Windows Analysis Report
xOg18pHQGOQK.exe

Overview

General Information

Sample name:xOg18pHQGOQK.exe
Analysis ID:1433366
MD5:7c56a11493f60539d27f4dc5e6f887e3
SHA1:bf4c0c555f3a7e3cde73d30d3d00aae4b7519732
SHA256:29fdf08b1ea7405f7a6771b74f75cd30e6247e5ffb9095abb4208c4572b4f81f
Tags: exe, njRat
Infos:

Detection

Njrat
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Uses dynamic DNS services
Allocates memory with a write watch (potentially for evading sandboxes)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • xOg18pHQGOQK.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\xOg18pHQGOQK.exe" MD5: 7C56A11493F60539D27F4DC5E6F887E3)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
NjRAT | RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
{"Host": "sendfiletiahforem.duckdns.org", "Port": "1998", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "1d3f999c897"}
Source | Rule | Description | Author | Strings
xOg18pHQGOQK.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
Source | Rule | Description | Author | Strings
00000000.00000000.1639848862.00000000001D2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
Process Memory Space: xOg18pHQGOQK.exe PID: 7444 | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
Source | Rule | Description | Author | Strings
0.0.xOg18pHQGOQK.exe.1d0000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
No Sigma rule has matched
No Snort rule has matched

          AV Detection

Source: xOg18pHQGOQK.exe | Avira: detected
Source: 00000000.00000000.1639848862.00000000001D2000.00000002.00000001.01000000.00000003.sdmp | Malware Configuration Extractor: Njrat {"Host": "sendfiletiahforem.duckdns.org", "Port": "1998", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "1d3f999c897"}
Source: xOg18pHQGOQK.exe | Virustotal: Detection: 72%
Source: Yara match | File source: xOg18pHQGOQK.exe, type: SAMPLE
Source: Yara match | File source: 0.0.xOg18pHQGOQK.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1639848862.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xOg18pHQGOQK.exe PID: 7444, type: MEMORYSTR
Source: xOg18pHQGOQK.exe | Joe Sandbox ML: detected
Source: xOg18pHQGOQK.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: xOg18pHQGOQK.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Networking

Source: Malware configuration extractor | URLs: sendfiletiahforem.duckdns.org
Source: unknown | DNS query: name: sendfiletiahforem.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 85.60.29.68:1998
Source: Joe Sandbox View | ASN Name: UNI2-ASES UNI2-ASES
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: global traffic | DNS traffic detected: DNS query: sendfiletiahforem.duckdns.org
Source: xOg18pHQGOQK.exe, 00000000.00000002.4103935908.000000000090F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.
Source: xOg18pHQGOQK.exe, 00000000.00000002.4103935908.000000000090F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.LinkId=42127

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: xOg18pHQGOQK.exe, Keylogger.cs | .Net Code: VKCodeToUnicode

          E-Banking Fraud

Source: Yara match | File source: xOg18pHQGOQK.exe, type: SAMPLE
Source: Yara match | File source: 0.0.xOg18pHQGOQK.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1639848862.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xOg18pHQGOQK.exe PID: 7444, type: MEMORYSTR
Source: xOg18pHQGOQK.exe, 00000000.00000000.1639869536.00000000001D8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient1998 legion.exe4 vs xOg18pHQGOQK.exe
Source: xOg18pHQGOQK.exe, 00000000.00000002.4103935908.00000000008AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs xOg18pHQGOQK.exe
Source: xOg18pHQGOQK.exe | Binary or memory string: OriginalFilenameClient1998 legion.exe4 vs xOg18pHQGOQK.exe
Source: xOg18pHQGOQK.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal96.troj.spyw.evad.winEXE@1/0@4/1
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Code function: 0_2_04B8109A AdjustTokenPrivileges, 0_2_04B8109A
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Code function: 0_2_04B81063 AdjustTokenPrivileges, 0_2_04B81063
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Mutant created: \Sessions\1\BaseNamedObjects\1d3f999c897
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: xOg18pHQGOQK.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xOg18pHQGOQK.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: xOg18pHQGOQK.exe | Virustotal: Detection: 72%
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: xOg18pHQGOQK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: xOg18pHQGOQK.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Data Obfuscation

Source: xOg18pHQGOQK.exe, Program.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Process information set: NOOPENFILEERRORBOX (29 occurrences)
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Memory allocated: 2770000 memory reserve | memory write watch (2 occurrences)
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Memory allocated: 4770000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Window / User API: threadDelayed 3641
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Window / User API: threadDelayed 5714
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Window / User API: foregroundWindowGot 1767
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe TID: 7448 | Thread sleep count: 150 > 30
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe TID: 7448 | Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe TID: 7504 | Thread sleep count: 3641 > 30
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe TID: 7448 | Thread sleep count: 5714 > 30
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe TID: 7448 | Thread sleep time: -5714000s >= -30000s
Source: xOg18pHQGOQK.exe, 00000000.00000002.4103935908.000000000090F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW.WorkflowServi
Source: xOg18pHQGOQK.exe, 00000000.00000002.4103935908.000000000090F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"$
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: xOg18pHQGOQK.exe, Program.cs | Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, cbName, ref lpszVer, 100)
Source: xOg18pHQGOQK.exe, Keylogger.cs | Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: xOg18pHQGOQK.exe, Keylogger.cs | Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: xOg18pHQGOQK.exe, 00000000.00000002.4104500562.00000000029FB000.00000004.00000800.00020000.00000000.sdmp, xOg18pHQGOQK.exe, 00000000.00000002.4104500562.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: xOg18pHQGOQK.exe, 00000000.00000002.4104500562.00000000029FB000.00000004.00000800.00020000.00000000.sdmp, xOg18pHQGOQK.exe, 00000000.00000002.4104500562.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@9
Source: C:\Users\user\Desktop\xOg18pHQGOQK.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

