AFEB22CF65DC44F97FFB8EF45314F0884AAE9849B152D234A408CB72
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ioctlsocket.WS2_32(?,00000E2C,CF04E8B5,00000000,00000000,00000000,00000000), ref: 00A82DAB
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: ioctlsocket
              • String ID:
              • API String ID: 3577187118-0
              • Opcode ID: b2a95a0bf742b1bfb63a3ed9ec067385787f7a5596ad71d97f82bd5ebd7e9fec
              • Instruction ID: 3d91454bc874a1b7a2e607875f0a2d6b1aaa517538f46b0ea0614e43719e6319
              • Opcode Fuzzy Hash: b2a95a0bf742b1bfb63a3ed9ec067385787f7a5596ad71d97f82bd5ebd7e9fec
              • Instruction Fuzzy Hash: 96218171409384AFEB12CF65DC44FA6FFA8EF45314F0884ABE9449F252D274A508C762
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • OpenFileMappingW.KERNELBASE(?,?), ref: 00A81431
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: FileMappingOpen
              • String ID:
              • API String ID: 1680863896-0
              • Opcode ID: f2b3f89716ddd7d0c61ad7ac0e4def56e8ea314085d186077ba79b5de1049b4e
              • Instruction ID: 15e9006b6fd9df74e57622b53fc277b9af72b9c876ae9b2b8320efce3efea29a
              • Opcode Fuzzy Hash: f2b3f89716ddd7d0c61ad7ac0e4def56e8ea314085d186077ba79b5de1049b4e
              • Instruction Fuzzy Hash: F121D2B1504240AFEB20DF25DD85B66FBE8EF04724F18846EED858B241D375E809CB76
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WSASocketW.WS2_32(?,?,?,?,?), ref: 00A80E56
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: Socket
              • String ID:
              • API String ID: 38366605-0
              • Opcode ID: d86b2f73cc2f3601197900d3ff2f95ba89c294cd274e369a303c9230e573b8a3
              • Instruction ID: f37c4227a4d69e8e656e924b2003dc6413cfd87c2faaf0b43e7a4a5935364396
              • Opcode Fuzzy Hash: d86b2f73cc2f3601197900d3ff2f95ba89c294cd274e369a303c9230e573b8a3
              • Instruction Fuzzy Hash: 7C219D71504240AFEB21DF65DD44F67FBA9EF08324F18886EED858B251D375A408CB62
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: FileView
              • String ID:
              • API String ID: 3314676101-0
              • Opcode ID: 486f2a88c60619d91783bd913089372c6ca3f1ed96631b957835ab636a54b5b5
              • Instruction ID: b3cb04386e9aba1c80ebe27e88bae285cd9324b59f953cd1041080fee91ab4ce
              • Opcode Fuzzy Hash: 486f2a88c60619d91783bd913089372c6ca3f1ed96631b957835ab636a54b5b5
              • Instruction Fuzzy Hash: 8021C071500200EFE721DF15DD85FA6FBECEF08324F14845EE9859B251D771A509CB62
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 00A81B52
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: Connect
              • String ID:
              • API String ID: 3144859779-0
              • Opcode ID: 9b21cba5d65040ce55d40a4c5e076abbbb18481b217ae168ba906dbe38d33ea4
              • Instruction ID: 7a67afbe0f17f05ae2629bc482d3b0ce102dd36f77ab4aebca94fc87df9d1cfe
              • Opcode Fuzzy Hash: 9b21cba5d65040ce55d40a4c5e076abbbb18481b217ae168ba906dbe38d33ea4
              • Instruction Fuzzy Hash: ED218071408384AFDB228F65DC44B52BFB8EF06710F0884DAED858B162D235A819DB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNELBASE(?,00000E2C), ref: 00A81EF7
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 2978861d0afb5a74f9c0fe89c0d545420c3a089eae075aee23d8fc37087fa479
              • Instruction ID: 54d23e55266d8b96c015c1d944eec6b1fc99200522443af60a0729cf4d0c7ca3
              • Opcode Fuzzy Hash: 2978861d0afb5a74f9c0fe89c0d545420c3a089eae075aee23d8fc37087fa479
              • Instruction Fuzzy Hash: 8B11D6715443406FE721CB15DC85FA6FFB8DF45720F18849AFE449B292D364A948CB62
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegQueryValueExW.KERNELBASE(?,00000E2C,CF04E8B5,00000000,00000000,00000000,00000000), ref: 00A8119C
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: 49599aaaa9fbf2041ec8e97a8570ca511465aaf6260eb983612ac5d5be1f7557
              • Instruction ID: f34573f227532e775813134a451a57ab89eba5667e2e38151c39c09f23b22b20
              • Opcode Fuzzy Hash: 49599aaaa9fbf2041ec8e97a8570ca511465aaf6260eb983612ac5d5be1f7557
              • Instruction Fuzzy Hash: 4C11B171500200AFEB20DF15DC84FA7FBECEF04714F18896AEE459B251D660E809CB72
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetProcessTimes.KERNELBASE(?,00000E2C,CF04E8B5,00000000,00000000,00000000,00000000), ref: 00A81899
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: ProcessTimes
              • String ID:
              • API String ID: 1995159646-0
              • Opcode ID: a882ce83a41f2084e7e9c0adade662a53d0d14ce9ed31d922defd54ce9996a9b
              • Instruction ID: 35fbd266762d50dba0071dc701e11e5e83ba4d41f66dc62061b634b32850404b
              • Opcode Fuzzy Hash: a882ce83a41f2084e7e9c0adade662a53d0d14ce9ed31d922defd54ce9996a9b
              • Instruction Fuzzy Hash: 0911E272500200EFEB219F65DC85FABFBACEF04324F18846AED498B241D674A409CB72
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetProcessWorkingSetSize.KERNEL32(?,00000E2C,CF04E8B5,00000000,00000000,00000000,00000000), ref: 00A8303F
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: ProcessSizeWorking