Source: Yara match | File source: xOg18pHQGOQK.exe, type: SAMPLE
Source: Yara match | File source: 0.0.xOg18pHQGOQK.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1639848862.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xOg18pHQGOQK.exe PID: 7444, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: xOg18pHQGOQK.exe, type: SAMPLE
Source: Yara match | File source: 0.0.xOg18pHQGOQK.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1639848862.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xOg18pHQGOQK.exe PID: 7444, type: MEMORYSTR
MITRE ATT&CK Matrix (listed per tactic; a leading number is the count of signatures that matched the technique, techniques without a number did not match)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Access Token Manipulation; 1 Process Injection; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 2 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 1 Access Token Manipulation; 1 Process Injection; 1 Software Packing; 1 DLL Side-Loading
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Application Window Discovery; 2 System Information Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Input Capture; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Non-Standard Port; 1 Non-Application Layer Protocol; 21 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label | Link
xOg18pHQGOQK.exe | 72% | Virustotal | | Browse
xOg18pHQGOQK.exe | 100% | Avira | TR/Dropper.Gen7 |
xOg18pHQGOQK.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
sendfiletiahforem.duckdns.org | 2% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://go.microsoft. | 0% | URL Reputation | safe |
http://go.microsoft. | 0% | URL Reputation | safe |
sendfiletiahforem.duckdns.org | 2% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
sendfiletiahforem.duckdns.org | 85.60.29.68 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
sendfiletiahforem.duckdns.org | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://go.microsoft. | xOg18pHQGOQK.exe, 00000000.00000002.4103935908.000000000090F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://go.microsoft.LinkId=42127 | xOg18pHQGOQK.exe, 00000000.00000002.4103935908.000000000090F000.00000004.00000020.00020000.00000000.sdmp | false | | low
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
85.60.29.68 | sendfiletiahforem.duckdns.org | Spain | | 12479 | UNI2-ASES | true
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1433366
            Start date and time:2024-04-29 15:20:06 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 6m 12s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:xOg18pHQGOQK.exe
            Detection:MAL
            Classification:mal96.troj.spyw.evad.winEXE@1/0@4/1
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 64
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Override analysis time to 240000 for current running targets taking high CPU consumption
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
15:21:33 | API Interceptor | 1015260x Sleep call for process: xOg18pHQGOQK.exe modified
            No context
            No context
Match: UNI2-ASES
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
gVPlpwuoVV.elf | Get hash | malicious | Mirai | Browse | 90.172.70.110
TsDTSDr8mU.elf | Get hash | malicious | Mirai | Browse | 95.20.61.34
57O67GbOCj.elf | Get hash | malicious | Mirai | Browse | 62.37.247.32
Qymt4zooqx.elf | Get hash | malicious | Mirai | Browse | 90.106.32.44
mbkraX1GtP.elf | Get hash | malicious | Mirai | Browse | 90.74.253.44
jslLfC6rf3.elf | Get hash | malicious | Mirai | Browse | 85.57.45.57
VrTXQBQPLv.elf | Get hash | malicious | Mirai | Browse | 37.35.144.23
XMsAx1W894.elf | Get hash | malicious | Mirai | Browse | 89.47.25.31
00DZy4GniZ.elf | Get hash | malicious | Mirai | Browse | 85.48.34.100
AoHbJ6hkvi.elf | Get hash | malicious | Mirai | Browse | 95.20.61.41
            No context
            No context
            No created / dropped files found
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):3.8119221863019286
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
            • Win32 Executable (generic) a (10002005/4) 49.75%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Windows Screen Saver (13104/52) 0.07%
            • Win16/32 Executable Delphi generic (2074/23) 0.01%
            File name:xOg18pHQGOQK.exe
            File size:32'768 bytes
            MD5:7c56a11493f60539d27f4dc5e6f887e3
            SHA1:bf4c0c555f3a7e3cde73d30d3d00aae4b7519732
            SHA256:29fdf08b1ea7405f7a6771b74f75cd30e6247e5ffb9095abb4208c4572b4f81f
            SHA512:8fcf75040effe56f8b864e9f36b3593e88a539fc92c906ca7517cdd1133c0be0a2a344376913fc031a9d72683a6bb5bb8074d80f859347bcb7ae6f7cbf627115
            SSDEEP:384:p0bUe5XB4e0XmOlCNfSLujLFWTitTUFQqz9fObb4:ST9Bu1MZSLuntZb4
            TLSH:50E2070A7BA54125D6BC26FC9CB313210772E3478532EBAF5CDC88CA4B676D44245EEA
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]./f.................P... .......g... ........@.. ....................................@................................
            Icon Hash:90cececece8e8eb0
            Entrypoint:0x40678e
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x662F985D [Mon Apr 29 12:53:49 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: the zero-filled bytes following the entrypoint stub, which disassemble as this instruction)
            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0x673c0x4f.text
            IMAGE_DIRECTORY_ENTRY_RESOURCE0x80000x2c8.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0xa0000xc.reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0x4794 | 0x5000 | 59924c4d8d580e74f892490a8caf5a8b | False | 0.475830078125 | data | 5.299871863670247 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc | 0x8000 | 0x2c8 | 0x1000 | 7944783bd9ebd6aa464da3ee45beabad | False | 0.0791015625 | data | 0.7162266161967275 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0xa000 | 0xc | 0x1000 | 7275e7aee2c7060ad2e48cd27e87079a | False | 0.008544921875 | data | 0.013126943721219527 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_VERSION | 0x8058 | 0x26c | data | | | 0.4532258064516129
            DLL | Import
            mscoree.dll | _CorExeMain
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Apr 29, 2024 15:21:05.502932072 CEST | 49730 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:21:06.517497063 CEST | 49730 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:21:08.533152103 CEST | 49730 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:21:12.548779964 CEST | 49730 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:21:20.564455986 CEST | 49730 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:21:28.598450899 CEST | 49737 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:21:29.611293077 CEST | 49737 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:21:31.626816988 CEST | 49737 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:21:35.642421961 CEST | 49737 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:21:43.642503023 CEST | 49737 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:21:51.659868002 CEST | 49738 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:21:52.673790932 CEST | 49738 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:21:54.689304113 CEST | 49738 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:21:58.720491886 CEST | 49738 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:22:06.720529079 CEST | 49738 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:22:14.888724089 CEST | 49740 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:22:15.892354965 CEST | 49740 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:22:17.908006907 CEST | 49740 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:22:21.924021006 CEST | 49740 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:22:29.954854965 CEST | 49740 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:22:37.973324060 CEST | 49741 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:22:38.986042023 CEST | 49741 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:22:41.001667976 CEST | 49741 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:22:45.173531055 CEST | 49741 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:22:53.267292976 CEST | 49741 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:23:01.286709070 CEST | 49742 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:23:02.298517942 CEST | 49742 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:23:04.376621962 CEST | 49742 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:23:08.376669884 CEST | 49742 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:23:16.376738071 CEST | 49742 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:23:24.533206940 CEST | 49743 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:23:25.532886982 CEST | 49743 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:23:27.548476934 CEST | 49743 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:23:31.564188004 CEST | 49743 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:23:39.579674006 CEST | 49743 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:23:47.596554995 CEST | 49744 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:23:48.689110041 CEST | 49744 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:23:50.691854954 CEST | 49744 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:23:54.892195940 CEST | 49744 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:24:02.892188072 CEST | 49744 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:24:10.911221027 CEST | 49745 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:24:12.095316887 CEST | 49745 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:24:14.095289946 CEST | 49745 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:24:18.095278025 CEST | 49745 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:24:26.095235109 CEST | 49745 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:24:34.269404888 CEST | 49746 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:24:35.282752037 CEST | 49746 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:24:37.282723904 CEST | 49746 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:24:41.298353910 CEST | 49746 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:24:49.298335075 CEST | 49746 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:24:57.912220001 CEST | 49747 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:24:59.048337936 CEST | 49747 | 1998 | 192.168.2.4 | 85.60.29.68
            Apr 29, 2024 15:25:01.157685041 CEST | 49747 | 1998 | 192.168.2.4 | 85.60.29.68
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Apr 29, 2024 15:21:05.357311964 CEST | 65526 | 53 | 192.168.2.4 | 1.1.1.1
            Apr 29, 2024 15:21:05.498766899 CEST | 53 | 65526 | 1.1.1.1 | 192.168.2.4
            Apr 29, 2024 15:22:14.737595081 CEST | 54132 | 53 | 192.168.2.4 | 1.1.1.1
            Apr 29, 2024 15:22:14.887754917 CEST | 53 | 54132 | 1.1.1.1 | 192.168.2.4
            Apr 29, 2024 15:23:24.393218994 CEST | 52021 | 53 | 192.168.2.4 | 1.1.1.1
            Apr 29, 2024 15:23:24.531896114 CEST | 53 | 52021 | 1.1.1.1 | 192.168.2.4
            Apr 29, 2024 15:24:34.127686977 CEST | 50429 | 53 | 192.168.2.4 | 1.1.1.1
            Apr 29, 2024 15:24:34.268349886 CEST | 53 | 50429 | 1.1.1.1 | 192.168.2.4
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Apr 29, 2024 15:21:05.357311964 CEST | 192.168.2.4 | 1.1.1.1 | 0x8a60 | Standard query (0) | sendfiletiahforem.duckdns.org | A (IP address) | IN (0x0001) | false
            Apr 29, 2024 15:22:14.737595081 CEST | 192.168.2.4 | 1.1.1.1 | 0xae6c | Standard query (0) | sendfiletiahforem.duckdns.org | A (IP address) | IN (0x0001) | false
            Apr 29, 2024 15:23:24.393218994 CEST | 192.168.2.4 | 1.1.1.1 | 0xe664 | Standard query (0) | sendfiletiahforem.duckdns.org | A (IP address) | IN (0x0001) | false
            Apr 29, 2024 15:24:34.127686977 CEST | 192.168.2.4 | 1.1.1.1 | 0x5207 | Standard query (0) | sendfiletiahforem.duckdns.org | A (IP address) | IN (0x0001) | false
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Apr 29, 2024 15:21:05.498766899 CEST | 1.1.1.1 | 192.168.2.4 | 0x8a60 | No error (0) | sendfiletiahforem.duckdns.org | | 85.60.29.68 | A (IP address) | IN (0x0001) | false
            Apr 29, 2024 15:22:14.887754917 CEST | 1.1.1.1 | 192.168.2.4 | 0xae6c | No error (0) | sendfiletiahforem.duckdns.org | | 85.60.29.68 | A (IP address) | IN (0x0001) | false
            Apr 29, 2024 15:23:24.531896114 CEST | 1.1.1.1 | 192.168.2.4 | 0xe664 | No error (0) | sendfiletiahforem.duckdns.org | | 85.60.29.68 | A (IP address) | IN (0x0001) | false
            Apr 29, 2024 15:24:34.268349886 CEST | 1.1.1.1 | 192.168.2.4 | 0x5207 | No error (0) | sendfiletiahforem.duckdns.org | | 85.60.29.68 | A (IP address) | IN (0x0001) | false