              • String ID:
              • API String ID: 3584180929-0
              • Opcode ID: af949013d968f6a6c1519de10534108f4cf67150e4ecbf599f1cfa0bb97c8943
              • Instruction ID: 3f16f80cf1ac3cca3b485f1e20f320c98bcecdf0fbd8a3c8f4bdb3fa43884eb3
              • Opcode Fuzzy Hash: af949013d968f6a6c1519de10534108f4cf67150e4ecbf599f1cfa0bb97c8943
              • Instruction Fuzzy Hash: C411E372500200AFEB10DF69DC85BABFBA8EF04724F18C46BED49DB241D674A504CB72
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetProcessWorkingSetSize.KERNEL32(?,00000E2C,CF04E8B5,00000000,00000000,00000000,00000000), ref: 00A82F5B
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: ProcessSizeWorking
              • String ID:
              • API String ID: 3584180929-0
              • Opcode ID: af949013d968f6a6c1519de10534108f4cf67150e4ecbf599f1cfa0bb97c8943
              • Instruction ID: b8c17cb74cb84b7c5524ab5bcd920744db36658748d545ef0af770c95f220878
              • Opcode Fuzzy Hash: af949013d968f6a6c1519de10534108f4cf67150e4ecbf599f1cfa0bb97c8943
              • Instruction Fuzzy Hash: 9411C171500200AFEB10DF25DC85BABFBA8EF44324F18846BEE49DB241D674A814CB72
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A80076
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 98d525fce8d6fbff3d7aa8f312a59135c7999a8356a34429c731cd6fda3f4e59
              • Instruction ID: e8239423417adc90506d00ca42feb5f2fbf92020ed0a33881c2370160a5dae3e
              • Opcode Fuzzy Hash: 98d525fce8d6fbff3d7aa8f312a59135c7999a8356a34429c731cd6fda3f4e59
              • Instruction Fuzzy Hash: 2C218131409380AFDB228F61DC44A52FFF4EF46320F09849AED858B162D279A859CB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ReadFile.KERNELBASE(?,00000E2C,CF04E8B5,00000000,00000000,00000000,00000000), ref: 00A80BE1
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: 6f889dcb4cc46140ffdaad537224156f351a504c2dffcb5112e3077242d02ce4
              • Instruction ID: 2e75305035db09aed8d9eaf37be184d28e8f0995c102878a956c450db6f27dba
              • Opcode Fuzzy Hash: 6f889dcb4cc46140ffdaad537224156f351a504c2dffcb5112e3077242d02ce4
              • Instruction Fuzzy Hash: A011C471400204EFEB21DF65DC44FA6FBA8EF04714F18846AED459B241D274A408CB72
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ioctlsocket.WS2_32(?,00000E2C,CF04E8B5,00000000,00000000,00000000,00000000), ref: 00A82DAB
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: ioctlsocket
              • String ID:
              • API String ID: 3577187118-0
              • Opcode ID: ba95f2c0b365d20458b9b48b2cc7b358af09b7205fc56259b8f20d16a90310a9
              • Instruction ID: cae8c551b6ff10bf10bf60b338b64c90b6a18044f93fcb4da628696dae3f8fa4
              • Opcode Fuzzy Hash: ba95f2c0b365d20458b9b48b2cc7b358af09b7205fc56259b8f20d16a90310a9
              • Instruction Fuzzy Hash: 2A11A071404204AFEB21DF65DC84FA6FFA8EF44724F18846BEE499F241D674A408CB72
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • shutdown.WS2_32(?,00000E2C,CF04E8B5,00000000,00000000,00000000,00000000), ref: 00A817C0
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: shutdown
              • String ID:
              • API String ID: 2510479042-0
              • Opcode ID: 62d7f970f5498e6a2ee6d19d8ba2e523cc6c86b66828c6deeecd61024a4003ee
              • Instruction ID: df09a2ebba973a9fad04a2d14e25d94d8d82ba01f358c171ae2ac9eb58aa2fde
              • Opcode Fuzzy Hash: 62d7f970f5498e6a2ee6d19d8ba2e523cc6c86b66828c6deeecd61024a4003ee
              • Instruction Fuzzy Hash: 4811C271404204AEEB10DF25DC85BA6FBACEF44724F18C4ABED489B241D674A4058BB2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNELBASE(?,00000E2C), ref: 00A81EF7
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 24646977991df10326b90a0b516d9e34dd88ec42941ceee1cbbd3adf4d448818
              • Instruction ID: d7c7ff1aa72e5e16c59c91dd55f2895224e49171c68ca2fe48fb5e11d0c777d4
              • Opcode Fuzzy Hash: 24646977991df10326b90a0b516d9e34dd88ec42941ceee1cbbd3adf4d448818
              • Instruction Fuzzy Hash: EC11E531500200AFEB20DB15DC81BA6FBACDF04724F28C49AFE445B281D7B4A949CBB2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: select
              • String ID:
              • API String ID: 1274211008-0
              • Opcode ID: b9ca8bf169ac6af9826961e582c72cd85c85a85d9d925f5124f43f797e4cfac1
              • Instruction ID: a229364fc2d52742934f4989b9bc7ae60cbeb4bd8a553faa31a702481ec65c10
              • Opcode Fuzzy Hash: b9ca8bf169ac6af9826961e582c72cd85c85a85d9d925f5124f43f797e4cfac1
              • Instruction Fuzzy Hash: 60114C75600204DFEB20DF69D884B66FBE8EF04710F1884AAED49CB252D774E848CB75
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 00A81B52
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: Connect
              • String ID:
              • API String ID: 3144859779-0
              • Opcode ID: 736898024d9944f655898361897b6fd145db39e1bf4f4cae653be0aab813da4d
              • Instruction ID: 41d8a7d28bad96244dc0ca79ba906dbc7c3336aa105524fe7ccf0d329501156d
              • Opcode Fuzzy Hash: 736898024d9944f655898361897b6fd145db39e1bf4f4cae653be0aab813da4d
              • Instruction Fuzzy Hash: 20117C35500244DFDB20DF55D888B66FBF8EF08720F18C4AAED498B612E375E819DB62
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetVolumeInformationA.KERNELBASE(?,00000E2C,?,?), ref: 00A81C52
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: InformationVolume
              • String ID:
              • API String ID: 2039140958-0
              • Opcode ID: 5d7d858745ee86c81bfede672885bd6967ed6d136c13383b04e08c658b2eeecf
              • Instruction ID: 72fc54bcfb8c974c9515dae3ced512a9b197ce288a0bf02d995ae9cf8d82bb7e
              • Opcode Fuzzy Hash: 5d7d858745ee86c81bfede672885bd6967ed6d136c13383b04e08c658b2eeecf
              • Instruction Fuzzy Hash: B801B171940600ABD710DF16DD81B26FBA8EB88B20F14C12AED088B741D235B515CBE5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A80076
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 69f66581a270790cc7cdf9e60c636803988d9ae36a2d6f8649210d908f3e240a
              • Instruction ID: 6f5182dfea11faf6b06e946ea5ab1b79e29e4e535b6a354059e3048ce736dd5c
              • Opcode Fuzzy Hash: 69f66581a270790cc7cdf9e60c636803988d9ae36a2d6f8649210d908f3e240a
              • Instruction Fuzzy Hash: 55016D31404600DFDB619F55D844B66FFF4EF48720F18C9AAED894B612D276A418DF62
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegEnumValueW.KERNELBASE(?,00000E2C,?,?), ref: 00A8314A
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: EnumValue
              • String ID:
              • API String ID: 2814608202-0
              • Opcode ID: 6b01cb834093119717d292522a943b6708be8ab92217962d66f987592889f7eb
              • Instruction ID: b567eed091f298e6d93be4007021e50f5d8e8241d4740231a424961dab73e171
              • Opcode Fuzzy Hash: 6b01cb834093119717d292522a943b6708be8ab92217962d66f987592889f7eb
              • Instruction Fuzzy Hash: 2E01A271540600ABD310DF1ADD82B26FBA8FB88B20F14C11AED084B741D331F515CBE5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 00A80D9E
              Memory Dump Source
              • Source File: 00000001.00000002.507431022.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: 462b2a77a31e984f789f65f01d600022cc2436ff9b0f54049f6599974df9c722
              • Instruction ID: 2519c3c987703d8be0440c321a13362b3aeeb15d8b8e9b7940dd10fae3d78abb
              • Opcode Fuzzy Hash: 462b2a77a31e984f789f65f01d600022cc2436ff9b0f54049f6599974df9c722
              • Instruction Fuzzy Hash: 8601A271540600ABD310DF1ADD82B26FBA8FB88B20F14C11AED084B741D371F515CBE5
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000001.00000002.507604675.00000000024B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24b0000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dc07d05e618367144ca6167741423c604306c218df7591d339513adcadf253d5
              • Instruction ID: 52dd3755fe0a0cef13eee2a5a84fa662549960062f0fe6ee8086a7cbc4467546
              • Opcode Fuzzy Hash: dc07d05e618367144ca6167741423c604306c218df7591d339513adcadf253d5
              • Instruction Fuzzy Hash: AD2150351493C49FD7038B20D950B56BFB1EF87214F2986DBD8845B6A3C33A981BDB52
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000001.00000002.509319594.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_4a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5d9251a2228631588f9f0346e8a0d1dba20a0daf31b4d89f24191ca516e441e2
              • Instruction ID: c7dda04cff31ba42b71f7578246fd8e64243a1760e707f2be8cf0b29ce0b1fe6
              • Opcode Fuzzy Hash: 5d9251a2228631588f9f0346e8a0d1dba20a0daf31b4d89f24191ca516e441e2
              • Instruction Fuzzy Hash: 6D11BAB5908341AFD350CF19D880A5BFBE4FB88664F14896EF898D7311D231EA048FA2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000001.00000002.507604675.00000000024B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24b0000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6332f8e3e3911751952f034846591f5c9ce572f359be1fce700d3f934c4d7a56
              • Instruction ID: 49531da33c50c6634584b2c9114abe14851ee7383eb6b34925bf14b517698b43
              • Opcode Fuzzy Hash: 6332f8e3e3911751952f034846591f5c9ce572f359be1fce700d3f934c4d7a56
              • Instruction Fuzzy Hash: A011E430204240DFE316CB14C540B67BB95AF8C709F28D9AEE9891B352C777D843CA61
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000001.00000002.507604675.00000000024B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24b0000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7c7e61d72055ed8a0247b47a71f50d870ca20bb4c800af41f314ee9c5d6cc068
              • Instruction ID: 49a1a7a47b27291878baba74c4ac81cbc5e202b5363f8438078086717507c38a
              • Opcode Fuzzy Hash: 7c7e61d72055ed8a0247b47a71f50d870ca20bb4c800af41f314ee9c5d6cc068
              • Instruction Fuzzy Hash: 6B01A77550D7806FD712CB16AC40862FFB8DE86520708C49FEC498B652D1257809CB72
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000001.00000002.507604675.00000000024B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24b0000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4f31cdc15a0f649daff20f31872962bb780f798d0e56f3ea77abe80ef86f6d48
              • Instruction ID: c089ec729d13d3550883dcc0ea2f827a9a46d2fd3603daa7bff2678541e2fad2