            Target ID:0
            Start time:15:20:53
            Start date:29/04/2024
            Path:C:\Users\user\Desktop\xOg18pHQGOQK.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\xOg18pHQGOQK.exe"
            Imagebase:0x1d0000
            File size:32'768 bytes
            MD5 hash:7C56A11493F60539D27F4DC5E6F887E3
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1639848862.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
            Reputation:low
            Has exited:false


              Execution Graph

              Execution Coverage:17.2%
              Dynamic/Decrypted Code Coverage:98.1%
              Signature Coverage:5.6%
              Total number of Nodes:108
              Total number of Limit Nodes:4
              execution_graph 2691 abac2a 2692 abac68 DuplicateHandle 2691->2692 2694 abaca0 2691->2694 2693 abac76 2692->2693 2694->2692 2800 4b802ba 2801 4b802c1 GetComputerNameW 2800->2801 2803 4b80344 2801->2803 2804 aba2ae 2805 aba2b2 SetErrorMode 2804->2805 2807 aba31b 2805->2807 2808 4b813b3 2810 4b813d6 SetProcessWorkingSetSize 2808->2810 2811 4b81437 2810->2811 2852 4b80e22 2855 4b80e52 WSAConnect 2852->2855 2854 4b80ea6 2855->2854 2735 4b8109a 2737 4b810c9 AdjustTokenPrivileges 2735->2737 2738 4b810eb 2737->2738 2856 abac03 2857 abac2a DuplicateHandle 2856->2857 2859 abac76 2857->2859 2860 4b81610 2861 4b81632 RegCreateKeyExW 2860->2861 2863 4b816dc 2861->2863 2864 4b81715 2865 4b81758 FormatMessageW 2864->2865 2867 4b817e2 2865->2867 2812 abad9f 2813 abadce closesocket 2812->2813 2815 abae08 2813->2815 2788 abb61e 2791 abb656 CreateFileW 2788->2791 2790 abb6a5 2791->2790 2872 aba612 2874 aba646 CreateMutexW 2872->2874 2875 aba6c1 2874->2875 2876 aba710 2877 aba74e FindCloseChangeNotification 2876->2877 2879 aba788 2877->2879 2816 4b805fa 2817 4b8061a MapViewOfFile 2816->2817 2819 4b806a1 2817->2819 2820 abbeee 2821 abbf0e WSASocketW 2820->2821 2823 abbf82 2821->2823 2880 aba462 2882 aba486 RegSetValueExW 2880->2882 2883 aba507 2882->2883 2884 4b81063 2885 4b8106d AdjustTokenPrivileges 2884->2885 2887 4b810eb 2885->2887 2888 aba370 2889 aba392 RegQueryValueExW 2888->2889 2891 aba41b 2889->2891 2722 abb9f6 2725 abba2b ReadFile 2722->2725 2724 abba5d 2725->2724 2824 4b811e5 2825 4b81216 GetExitCodeProcess 2824->2825 2827 4b81274 2825->2827 2730 4b802e6 2731 4b80336 GetComputerNameW 2730->2731 2732 4b80344 2731->2732 2828 abb6f4 2830 abb736 GetFileType 2828->2830 2831 abb798 2830->2831 2747 abadce 2748 abadfa closesocket 2747->2748 2749 abae30 2747->2749 2750 abae08 2748->2750 2749->2748 2755 aba74e 2756 aba77a FindCloseChangeNotification 2755->2756 2757 aba7b9 2755->2757 2758 aba788 2756->2758 2757->2756 2832 4b80ede 2834 4b80f1a LookupPrivilegeValueW 
2832->2834 2835 4b80f6a 2834->2835 2896 4b80c50 2898 4b80c72 getaddrinfo 2896->2898 2899 4b80d1f 2898->2899 2836 aba7c7 2838 aba7fa RegOpenKeyExW 2836->2838 2839 aba888 2838->2839 2767 aba646 2768 aba67e CreateMutexW 2767->2768 2770 aba6c1 2768->2770 2779 49803e8 KiUserExceptionDispatcher 2780 498042c 2779->2780 2900 4b80b48 2901 4b80b66 GetProcessTimes 2900->2901 2903 4b80bed 2901->2903 2781 aba2da 2782 aba32f 2781->2782 2783 aba306 SetErrorMode 2781->2783 2782->2783 2784 aba31b 2783->2784 2840 abb5de 2843 abb61e CreateFileW 2840->2843 2842 abb6a5 2843->2842 2844 4b812cf 2845 4b812f2 GetProcessWorkingSetSize 2844->2845 2847 4b81353 2845->2847 2904 4b80444 2905 4b8046a ConvertStringSecurityDescriptorToSecurityDescriptorW 2904->2905 2907 4b804e3 2905->2907 2848 abb9d6 2850 abb9f6 ReadFile 2848->2850 2851 abba5d 2850->2851
              APIs
              • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04B810E3
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: AdjustPrivilegesToken
              • String ID:
              • API String ID: 2874748243-0
              • Opcode ID: 4918b8b51500f719c38d62b9a525f8e6c3ccbf05e859c2edf86c62db65635130
              • Instruction ID: 265d8549c1198a65d058e176a44dd727bd7c19cd36d7aa811c5046561a838397
              • Opcode Fuzzy Hash: 4918b8b51500f719c38d62b9a525f8e6c3ccbf05e859c2edf86c62db65635130
              • Instruction Fuzzy Hash: DD21BC76509384AFEB228F25DC40B52BFF4EF06310F0984DAE9858B563D274A908DB62
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04B810E3
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: AdjustPrivilegesToken
              • String ID:
              • API String ID: 2874748243-0
              • Opcode ID: 7d212cea786d639b1637eb7c491796d7d3288935a13659912025189287c2c476
              • Instruction ID: 2413c06f35a07d4684d4469c88116b3d68423be90b67fd0043528c2e7a163140
              • Opcode Fuzzy Hash: 7d212cea786d639b1637eb7c491796d7d3288935a13659912025189287c2c476
              • Instruction Fuzzy Hash: 00119E326012449FDB20DF69DD84B66FBE4EF04220F08C4AEED468B652D375E418DB61
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 0 49803f8-4980436 KiUserExceptionDispatcher 3 4980439-498043f 0->3 4 498052d-498053e 3->4 5 4980445-4980448 3->5 6 498044a 5->6 31 498044c call 840606 6->31 32 498044c call 8405e1 6->32 8 4980451-4980472 11 49804b9-49804bc 8->11 12 4980474-4980476 8->12 11->4 13 49804be-49804c4 11->13 33 4980478 call 840606 12->33 34 4980478 call 8405e1 12->34 35 4980478 call 4980ce6 12->35 13->6 14 49804c6-49804cd 13->14 16 498051e 14->16 17 49804cf-49804e5 14->17 15 498047e-4980485 18 49804b6 15->18 19 4980487-49804ae 15->19 22 4980528 16->22 17->4 23 49804e7-49804ef 17->23 18->11 19->18 22->3 24 4980510-4980516 23->24 25 49804f1-49804fc 23->25 24->16 25->4 27 49804fe-4980508 25->27 27->24 31->8 32->8 33->15 34->15 35->15
              APIs
              • KiUserExceptionDispatcher.NTDLL ref: 0498041F
              Memory Dump Source
              • Source File: 00000000.00000002.4105698634.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4980000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: DispatcherExceptionUser
              • String ID:
              • API String ID: 6842923-0
              • Opcode ID: 3c5f210c7314e2afcb4ed8e1921552faeb169fef77707b03c98de0a771d5c774
              • Instruction ID: 9a50575da4d8ab4f19895e601236fc99ca8c5e3d60be40115d5cf3b2d8978ad2
              • Opcode Fuzzy Hash: 3c5f210c7314e2afcb4ed8e1921552faeb169fef77707b03c98de0a771d5c774
              • Instruction Fuzzy Hash: D5318031A002048FCB14EF7DC98499DB7E6EF88214B198479D809DB35AEB74ED85CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 36 abb5de-abb676 40 abb67b-abb687 36->40 41 abb678 36->41 42 abb689 40->42 43 abb68c-abb695 40->43 41->40 42->43 44 abb697-abb6bb CreateFileW 43->44 45 abb6e6-abb6eb 43->45 48 abb6ed-abb6f2 44->48 49 abb6bd-abb6e3 44->49 45->44 48->49
              APIs
              • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00ABB69D
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: cb6a5dd7ad20c188c1a18f99dcba57be42a0a1d9b9c26c40504272ac206c84da
              • Instruction ID: 0f9704e16e1192660b4ea99926453fe3ce1daaefa331760badcc89177dda02ba
              • Opcode Fuzzy Hash: cb6a5dd7ad20c188c1a18f99dcba57be42a0a1d9b9c26c40504272ac206c84da
              • Instruction Fuzzy Hash: 15318071505380AFE722CB65DC44BA2BFE8EF16314F08849AE9848B653D375E909DB71
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 52 49803e8-4980425 KiUserExceptionDispatcher 53 498042c-4980436 52->53 55 4980439-498043f 53->55 56 498052d-498053e 55->56 57 4980445-4980448 55->57 58 498044a 57->58 83 498044c call 840606 58->83 84 498044c call 8405e1 58->84 60 4980451-4980472 63 49804b9-49804bc 60->63 64 4980474-4980476 60->64 63->56 65 49804be-49804c4 63->65 85 4980478 call 840606 64->85 86 4980478 call 8405e1 64->86 87 4980478 call 4980ce6 64->87 65->58 66 49804c6-49804cd 65->66 68 498051e 66->68 69 49804cf-49804e5 66->69 67 498047e-4980485 70 49804b6 67->70 71 4980487-49804ae 67->71 74 4980528 68->74 69->56 75 49804e7-49804ef 69->75 70->63 71->70 74->55 76 4980510-4980516 75->76 77 49804f1-49804fc 75->77 76->68 77->56 79 49804fe-4980508 77->79 79->76 83->60 84->60 85->67 86->67 87->67
              APIs
              • KiUserExceptionDispatcher.NTDLL ref: 0498041F
              Memory Dump Source
              • Source File: 00000000.00000002.4105698634.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4980000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: DispatcherExceptionUser
              • String ID:
              • API String ID: 6842923-0
              • Opcode ID: d6eda4b96558c607bb4b545bed33281066617cc49525786a640a5fb799c44381
              • Instruction ID: 3303b9883d7304404a1f863c5b432caac34b6667ce9e4fd694599b4a6ad08ca8
              • Opcode Fuzzy Hash: d6eda4b96558c607bb4b545bed33281066617cc49525786a640a5fb799c44381
              • Instruction Fuzzy Hash: 6E319371A002008FCB14DF79C99499DB7F6AF88304B1981BDD809DB35AEB78DD85CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 88 4b81610-4b8168a 92 4b8168c 88->92 93 4b8168f-4b8169b 88->93 92->93 94 4b8169d 93->94 95 4b816a0-4b816a9 93->95 94->95 96 4b816ab 95->96 97 4b816ae-4b816c5 95->97 96->97 99 4b81707-4b8170c 97->99 100 4b816c7-4b816da RegCreateKeyExW 97->100 99->100 101 4b816dc-4b81704 100->101 102 4b8170e-4b81713 100->102 102->101
              APIs
              • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04B816CD
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 6950a32ce1c3af14cd40fbcfa5ca366000e21dca4a9767e788d48fbd50175027
              • Instruction ID: 2cbf4fd2f961067b657a03ff1dcd9fedb7e154f45c8b0ebde6d60cbc826c03ad
              • Opcode Fuzzy Hash: 6950a32ce1c3af14cd40fbcfa5ca366000e21dca4a9767e788d48fbd50175027
              • Instruction Fuzzy Hash: F331ADB2501344AFE7229F25CC44FA7BBECEF19614F08859EF985CB652D224E809CB71
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 107 abbe04-abbe1b 109 abbe3d-abbe6f 107->109 110 abbe1d-abbe3c 107->110 114 abbe72-abbeca RegQueryValueExW 109->114 110->109 116 abbed0-abbee6 114->116
              APIs
              • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 00ABBEC2
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: e74e0c5c2358fb1f5225c30783dddc4129853c3c7ff3cacab2e7e3464eba833a
              • Instruction ID: b92c864fb6bebf29c0059d5e14148040472f19cc0a93d5f676841bd38b3a0304
              • Opcode Fuzzy Hash: e74e0c5c2358fb1f5225c30783dddc4129853c3c7ff3cacab2e7e3464eba833a
              • Instruction Fuzzy Hash: 86317C2510E3C06FD3138B258C21A61BFB4EF47614F0E85CBD8C49B6A3D269A919D7B2
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 117 aba7c7-aba855 121 aba85a-aba871 117->121 122 aba857 117->122 124 aba8b3-aba8b8 121->124 125 aba873-aba886 RegOpenKeyExW 121->125 122->121 124->125 126 aba8ba-aba8bf 125->126 127 aba888-aba8b0 125->127 126->127
              APIs
              • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00ABA879
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: Open
              • String ID:
              • API String ID: 71445658-0
              • Opcode ID: 1e568ac709f76aeaaa801399d2466fae4bfdfc506deb7715785c59b31dd58737
              • Instruction ID: cb28ddba2a313533b4285ff276a2bebe774649cec60f6b3122280df109455b9f
              • Opcode Fuzzy Hash: 1e568ac709f76aeaaa801399d2466fae4bfdfc506deb7715785c59b31dd58737
              • Instruction Fuzzy Hash: 9F31A7B24083846FE7228B51DC44FA7BFBCEF16314F08859AE985CB653D265E909C771
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 147 4b81715-4b81787 149 4b8178a-4b817dc FormatMessageW 147->149 151 4b817e2-4b8180b 149->151
              APIs
              • FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 04B817DA
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: FormatMessage
              • String ID:
              • API String ID: 1306739567-0
              • Opcode ID: df74f57461e95e4e91c11765624003c1aaa3d1af416a86b6ebbeaf342a1aa9f2
              • Instruction ID: 7e3d971d63065d2c40a917db9459970974a3d7656f9c1a68bd876d21d412b136
              • Opcode Fuzzy Hash: df74f57461e95e4e91c11765624003c1aaa3d1af416a86b6ebbeaf342a1aa9f2
              • Instruction Fuzzy Hash: 71318F7250D3C05FD7038B758C66A66BFB4EF47610F0A84CBD8849F6A3E6246919C7A2
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 132 4b80c50-4b80d0f 138 4b80d61-4b80d66 132->138 139 4b80d11-4b80d19 getaddrinfo 132->139 138->139 140 4b80d1f-4b80d31 139->140 142 4b80d68-4b80d6d 140->142 143 4b80d33-4b80d5e 140->143 142->143
              APIs
              • getaddrinfo.WS2_32(?,00000E24), ref: 04B80D17
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: getaddrinfo
              • String ID:
              • API String ID: 300660673-0
              • Opcode ID: fe5810da0d989495e74150dcbff43eaa452733ec5989c50da405045f39a26628
              • Instruction ID: 83da2dfcc2913b4b1b837c55164bb62735b2851993cfc65ba03e169a7505b9f8
              • Opcode Fuzzy Hash: fe5810da0d989495e74150dcbff43eaa452733ec5989c50da405045f39a26628
              • Instruction Fuzzy Hash: DA31AFB1504344AFE721DB50CC44FA6BBACEF14314F04889AFA489B681D274E908CB71
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 153 aba612-aba695 157 aba69a-aba6a3 153->157 158 aba697 153->158 159 aba6a8-aba6b1 157->159 160 aba6a5 157->160 158->157 161 aba6b3-aba6d7 CreateMutexW 159->161 162 aba702-aba707 159->162 160->159 165 aba709-aba70e 161->165 166 aba6d9-aba6ff 161->166 162->161 165->166
              APIs
              • CreateMutexW.KERNELBASE(?,?), ref: 00ABA6B9
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: CreateMutex
              • String ID:
              • API String ID: 1964310414-0