              • Opcode Fuzzy Hash: 4f31cdc15a0f649daff20f31872962bb780f798d0e56f3ea77abe80ef86f6d48
              • Instruction Fuzzy Hash: 76F01D35144644DFD316CF00D540B66FBA2EB89718F24C6ADE9491B762C737D813DA91
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000001.00000002.507604675.00000000024B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_24b0000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aacf998979f5971f8c7b61d05a4ea8a11a4305c3b1b8f7ec407789031bd059b7
              • Instruction ID: a13ef89de4420afd9c9af8d39494bb2d8d70a7482c341737e6742f50a590806d
              • Opcode Fuzzy Hash: aacf998979f5971f8c7b61d05a4ea8a11a4305c3b1b8f7ec407789031bd059b7
              • Instruction Fuzzy Hash: 0FE06D76A046008BD650CF0BEC41452FB98EB88630718C07FDC0D8B700E135B5058EA6
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000001.00000002.509319594.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_4a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0ec6d2ff607d2ce70005c86f3aa4cdb227514a39caf92ca3fa5bd88bbf522027
              • Instruction ID: a71f97b80852263cb8c108bb622c483409b2b6eb7bad4e2ba1d5fd9385513756
              • Opcode Fuzzy Hash: 0ec6d2ff607d2ce70005c86f3aa4cdb227514a39caf92ca3fa5bd88bbf522027
              • Instruction Fuzzy Hash: F1E0D8729003006BD2109F06AC46B63FB98DB40A30F18C46BED0C5B702E172B514CAF1
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000001.00000002.509319594.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_4a80000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d2c8e1bb57ad9d76569c1c7ed87f4704c93c44f2e30d7ecacb24718f0b05854d
              • Instruction ID: f3385164a135874e3536676f7f98db2eb80558d53a5fd43b0e508451656575d0
              • Opcode Fuzzy Hash: d2c8e1bb57ad9d76569c1c7ed87f4704c93c44f2e30d7ecacb24718f0b05854d
              • Instruction Fuzzy Hash: A9E0D8B29403006BD2108F06AC45B63FB9CDB44A30F18C46BED0C5B742E171B5148AF1
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000D.00000002.317536516.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_2a40000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 947f3620053ee989066347df7d36ac4a8225d375077b3ea43f66d3b67fef73fa
              • Instruction ID: 99f5856a594c71789bc0fa8e54eed1169dbbca16e713ab0cf937865f30b03844
              • Opcode Fuzzy Hash: 947f3620053ee989066347df7d36ac4a8225d375077b3ea43f66d3b67fef73fa
              • Instruction Fuzzy Hash: 56B1C136700601CFCB08EB79D554A6E77B2FBC8345F154468DA029B3A8DF729C42DBA5
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000D.00000002.317536516.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_2a40000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 571291a8637485de55a7b3b6512f5e4fe057275594d0b4b3d0d4f5b857f3bc9a
              • Instruction ID: cc3711e28f2c4ecf6cdfe79cc065712110d7f00b5bdd3b6e410608653fc53ceb
              • Opcode Fuzzy Hash: 571291a8637485de55a7b3b6512f5e4fe057275594d0b4b3d0d4f5b857f3bc9a
              • Instruction Fuzzy Hash: 3FB1CF36700601CFCB08FB79D654A6E77B2BBC8345F154468DA029B3A8DF729C42DBA5
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000D.00000002.317536516.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_2a40000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c56f67ddda3235c0755623b75dbca45bfd0d638893ff7dc270534a1ceab92d2
              • Instruction ID: 64e90878069ccefb88ffd416ed54e28773d652a8d2b4e364f2485919e4bb66ac
              • Opcode Fuzzy Hash: 9c56f67ddda3235c0755623b75dbca45bfd0d638893ff7dc270534a1ceab92d2
              • Instruction Fuzzy Hash: B1A1CF36B00601CFCB08FB79D550A6D77B2BBC8345F158468DA029B3A9DF729C42DBA5
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000D.00000002.317536516.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_2a40000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8d748989d2b436a168d6c103185f5ef6d9a909ac9e113fe95cbd0e6bd723620c
              • Instruction ID: 96ba2200e98e4d6c4e947a72fbde66cd6764196c79f011325fdacd5717268aed
              • Opcode Fuzzy Hash: 8d748989d2b436a168d6c103185f5ef6d9a909ac9e113fe95cbd0e6bd723620c
              • Instruction Fuzzy Hash: 6E413232604A86CFC704FF2DE68088A3BA2FB85748B54C979D4448B36EDF746906DB52
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000D.00000002.317536516.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_2a40000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9146717c83da4a75ffd582e71450dd9b73d9a4ec258b8146f449934936ff43f
              • Instruction ID: ce9253c54c86683247a3fd9780e2d65f5146f3068b7c4fabc0b4afcdeb3117a9
              • Opcode Fuzzy Hash: f9146717c83da4a75ffd582e71450dd9b73d9a4ec258b8146f449934936ff43f
              • Instruction Fuzzy Hash: C9019D2108E3C18FC71387B448786A07FB0AE5B200B0E41CBC4C1CF0B3C619691EE766
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000D.00000002.317547754.0000000002A50000.00000040.00000020.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_2a50000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0d7d6167e119ec0043772212df3bf8bbd9646f444503c6eec1a4c6e6c9c9ed7d
              • Instruction ID: 62c07bc3ebe94039f052894baea25ecb1641993b61d708484ef58845c525d785
              • Opcode Fuzzy Hash: 0d7d6167e119ec0043772212df3bf8bbd9646f444503c6eec1a4c6e6c9c9ed7d
              • Instruction Fuzzy Hash: B0E092766046004BD650DF0BFC81452F7E8EB88630718C07FDC0D8B700E239B505CEA6
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 0000000E.00000002.331953997.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_2be0000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID: 8a
              • API String ID: 0-2698673895
              • Opcode ID: 4cfc378c01fb229c65be8334362638dcd33a569154b3a0b435d229ec4ad56fc4
              • Instruction ID: 192dd0eefe72853b184e1f1d5ab5f41425277c9e35ace954a27d6299be3ffc50
              • Opcode Fuzzy Hash: 4cfc378c01fb229c65be8334362638dcd33a569154b3a0b435d229ec4ad56fc4
              • Instruction Fuzzy Hash: 96B1A038700200DFCB15AB7AD45466E37F2EFC9345B1544A8D906AB3A4DF7A9CC6CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 0000000E.00000002.331953997.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_2be0000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID: 8a
              • API String ID: 0-2698673895
              • Opcode ID: 6081c289dd6c8306c84d366b8c70963357de7844989e579a7ea8aa5c9e11cff5
              • Instruction ID: 89f037f2e31c7ba1f13bb492face300ff36f32645354490cd84335e5409b56b1
              • Opcode Fuzzy Hash: 6081c289dd6c8306c84d366b8c70963357de7844989e579a7ea8aa5c9e11cff5
              • Instruction Fuzzy Hash: 51A19F38700200DFCB15EB7AD45466E37E2EFC9345B1544A8D906AB3A4DF7A9CC6CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 0000000E.00000002.331953997.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_2be0000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID: 8a
              • API String ID: 0-2698673895
              • Opcode ID: 7e7a3e4cfdb2bd19cf34bc7bbba839c045aae641515bfda0e9532a8115575058
              • Instruction ID: 88fe33ddf095d04a76b4254adaf568606134a01a99864c66c2d058c076c316e6
              • Opcode Fuzzy Hash: 7e7a3e4cfdb2bd19cf34bc7bbba839c045aae641515bfda0e9532a8115575058
              • Instruction Fuzzy Hash: 31A1AF38700200DFCB19AB7AD45466D37E2EFC9345B1944A8D906AB3A4DF7A9CC6CB61
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.331953997.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_2be0000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7fe5168469351517dac655ea1d57494b9d53ddab67992700e5009e0b92baf6a2
              • Instruction ID: 53be1d37d1ef7267497f43760ffe3d8e0190cd33bf6351f939c385c3df6ed5a9
              • Opcode Fuzzy Hash: 7fe5168469351517dac655ea1d57494b9d53ddab67992700e5009e0b92baf6a2
              • Instruction Fuzzy Hash: F4415238604245DFC704EF3AE48488A3BE2FBC574875486B9E4049B229DF786DCACB52
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.331975775.0000000002CF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_2cf0000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8442f3e33a68ce1701b4172f3e4bb7833b967bccafdc3d87527b01d4942c4258
              • Instruction ID: f51e70d2989c40e173824412e44dd74b6e866aec4cc2278532c3c1d13a3cd13f
              • Opcode Fuzzy Hash: 8442f3e33a68ce1701b4172f3e4bb7833b967bccafdc3d87527b01d4942c4258
              • Instruction Fuzzy Hash: 0D01A2B550D7806FD7128B16EC40863FFB8EE87270708C0AFEC498B652D225A909CB62
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.331953997.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_2be0000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bb49f8f2d872476a9d17d2ff8df991dedba45a400385e18ffa430def29d38cca
              • Instruction ID: 3814b112f17c2f79f9c2d97724ec03b7f7e7ef17e4f2bbcd51ab9458bc309243
              • Opcode Fuzzy Hash: bb49f8f2d872476a9d17d2ff8df991dedba45a400385e18ffa430def29d38cca
              • Instruction Fuzzy Hash: 2001008684E3D19FD32346740C7AA92BFB48E63012B4E05DB88D5CB1E7E50C5A0AD363
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.331975775.0000000002CF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_2cf0000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a49f41358b4aff8df0be8a3e43a2fd336e7a2a3be9ddf49fee29ee652aba7d71
              • Instruction ID: 82b0d3dae7d6087de604e0869844c90ba538976a889d08a1ef2bb9b9c5338acd
              • Opcode Fuzzy Hash: a49f41358b4aff8df0be8a3e43a2fd336e7a2a3be9ddf49fee29ee652aba7d71
              • Instruction Fuzzy Hash: A3E012B6A486045BD650DF0BEC41456F7D8EB88630718C47FDC0D8B711E679B505CEA6
              Uniqueness

              Uniqueness Score: -1.00%

              Execution Graph

              Execution Coverage: 12.4%
              Dynamic/Decrypted Code Coverage: 100%
              Signature Coverage: 0%
              Total number of Nodes: 12
              Total number of Limit Nodes: 0
              execution_graph 1038 146a646 1040 146a67e CreateMutexW 1038->1040 1041 146a6c1 1040->1041 1050 146a612 1051 146a646 CreateMutexW 1050->1051 1053 146a6c1 1051->1053 1054 146a462 1055 146a486 RegSetValueExW 1054->1055 1057 146a507 1055->1057 1058 146a361 1060 146a392 RegQueryValueExW 1058->1060 1061 146a41b 1060->1061

              Callgraph

              Control-flow Graph