              • Opcode ID: 518c5e0b56b3d50e5633e316bbf34a08dd8a6ffb4b5dae62da04559871484653
              • Instruction ID: 29d005befb38cdd894c5a34a64e7b4ec6de4772cc8ff340b7f75861e8449cc8e
              • Opcode Fuzzy Hash: 518c5e0b56b3d50e5633e316bbf34a08dd8a6ffb4b5dae62da04559871484653
              • Instruction Fuzzy Hash: 7D3181B55093806FE712CB25DC45B96BFF8EF16314F08849AE984CB293D375E909C762
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 184 4b80b48-4b80bdd 189 4b80c2a-4b80c2f 184->189 190 4b80bdf-4b80be7 GetProcessTimes 184->190 189->190 192 4b80bed-4b80bff 190->192 193 4b80c31-4b80c36 192->193 194 4b80c01-4b80c27 192->194 193->194
              APIs
              • GetProcessTimes.KERNELBASE(?,00000E24,C7E5503A,00000000,00000000,00000000,00000000), ref: 04B80BE5
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: ProcessTimes
              • String ID:
              • API String ID: 1995159646-0
              • Opcode ID: 29cbb17dd1d8905250658e39c6195ef8a459d2636c83a05c5dae70169216e6bf
              • Instruction ID: 036bbe159066dd75a7ac33a275e6270bebc425071e97db9dd1f89302a4d708d5
              • Opcode Fuzzy Hash: 29cbb17dd1d8905250658e39c6195ef8a459d2636c83a05c5dae70169216e6bf
              • Instruction Fuzzy Hash: 703106725093806FE7228F60DC44F96BFB8EF16314F0984DAE984CF593D225A909CB71
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 169 4b80444-4b804c5 173 4b804ca-4b804d3 169->173 174 4b804c7 169->174 175 4b8052b-4b80530 173->175 176 4b804d5-4b804dd ConvertStringSecurityDescriptorToSecurityDescriptorW 173->176 174->173 175->176 177 4b804e3-4b804f5 176->177 179 4b80532-4b80537 177->179 180 4b804f7-4b80528 177->180 179->180
              APIs
              • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 04B804DB
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: DescriptorSecurity$ConvertString
              • String ID:
              • API String ID: 3907675253-0
              • Opcode ID: 19032a88481a75df4e09979a7526c46f9cd57826d19d3ad17224c6e304232f7e
              • Instruction ID: 73660513d730b3fcba16040505f8cca996a954da8e7e50dfe7bf19790e9ab1de
              • Opcode Fuzzy Hash: 19032a88481a75df4e09979a7526c46f9cd57826d19d3ad17224c6e304232f7e
              • Instruction Fuzzy Hash: 36318171504344AFE721DF64DC45FA6BBB8EF05214F08849AE945DB652D274E908CB71
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 197 4b81632-4b8168a 200 4b8168c 197->200 201 4b8168f-4b8169b 197->201 200->201 202 4b8169d 201->202 203 4b816a0-4b816a9 201->203 202->203 204 4b816ab 203->204 205 4b816ae-4b816c5 203->205 204->205 207 4b81707-4b8170c 205->207 208 4b816c7-4b816da RegCreateKeyExW 205->208 207->208 209 4b816dc-4b81704 208->209 210 4b8170e-4b81713 208->210 210->209
              APIs
              • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04B816CD
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: b0cb5dcd30fb1b55664c8a62d316fa771c126f67717d4342ec121281dbc083f5
              • Instruction ID: 4c06e18c37c928ec1e4797fe7c1fd6e2392b255b39d0dc4ede3124f16f4a3466
              • Opcode Fuzzy Hash: b0cb5dcd30fb1b55664c8a62d316fa771c126f67717d4342ec121281dbc083f5
              • Instruction Fuzzy Hash: F52191B6600204AFE721DE15CC44FA7B7ECEF14214F08849AE985C6651E724F409CA71
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 215 4b80c72-4b80d0f 220 4b80d61-4b80d66 215->220 221 4b80d11-4b80d19 getaddrinfo 215->221 220->221 222 4b80d1f-4b80d31 221->222 224 4b80d68-4b80d6d 222->224 225 4b80d33-4b80d5e 222->225 224->225
              APIs
              • getaddrinfo.WS2_32(?,00000E24), ref: 04B80D17
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: getaddrinfo
              • String ID:
              • API String ID: 300660673-0
              • Opcode ID: f6dc041505360f23111a848c48f501eb0dc07d3eb49e05e66c3633573d8b981f
              • Instruction ID: e670edfc14abbc72988ea77b53da88e9f8f45b90f4fee8e277c477c0b28a9098
              • Opcode Fuzzy Hash: f6dc041505360f23111a848c48f501eb0dc07d3eb49e05e66c3633573d8b981f
              • Instruction Fuzzy Hash: BD219171500204AEEB31EF50CC45FA6F7ACEF14714F04889AFA489A685D675F508CBB1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 229 aba370-aba3cf 232 aba3d1 229->232 233 aba3d4-aba3dd 229->233 232->233 234 aba3df 233->234 235 aba3e2-aba3e8 233->235 234->235 236 aba3ea 235->236 237 aba3ed-aba404 235->237 236->237 239 aba43b-aba440 237->239 240 aba406-aba419 RegQueryValueExW 237->240 239->240 241 aba41b-aba438 240->241 242 aba442-aba447 240->242 242->241
              APIs
              • RegQueryValueExW.KERNELBASE(?,00000E24,C7E5503A,00000000,00000000,00000000,00000000), ref: 00ABA40C
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: b07220df69621c11745a15709b05756f7749f710fb6f7c659521e4ded1e2f0ae
              • Instruction ID: 956704a441986aba649d08fe44bdd43342eccb014db60f877987977ff33d1394
              • Opcode Fuzzy Hash: b07220df69621c11745a15709b05756f7749f710fb6f7c659521e4ded1e2f0ae
              • Instruction Fuzzy Hash: 30215A76504744AFD721CB11DC84FA6BBFCEF15610F08849AE985CB692D364E908CB72
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              Basic blocks (id: address range -> successor ids):
              • 246: abb6f4-abb781 -> 250, 251
              • 250: abb783-abb796, calls GetFileType -> 252, 253
              • 251: abb7b6-abb7bb -> 250
              • 252: abb798-abb7b5 (no successors)
              • 253: abb7bd-abb7c2 -> 252
              APIs
              • GetFileType.KERNELBASE(?,00000E24,C7E5503A,00000000,00000000,00000000,00000000), ref: 00ABB789
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: FileType
              • String ID:
              • API String ID: 3081899298-0
              • Opcode ID: 2c688d2acaf22609fca0bc3e8b347257dab1e44513765b173141b476cf7622d2
              • Instruction ID: 1f02e3df8eee0bb0de554d4f4826c1ff804138a332adb52452b340c9a66f5144
              • Opcode Fuzzy Hash: 2c688d2acaf22609fca0bc3e8b347257dab1e44513765b173141b476cf7622d2
              • Instruction Fuzzy Hash: AD21FB754093806FE712CB15DC41FA2BFBCEF56324F0985D6E9808B293D364A909C771
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetExitCodeProcess.KERNELBASE(?,00000E24,C7E5503A,00000000,00000000,00000000,00000000), ref: 04B8126C
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: CodeExitProcess
              • String ID:
              • API String ID: 3861947596-0
              • Opcode ID: 19733db5f5b441b2fcfb09b109da419c83967e6817ba4c90b58b25139ea5a834
              • Instruction ID: adca08148c46d224fd8b1fada12b6ac51bb4f7c4d2ead37cc4f7e756e7370384
              • Opcode Fuzzy Hash: 19733db5f5b441b2fcfb09b109da419c83967e6817ba4c90b58b25139ea5a834