              control_flow_graph 0 5530258-5530279 2 55302c0-55302f8 0->2 3 553027b-55302b6 0->3 10 55302fa 2->10 11 55302ff-553030c 2->11 3->2 10->11 13 5530343-5530407 11->13 14 553030e-5530338 11->14 33 5530409-553043b 13->33 34 553044e-553045f 13->34 14->13 33->34 37 5530461-5530467 34->37 38 553046a-5530475 34->38 37->38 41 55306b4-55306ca 38->41 42 553047b-5530481 38->42 41->34 44 5530483-5530496 42->44 45 55304a9-55304ad 42->45 44->45 47 55304e9-55304f0 45->47 48 55304af-55304ca 45->48 47->34 50 55304f6-5530562 47->50 48->47 58 55304cc-55304e1 48->58 66 5530564-55305bc 50->66 67 55305cf-553063b 50->67 58->47 66->67 67->34 79 5530641-5530699 67->79 79->34
              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.350680278.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_5530000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID: \Lq^$-\Lq^
              • API String ID: 0-2626571618
              • Opcode ID: a26b81e0524dfe2f0b2c9bac405d1d17a280c5b65ac971e6e149931cc3cf93ef
              • Instruction ID: bd98c6778fabac6eca80af51a165f84b04837461897cccd532c6cf71ae7d301c
              • Opcode Fuzzy Hash: a26b81e0524dfe2f0b2c9bac405d1d17a280c5b65ac971e6e149931cc3cf93ef
              • Instruction Fuzzy Hash: 6BB19730B00301CFCB58EB79D454A7E77AAFB88345F155469D8069B3A4DF3AAC42CB91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 85 553024a-5530279 88 55302c0-55302f8 85->88 89 553027b-55302b6 85->89 96 55302fa 88->96 97 55302ff-553030c 88->97 89->88 96->97 99 5530343-5530407 97->99 100 553030e-5530338 97->100 119 5530409-553043b 99->119 120 553044e-553045f 99->120 100->99 119->120 123 5530461-5530467 120->123 124 553046a-5530475 120->124 123->124 127 55306b4-55306ca 124->127 128 553047b-5530481 124->128 127->120 130 5530483-5530496 128->130 131 55304a9-55304ad 128->131 130->131 133 55304e9-55304f0 131->133 134 55304af-55304ca 131->134 133->120 136 55304f6-5530562 133->136 134->133 144 55304cc-55304e1 134->144 152 5530564-55305bc 136->152 153 55305cf-553063b 136->153 144->133 152->153 153->120 165 5530641-5530699 153->165 165->120
              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.350680278.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_5530000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID: \Lq^$-\Lq^
              • API String ID: 0-2626571618
              • Opcode ID: dfd960b7377c72f4d275f0c24397fb24dfcfe29cb0cca52a8b4f93641175bea7
              • Instruction ID: eb2d3ba60805a0f54d5c8f3bf5976934bb010d99586c5aa5d42b6ff2221453be
              • Opcode Fuzzy Hash: dfd960b7377c72f4d275f0c24397fb24dfcfe29cb0cca52a8b4f93641175bea7
              • Instruction Fuzzy Hash: E8B19730B00301CFCB58EB79D458A7E77AAFB88345F155569D8069B3A4DF3AAC42CB91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 171 55302a5-55302f8 179 55302fa 171->179 180 55302ff-553030c 171->180 179->180 182 5530343-5530407 180->182 183 553030e-5530338 180->183 202 5530409-553043b 182->202 203 553044e-553045f 182->203 183->182 202->203 206 5530461-5530467 203->206 207 553046a-5530475 203->207 206->207 210 55306b4-55306ca 207->210 211 553047b-5530481 207->211 210->203 213 5530483-5530496 211->213 214 55304a9-55304ad 211->214 213->214 216 55304e9-55304f0 214->216 217 55304af-55304ca 214->217 216->203 219 55304f6-5530562 216->219 217->216 227 55304cc-55304e1 217->227 235 5530564-55305bc 219->235 236 55305cf-553063b 219->236 227->216 235->236 236->203 248 5530641-5530699 236->248 248->203
              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.350680278.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_5530000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID: \Lq^$-\Lq^
              • API String ID: 0-2626571618
              • Opcode ID: fb3920d8bd3eaa5de5dc53d30be2a5c2adc6b2350924f025f5e59be3f0a2a601
              • Instruction ID: e6ccb3798965981724e502ed05e47e334c9046b6d11ba8041740bc3acb532ee0
              • Opcode Fuzzy Hash: fb3920d8bd3eaa5de5dc53d30be2a5c2adc6b2350924f025f5e59be3f0a2a601
              • Instruction Fuzzy Hash: CDA18530B00301CFCB59EB79D454A7D37AAFB88345F255569D8069B3A8DF3AAC42CB91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 254 146a612-146a695 258 146a697 254->258 259 146a69a-146a6a3 254->259 258->259 260 146a6a5 259->260 261 146a6a8-146a6b1 259->261 260->261 262 146a702-146a707 261->262 263 146a6b3-146a6d7 CreateMutexW 261->263 262->263 266 146a709-146a70e 263->266 267 146a6d9-146a6ff 263->267 266->267
              APIs
              • CreateMutexW.KERNELBASE(?,?), ref: 0146A6B9
              Memory Dump Source
              • Source File: 0000000F.00000002.350200744.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_146a000_rejdit_free_fire.jbxd
              Similarity
              • API ID: CreateMutex
              • String ID:
              • API String ID: 1964310414-0
              • Opcode ID: 6cafa4d7e4cd6ecaab840c5c8cca9426c579dc931db24a7ea9ca66b3cd03f0f1
              • Instruction ID: 44050f8a7669ce7dec4996f1a58801d822be474593a2e0672ffbc793b6ddae64
              • Opcode Fuzzy Hash: 6cafa4d7e4cd6ecaab840c5c8cca9426c579dc931db24a7ea9ca66b3cd03f0f1
              • Instruction Fuzzy Hash: E831AFB15097806FE712CB25CC84B56FFF8EF06314F18849AE9849B2A3D375E909C762