              • Instruction Fuzzy Hash: BF21C1715093806FEB12CB24DC44F96BFB8EF42214F0884DAE984DF692D268A908C771
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WSASocketW.WS2_32(?,?,?,?,?), ref: 00ABBF7A
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: Socket
              • String ID:
              • API String ID: 38366605-0
              • Opcode ID: 0eed7b750e5fa3a1ce5f2930343123c212b8f8aafeeb3582c678f6fd101025ee
              • Instruction ID: 8fd3cd313b0c489c660df7da938bec64139f9faeb22babca77657e186d8e427a
              • Opcode Fuzzy Hash: 0eed7b750e5fa3a1ce5f2930343123c212b8f8aafeeb3582c678f6fd101025ee
              • Instruction Fuzzy Hash: AE219E71409380AFE722CF51DC44FA6FFB8EF15210F08889AE9858B652D375E808CB62
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegSetValueExW.KERNELBASE(?,00000E24,C7E5503A,00000000,00000000,00000000,00000000), ref: 00ABA4F8
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: Value
              • String ID:
              • API String ID: 3702945584-0
              • Opcode ID: bbc24629aebf5d7ae8ed90b26c1783c55e1b5ec41361b4be2a563ec0e47a4e0a
              • Instruction ID: a9567bf94feab4e961dca7cfde177d8fa0cd56a36623623e2772517bc08cee78
              • Opcode Fuzzy Hash: bbc24629aebf5d7ae8ed90b26c1783c55e1b5ec41361b4be2a563ec0e47a4e0a
              • Instruction Fuzzy Hash: D52190725043806FD722CF11DC44FA7BFBCEF56214F08859AE985DB652D264E948CB72
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: FileView
              • String ID:
              • API String ID: 3314676101-0
              • Opcode ID: fba37fda7d71294101dfc3bfbf51b3c951c7c43d37aeaff6363770b1a794f158
              • Instruction ID: 46b9ce0bcd80bf3ee532a7ebfa010159d8903a002678cc1fa146a1339e04b0c1
              • Opcode Fuzzy Hash: fba37fda7d71294101dfc3bfbf51b3c951c7c43d37aeaff6363770b1a794f158
              • Instruction Fuzzy Hash: 2921B171405340AFE722CF55CC44F96FBF8EF19214F04849EE9848B652D375E908CB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00ABB69D
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: 744281c7a509ad99b5e1f38e406a6860f0eb6675b108de26dec6b1de6b39cf46
              • Instruction ID: 79e5b8c51abc80a18b9ff6174a8603b34b2b937c398fe51788e8476cfa1563d9
              • Opcode Fuzzy Hash: 744281c7a509ad99b5e1f38e406a6860f0eb6675b108de26dec6b1de6b39cf46
              • Instruction Fuzzy Hash: B521A171504204AFE721CF65DD85FA6FBE8EF18314F08886AE9858B756D3B5E808CB71
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 04B804DB
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: DescriptorSecurity$ConvertString
              • String ID:
              • API String ID: 3907675253-0
              • Opcode ID: 4667543bea18f119cc7709d3e2318c5f58d1189d16652f4ffbfdf7360399d33a
              • Instruction ID: e96a8c0aebb3fb20fc3e6ee33d2edfc13082c481049b3a68518a054c24c93331
              • Opcode Fuzzy Hash: 4667543bea18f119cc7709d3e2318c5f58d1189d16652f4ffbfdf7360399d33a
              • Instruction Fuzzy Hash: 1021D472600204AFEB20EF24DC44FAABBECEF14314F0888AAED45DB641D774E508CA71
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegQueryValueExW.KERNELBASE(?,00000E24,C7E5503A,00000000,00000000,00000000,00000000), ref: 04B803F0
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: 22f45efe7263ee9b8a6abe4080ec81c937cd7e2e5415f094d97740a397974392
              • Instruction ID: 4bde65a139804e2769917195784bd8a77ca75c8b9f91099ca0d080b06908cbe2
              • Opcode Fuzzy Hash: 22f45efe7263ee9b8a6abe4080ec81c937cd7e2e5415f094d97740a397974392
              • Instruction Fuzzy Hash: 2F21AF72504344AFD722DF15CC44F97BBF8EF19210F08849AE985DB652D364E908CB71
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04B80F62
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              • Opcode ID: 3acf0aef0e532e5c895e5cb2a9f72a03dc690965ecc1afcfae5908ee77683513
              • Instruction ID: 8cbb3327fc7bfea6119177d10c7c9f808931125d8c52d4fc1e69a91686d3151e
              • Opcode Fuzzy Hash: 3acf0aef0e532e5c895e5cb2a9f72a03dc690965ecc1afcfae5908ee77683513
              • Instruction Fuzzy Hash: 59214C725093805FDB12DB25DC95BA2BFE8EF46210F0D84DAE885CB663D224A908D761
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00ABA879
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: Open
              • String ID:
              • API String ID: 71445658-0
              • Opcode ID: 13c3f502ebf15660559d65ac6da96b947e39d865f34c2df478dd8f2078b1c87b
              • Instruction ID: cb59ea739f070276f318c427c4b2afc7955d76bc840bb4aaea5ba42a3665e83b
              • Opcode Fuzzy Hash: 13c3f502ebf15660559d65ac6da96b947e39d865f34c2df478dd8f2078b1c87b
              • Instruction Fuzzy Hash: 9C21CF72500204AEE7219F55DC44FABFBACEF24314F04846AE9458AA52D735E8098AB2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetProcessWorkingSetSize.KERNEL32(?,00000E24,C7E5503A,00000000,00000000,00000000,00000000), ref: 04B8142F
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: ProcessSizeWorking
              • String ID:
              • API String ID: 3584180929-0
              • Opcode ID: 7ad9ab41676a656f9d5ded54473820379432cd1313a4dfd23c86d47716e7a9dd
              • Instruction ID: 05163784e9c2060871f34c8943dee6e9bc0ee2703e6828b89861f5571f7617ca
              • Opcode Fuzzy Hash: 7ad9ab41676a656f9d5ded54473820379432cd1313a4dfd23c86d47716e7a9dd
              • Instruction Fuzzy Hash: 212104715093846FE722CF14CC44FA6BFB8EF05210F08C49AE984CB252D234E908CB71
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetProcessWorkingSetSize.KERNEL32(?,00000E24,C7E5503A,00000000,00000000,00000000,00000000), ref: 04B8134B
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: ProcessSizeWorking
              • String ID:
              • API String ID: 3584180929-0
              • Opcode ID: 7ad9ab41676a656f9d5ded54473820379432cd1313a4dfd23c86d47716e7a9dd
              • Instruction ID: 7a6b28d0fbfa56c58816c73919ac4468149480687b619f3335ff379382286ae0
              • Opcode Fuzzy Hash: 7ad9ab41676a656f9d5ded54473820379432cd1313a4dfd23c86d47716e7a9dd
              • Instruction Fuzzy Hash: 4521C2715093806FE722CF15DC44FA6BFA8EF46214F08C49AE985DB696D274E908CBB1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateMutexW.KERNELBASE(?,?), ref: 00ABA6B9
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: CreateMutex
              • String ID:
              • API String ID: 1964310414-0
              • Opcode ID: 2385662be18cd149bb25a1360dd1a62a4c12c69aa732a8d90e57db74401e58e5
              • Instruction ID: a1eee953d42408a9a7463494a58b22c7fc41e6788829f7788b55395e2d4ceeb0
              • Opcode Fuzzy Hash: 2385662be18cd149bb25a1360dd1a62a4c12c69aa732a8d90e57db74401e58e5
              • Instruction Fuzzy Hash: BB21B0B56042009FE720CF25CD45BA6FBE8EF24314F088469E984CB746D775E808CA72
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ReadFile.KERNELBASE(?,00000E24,C7E5503A,00000000,00000000,00000000,00000000), ref: 00ABBA55
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: 1d88709baf40602b259479bb19a6da13418b85fab8f9ae22c33c6bfc80d43e52
              • Instruction ID: 1312d8e9381ebc769c633852b47d7c8c95f4dfada32d9b26851cf88b702ba9fd
              • Opcode Fuzzy Hash: 1d88709baf40602b259479bb19a6da13418b85fab8f9ae22c33c6bfc80d43e52
              • Instruction Fuzzy Hash: 4821CF72404380AFDB22CF51DC44F96BFB8EF55310F08889AE9849B656C274A908CBB2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegQueryValueExW.KERNELBASE(?,00000E24,C7E5503A,00000000,00000000,00000000,00000000), ref: 00ABA40C
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: 87f19af1df869f3822a227f4f5ac81ecac00e635adef2a476a3245eca9391b28
              • Instruction ID: 6ba264025a1ab42de33595f43a5173188a52eedb04c2d11883c8e0bd26baf3b9
              • Opcode Fuzzy Hash: 87f19af1df869f3822a227f4f5ac81ecac00e635adef2a476a3245eca9391b28
              • Instruction Fuzzy Hash: 79218E75600204AFE720CF15CC84FA6B7ECEF24714F04C46AE946CB652D7B4E809CA72
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WSASocketW.WS2_32(?,?,?,?,?), ref: 00ABBF7A
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: Socket
              • String ID:
              • API String ID: 38366605-0
              • Opcode ID: 680c0b49f846670f5e8e484ed83082189c5b8adcad50113740f29b31d620a1a5
              • Instruction ID: 600ffb70bdbbf4df20641ebbacd632929541febac1e98a7a373f93cf54a82ea8
              • Opcode Fuzzy Hash: 680c0b49f846670f5e8e484ed83082189c5b8adcad50113740f29b31d620a1a5
              • Instruction Fuzzy Hash: 1E21A171504200AFEB21CF65DD45FA6FBE8EF18324F04886AE9858A656D3B5E408DB71
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04B80E9E
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: Connect
              • String ID:
              • API String ID: 3144859779-0
              • Opcode ID: b30941c0f26a0f39f4740c801460db10ae96e402516ad8c9904c1b4b542f51bf
              • Instruction ID: a21bc75dc4512d1de0d3a2b87fa88513c6a998bbed458d19eda6a139f0d5b659
              • Opcode Fuzzy Hash: b30941c0f26a0f39f4740c801460db10ae96e402516ad8c9904c1b4b542f51bf
              • Instruction Fuzzy Hash: 2F219F71508384AFDB228F55DC44B62BFF4EF06310F0988DEED858B662D275A818DB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: FileView
              • String ID:
              • API String ID: 3314676101-0
              • Opcode ID: 1827ed9c6d412ef88bff42647330c01392fd31d0e7a241bf39954c6dd8278fe3
              • Instruction ID: 31e47054ee1305f664e4553a2301552f0c1736177e5ebd85f351e02e54f39830
              • Opcode Fuzzy Hash: 1827ed9c6d412ef88bff42647330c01392fd31d0e7a241bf39954c6dd8278fe3
              • Instruction Fuzzy Hash: C621DE71500200AFEB21EF55CC84FA6FBE8EF18224F0484ADE9859B655D375F408CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegSetValueExW.KERNELBASE(?,00000E24,C7E5503A,00000000,00000000,00000000,00000000), ref: 00ABA4F8
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: Value
              • String ID:
              • API String ID: 3702945584-0
              • Opcode ID: aaeccdcb3c45db9b4a9359b43861add652eafe9715a08fbc5570a0fdfa292102
              • Instruction ID: 3eaf7611c9d1540b5aa38657405f777690d7d7d1f5db11804b4f29e673da77c5
              • Opcode Fuzzy Hash: aaeccdcb3c45db9b4a9359b43861add652eafe9715a08fbc5570a0fdfa292102
              • Instruction Fuzzy Hash: A011AF72500200AFE7318F15DC44FA6BBECEF24714F04855AE9459A752D374E908CAB2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegQueryValueExW.KERNELBASE(?,00000E24,C7E5503A,00000000,00000000,00000000,00000000), ref: 04B803F0
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: cff9dee0970140b83c752cc75c158e6fb063d27034b22be1698d47a3074567a6
              • Instruction ID: fd0d2dcb2d0e3d79076f5e7f83ef3aeb577af4c07faf702a3a963199422949c3
              • Opcode Fuzzy Hash: cff9dee0970140b83c752cc75c158e6fb063d27034b22be1698d47a3074567a6
              • Instruction Fuzzy Hash: 3F11AC72600604AFE731EE15CC84FA6B7E8EF18764F0884AAE9459BA51D374F408CAB1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindCloseChangeNotification.KERNELBASE(?), ref: 00ABA780
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: ChangeCloseFindNotification
              • String ID:
              • API String ID: 2591292051-0
              • Opcode ID: 4c7f7d0fb24af3eb0b8946d9dedf006746747a1fb7156bb6e651783390369ec2
              • Instruction ID: 55bf5189a183619e712d8c414d5850c764f06d29430c9764f15da5f9c7892486
              • Opcode Fuzzy Hash: 4c7f7d0fb24af3eb0b8946d9dedf006746747a1fb7156bb6e651783390369ec2
              • Instruction Fuzzy Hash: 3B21D2B15083809FD712CB55DD86B92BFA8EF12324F09849BED858B653D234A909CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetProcessTimes.KERNELBASE(?,00000E24,C7E5503A,00000000,00000000,00000000,00000000), ref: 04B80BE5
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: ProcessTimes
              • String ID:
              • API String ID: 1995159646-0
              • Opcode ID: 32afd1321ad8664d1302c886f272b40f61e233428fc8743e16c5a34a01074cbb
              • Instruction ID: 883dc94d468199fb044c8a97d0ccc916ffa706a397a7dccb041dd9b679e18f59
              • Opcode Fuzzy Hash: 32afd1321ad8664d1302c886f272b40f61e233428fc8743e16c5a34a01074cbb
              • Instruction Fuzzy Hash: 7F11D072600200AFEB21DF55DC44FAAFBA8EF14324F04C8AAED45DAA55D375E408DBB1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetProcessWorkingSetSize.KERNEL32(?,00000E24,C7E5503A,00000000,00000000,00000000,00000000), ref: 04B8134B
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: ProcessSizeWorking
              • String ID:
              • API String ID: 3584180929-0
              • Opcode ID: 09def2408e23934bc9416a0b0bea3e16fddc09cb01814fd6e351af9dd90c57a2
              • Instruction ID: 272bed321735806f299cf5707c154b9f00393b190e59954f80bf5ee5d19ccf16
              • Opcode Fuzzy Hash: 09def2408e23934bc9416a0b0bea3e16fddc09cb01814fd6e351af9dd90c57a2
              • Instruction Fuzzy Hash: E2110471600200AFE720CF14DC44FAABBE8EF14224F04C4AAE945DBA45D374E408CBB1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetProcessWorkingSetSize.KERNEL32(?,00000E24,C7E5503A,00000000,00000000,00000000,00000000), ref: 04B8142F
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: ProcessSizeWorking
              • String ID:
              • API String ID: 3584180929-0
              • Opcode ID: 09def2408e23934bc9416a0b0bea3e16fddc09cb01814fd6e351af9dd90c57a2
              • Instruction ID: 2ab5f7388a4d5afb0b832b93fe58ece7348ee1213ca7a77d090281321b54cbab
              • Opcode Fuzzy Hash: 09def2408e23934bc9416a0b0bea3e16fddc09cb01814fd6e351af9dd90c57a2