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 270 146a361-146a3cf 273 146a3d4-146a3dd 270->273 274 146a3d1 270->274 275 146a3e2-146a3e8 273->275 276 146a3df 273->276 274->273 277 146a3ed-146a404 275->277 278 146a3ea 275->278 276->275 280 146a406-146a419 RegQueryValueExW 277->280 281 146a43b-146a440 277->281 278->277 282 146a442-146a447 280->282 283 146a41b-146a438 280->283 281->280 282->283
              APIs
              • RegQueryValueExW.KERNELBASE(?,00000E2C,272698DC,00000000,00000000,00000000,00000000), ref: 0146A40C
              Memory Dump Source
              • Source File: 0000000F.00000002.350200744.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_146a000_rejdit_free_fire.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: 01c623be50dae91207436600622e66c92a85d5647ec7f4df8242747854a6c0ec
              • Instruction ID: eb926a5b888076659faa442da0f9feecea8b06c7b1d39b368610b81b7b581c34
              • Opcode Fuzzy Hash: 01c623be50dae91207436600622e66c92a85d5647ec7f4df8242747854a6c0ec
              • Instruction Fuzzy Hash: B7317F71104740AFE722CB25CC84F53BFBCEF06714F18849BE9859B2A2D264E849CB62
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 287 146a462-146a4c3 290 146a4c5 287->290 291 146a4c8-146a4d4 287->291 290->291 292 146a4d6 291->292 293 146a4d9-146a4f0 291->293 292->293 295 146a527-146a52c 293->295 296 146a4f2-146a505 RegSetValueExW 293->296 295->296 297 146a507-146a524 296->297 298 146a52e-146a533 296->298 298->297
              APIs
              • RegSetValueExW.KERNELBASE(?,00000E2C,272698DC,00000000,00000000,00000000,00000000), ref: 0146A4F8
              Memory Dump Source
              • Source File: 0000000F.00000002.350200744.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_146a000_rejdit_free_fire.jbxd
              Similarity
              • API ID: Value
              • String ID:
              • API String ID: 3702945584-0
              • Opcode ID: 62dd7be93cf23e542aeb3997611f9aa539a96b3d5751863f3299f734d82e95b0
              • Instruction ID: 4a0600b9c56f1d6bfa5b49b280db080c8c2e0306c265e5f921286eaca6b1cc4a
              • Opcode Fuzzy Hash: 62dd7be93cf23e542aeb3997611f9aa539a96b3d5751863f3299f734d82e95b0
              • Instruction Fuzzy Hash: CD2181721047806FEB228B25DC44F67BFBCEF46714F18849BE9859B252D264E448C772
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 302 146a646-146a695 305 146a697 302->305 306 146a69a-146a6a3 302->306 305->306 307 146a6a5 306->307 308 146a6a8-146a6b1 306->308 307->308 309 146a702-146a707 308->309 310 146a6b3-146a6bb CreateMutexW 308->310 309->310 312 146a6c1-146a6d7 310->312 313 146a709-146a70e 312->313 314 146a6d9-146a6ff 312->314 313->314
              APIs
              • CreateMutexW.KERNELBASE(?,?), ref: 0146A6B9
              Memory Dump Source
              • Source File: 0000000F.00000002.350200744.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_146a000_rejdit_free_fire.jbxd
              Similarity
              • API ID: CreateMutex
              • String ID:
              • API String ID: 1964310414-0
              • Opcode ID: 1fd857b0941907d4fd878286d951daef6a6322c3561ec66898015e296d6fbc45
              • Instruction ID: 39a2f50ef50ed36cce58e700b7ca91ef1b4b68ecde2e4e8d803cf832fe1f95a6
              • Opcode Fuzzy Hash: 1fd857b0941907d4fd878286d951daef6a6322c3561ec66898015e296d6fbc45
              • Instruction Fuzzy Hash: A521B071600640AFE721DF29CD85B66FBECEF04314F18846AED899B252D675E805CA62
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 146a392-146a447 (RegQueryValueExW call in block 146a406-146a419)
              APIs
              • RegQueryValueExW.KERNELBASE(?,00000E2C,272698DC,00000000,00000000,00000000,00000000), ref: 0146A40C
              Memory Dump Source
              • Source File: 0000000F.00000002.350200744.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_146a000_rejdit_free_fire.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: 88b4971ba5bef9cd09c1c6bdf01e0d5ba283848153b2da5b14c79fe3c75dc31c
              • Instruction ID: 890ae90ada7ab1320a749627a5e44571869dfa7730c7ff13229f8345aeb5ed1f
              • Opcode Fuzzy Hash: 88b4971ba5bef9cd09c1c6bdf01e0d5ba283848153b2da5b14c79fe3c75dc31c
              • Instruction Fuzzy Hash: 34214F75500604AEEB21CF19DC84F67BBECEF04714F18846BE9459B252D674E849CA72
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 146a486-146a533 (RegSetValueExW call in block 146a4f2-146a505)
              APIs
              • RegSetValueExW.KERNELBASE(?,00000E2C,272698DC,00000000,00000000,00000000,00000000), ref: 0146A4F8
              Memory Dump Source
              • Source File: 0000000F.00000002.350200744.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_146a000_rejdit_free_fire.jbxd
              Similarity
              • API ID: Value
              • String ID:
              • API String ID: 3702945584-0
              • Opcode ID: 15817f5d22f85694634ec409e6d9834bdf2070e9a2fdcf58535c35b9047570a8
              • Instruction ID: 0abc639ac206a529cd8cc33906746c1c5f254aa6b4458a7b1000e3ad329f9d5c
              • Opcode Fuzzy Hash: 15817f5d22f85694634ec409e6d9834bdf2070e9a2fdcf58535c35b9047570a8
              • Instruction Fuzzy Hash: 6B117CB2500600AFEB21DE19DC85B67BBACEF04718F18856BED45AB652D670E4488A72
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function entered at 146247c, blocks spanning 1462419-1462614 (no API calls; internal call to 14625a0 from block 1462529-146252f)
              Memory Dump Source
              • Source File: 0000000F.00000002.350190936.0000000001462000.00000040.00000800.00020000.00000000.sdmp, Offset: 01462000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_1462000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b60c61a6db9fc4c477dbad173cc97da512baac68f1e7faca70ab120ee04404fa
              • Instruction ID: 450b8844bb5ed94d9d341061c99ffb0e7d4720ae868d7bad6e84ad2ee603d18b
              • Opcode Fuzzy Hash: b60c61a6db9fc4c477dbad173cc97da512baac68f1e7faca70ab120ee04404fa
              • Instruction Fuzzy Hash: A471A06190E3D16FC7238B2899749647F79AE4322D35D41EBC485CF1B3E2B6884AC367
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 5530080-5530240 (two blocks, no API calls)
              Memory Dump Source
              • Source File: 0000000F.00000002.350680278.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_5530000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0f75ff395847b728c2b1999dc4b3babb7fe3115dcc7fb84ac0eb407c931f3e39
              • Instruction ID: 60ffdcc694881c45cc0a0a14f3f355299bf0c5c120aa56965b331aa07616b14e
              • Opcode Fuzzy Hash: 0f75ff395847b728c2b1999dc4b3babb7fe3115dcc7fb84ac0eb407c931f3e39
              • Instruction Fuzzy Hash: 22412430A05345CFCB44DF39E4409AB7BAEFB88708F54AAB9D4444B268DB785C46CF82
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 5530006-5530076 (call site at 5530070 resolved to 14d05cf, 55302a5, 553024a, 5530258 and 14d05f6; no API calls)
              Memory Dump Source
              • Source File: 0000000F.00000002.350680278.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_5530000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 99b129ad8095a9f2e6c383f98fd00bdbb162d57db30135205aac684d2a8f16b6
              • Instruction ID: 2d79320dc53249bcee3431dde91253143ca12623855b14466244909f35f6391b
              • Opcode Fuzzy Hash: 99b129ad8095a9f2e6c383f98fd00bdbb162d57db30135205aac684d2a8f16b6
              • Instruction Fuzzy Hash: 8F014DA648E3C15FC7438B649CA56813FB8AE5722070E15C79880CF1A7D62CA91DE732
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 14d05cf-14d0633 (two blocks, no API calls)
              Memory Dump Source
              • Source File: 0000000F.00000002.350247499.00000000014D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_14d0000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 014b1af778ce6bbbe2f0634aa0a50b34c0a70d067248ecff55ef0af9cbc2aa57
              • Instruction ID: 1553f7f1630dd3df1f2303a5998250c5c587a4901141fb6e825920ed6df8742e
              • Opcode Fuzzy Hash: 014b1af778ce6bbbe2f0634aa0a50b34c0a70d067248ecff55ef0af9cbc2aa57
              • Instruction Fuzzy Hash: FB01D6B550D3806FD712CB1AAC40863FFB8DF8662070CC0AFEC898B653D125A909CB76
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 14d05f6-14d0633 (two blocks, no API calls)
              Memory Dump Source
              • Source File: 0000000F.00000002.350247499.00000000014D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_14d0000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 432795beb6197bb24fe16ee6a7cc7b92f9ccc25b4fd2757fde76950ef7a12c86
              • Instruction ID: 546b9ddcd48e8475be998b3688a66c574991e3e254ba239a598e37cb616afab8
              • Opcode Fuzzy Hash: 432795beb6197bb24fe16ee6a7cc7b92f9ccc25b4fd2757fde76950ef7a12c86
              • Instruction Fuzzy Hash: 67E06DB66046004B9650DF0BEC81452FB98EB88630B18C07FDC0D8B701E535B5098EA6
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 14623f4-1462421 (no API calls)
              Memory Dump Source
              • Source File: 0000000F.00000002.350190936.0000000001462000.00000040.00000800.00020000.00000000.sdmp, Offset: 01462000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_1462000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e5eee45171d0bbde40c1cb5c5d3ccb681978349e0a5e14cb88e694ff03e6b27b
              • Instruction ID: 6fd87727f35efba15a8d98f753f4fb1eed8979580acd4de337e2492e38322731
              • Opcode Fuzzy Hash: e5eee45171d0bbde40c1cb5c5d3ccb681978349e0a5e14cb88e694ff03e6b27b
              • Instruction Fuzzy Hash: DDD05B752156915FD3168A1CC1A8F653FE4AF51708F4644FAD8408B773C764D581D101
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000F.00000002.350190936.0000000001462000.00000040.00000800.00020000.00000000.sdmp, Offset: 01462000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_1462000_rejdit_free_fire.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1a672e1ea668806f9bc777a1b1b0aa9e29b7b22a528bdfcb768011dc8b9204b5
              • Instruction ID: aba49f41b2352ddde0a1b730d3c63e18f575658cca90eae20100d715a8821770
              • Opcode Fuzzy Hash: 1a672e1ea668806f9bc777a1b1b0aa9e29b7b22a528bdfcb768011dc8b9204b5
              • Instruction Fuzzy Hash: D2D05E343002814BDB15DB1CC594F5A3BD8AB41B08F0644EAAC008B772C3B4D8C1C601
              Uniqueness

              Uniqueness Score: -1.00%