              • Instruction Fuzzy Hash: 32110471600204AFEB20CF58DC44FA6B7A8EF14224F08C8AAED45DB655D374E508CBB1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ABAC6E
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 0ba42e3353931a6b41795905f4217fe9d959fe5900983ccb12ba62be638617b4
              • Instruction ID: f18d925bc988f30def52df068b0eb2ececdddffb520004f39469deee1d9296de
              • Opcode Fuzzy Hash: 0ba42e3353931a6b41795905f4217fe9d959fe5900983ccb12ba62be638617b4
              • Instruction Fuzzy Hash: 7D118471409380AFDB228F51DC44A62FFF8EF5A310F0888DAED858B563D275A918DB71
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetExitCodeProcess.KERNELBASE(?,00000E24,C7E5503A,00000000,00000000,00000000,00000000), ref: 04B8126C
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: CodeExitProcess
              • String ID:
              • API String ID: 3861947596-0
              • Opcode ID: 4a677e1507c12b92e0ac78afc6e188e7253d8b7cbd9b0fb6b83e8a64abac2750
              • Instruction ID: 36fcba9660283c98eee1bc57457830e40997860cd8afa010fbccdc8e423f8fcc
              • Opcode Fuzzy Hash: 4a677e1507c12b92e0ac78afc6e188e7253d8b7cbd9b0fb6b83e8a64abac2750
              • Instruction Fuzzy Hash: BA11E371601200AFEB21DF19DC44FAAB7A8DF54224F04C4AAED45DB785D678F508CBB1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ReadFile.KERNELBASE(?,00000E24,C7E5503A,00000000,00000000,00000000,00000000), ref: 00ABBA55
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: 8ffaaa09715200cfae129a911ea60ef31623e98336961cbbcab3ed8171103912
              • Instruction ID: b6effb3b52092116e2a037f5938c7f32b032b47b799ba761fa5e8e0aae5ef759
              • Opcode Fuzzy Hash: 8ffaaa09715200cfae129a911ea60ef31623e98336961cbbcab3ed8171103912
              • Instruction Fuzzy Hash: 1511C172900200AFEB21CF55DC44FA6FBE8EF14324F04C86AE9859B656D375E908DBB1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 04B80336
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: ComputerName
              • String ID:
              • API String ID: 3545744682-0
              • Opcode ID: 6806779b3b356e88cd3994614064ffda9b5057e6ca3affe3eed490428e698059
              • Instruction ID: defa2de940611f3ba1313e6794d8248d4f816a7a3050cded830453c6ded1c52b
              • Opcode Fuzzy Hash: 6806779b3b356e88cd3994614064ffda9b5057e6ca3affe3eed490428e698059
              • Instruction Fuzzy Hash: DC11C4715093806FD311CB15CC45F26FFB8EF86620F09818FE8489B693D625B919CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNELBASE(?), ref: 00ABA30C
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: ErrorMode
              • String ID:
              • API String ID: 2340568224-0
              • Opcode ID: cf310ccc45348e6d9c238dd1d616518077df8feb39cef5c25d76da49c4c299a0
              • Instruction ID: 955180c26c02ef60b7c828b588cd3f59c20da607cad3bdc0d0eb5c2d62e8989c
              • Opcode Fuzzy Hash: cf310ccc45348e6d9c238dd1d616518077df8feb39cef5c25d76da49c4c299a0
              • Instruction Fuzzy Hash: 1D1191754093C06FD7228B15DD44B62BFB8EF56224F0980CAED848F263D225A808DB72
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04B80F62
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              • Opcode ID: d772c5006c4f30aa4d9f9b660253add8cb976daf5466c3d11146d46164fe3a82
              • Instruction ID: 2e977eae3f9b2b8392ca1c4492574cb2eb57a1ddfe76dc956f1e2e67987eee9f
              • Opcode Fuzzy Hash: d772c5006c4f30aa4d9f9b660253add8cb976daf5466c3d11146d46164fe3a82
              • Instruction Fuzzy Hash: 3A1182726002008FDB20EF19DD84B56FBE8EF04250F08C4AEEC49CB752E274F408CA61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFileType.KERNELBASE(?,00000E24,C7E5503A,00000000,00000000,00000000,00000000), ref: 00ABB789
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: FileType
              • String ID:
              • API String ID: 3081899298-0
              • Opcode ID: 52d179c572a77e4bb733ff2c8dd1c2b8f12dbe607e331826195f3dd48bdd2a48
              • Instruction ID: dc226cc0574952620f0f1ef2f7a27807094815b2297b0a191bb0e9a68a135e7e
              • Opcode Fuzzy Hash: 52d179c572a77e4bb733ff2c8dd1c2b8f12dbe607e331826195f3dd48bdd2a48
              • Instruction Fuzzy Hash: EE01C071510204AFE720CB15DD84FA6FBACDF64724F14C0A6EE459B746D7B8E8488AB1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: closesocket
              • String ID:
              • API String ID: 2781271927-0
              • Opcode ID: 11e973c512f9fde0f5ff112c5e3e60af1ef7746896781097a84b9b5cdd33c3d1
              • Instruction ID: 777e9f662bdc707b4a4cc5845bfb3dc3db225147f15bcda29f5514230ec5f377
              • Opcode Fuzzy Hash: 11e973c512f9fde0f5ff112c5e3e60af1ef7746896781097a84b9b5cdd33c3d1
              • Instruction Fuzzy Hash: 39110271408380AFDB12CF10DC84B92BFB4EF06324F0884DAED449F253D275A808CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04B80E9E
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: Connect
              • String ID:
              • API String ID: 3144859779-0
              • Opcode ID: 6f77c8a6834e04a53ad61faec421aee3b5e2dd4e3b04c3dea036244a10e56c96
              • Instruction ID: 7afd7c3412b9cfd3f81875a5938d92f4deb749258c60caaa01176530d2598c6c
              • Opcode Fuzzy Hash: 6f77c8a6834e04a53ad61faec421aee3b5e2dd4e3b04c3dea036244a10e56c96
              • Instruction Fuzzy Hash: FD115A369002049FEB20DF55D984B62FBE4EF08351F0888AAED899B622D375F418DB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 04B817DA
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: FormatMessage
              • String ID:
              • API String ID: 1306739567-0
              • Opcode ID: 16674e0a97bca5c007d12d8a3643cf82991e4575d76540cdb65335d249862fe4
              • Instruction ID: c175e9131a7bcd77522b538f167ebf6180f88b2f7854f9e032b1ec274dee4a9e
              • Opcode Fuzzy Hash: 16674e0a97bca5c007d12d8a3643cf82991e4575d76540cdb65335d249862fe4
              • Instruction Fuzzy Hash: D601B171600200ABD310DF16CC45B66FBE8EB88A20F14811AEC489BB45D735F915CBE1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ABAC6E
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: f5f40e76bc3bf5333202ee9bfda3f3004b2ab2022b295de4dfad01e8468db8ae
              • Instruction ID: 056bb4cd37e489e2e0d939e0f802292ad3e64ee87fb572ec86acce76cd454d59
              • Opcode Fuzzy Hash: f5f40e76bc3bf5333202ee9bfda3f3004b2ab2022b295de4dfad01e8468db8ae
              • Instruction Fuzzy Hash: 3701AD325002409FDB21CF95D944B62FFF4EF58320F08C8AAED498AA16C335E418DF62
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 00ABBEC2
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: 374b7a3705379f7df48f94290b76dc4726d42bc2a8b104367da705f53d757a12
              • Instruction ID: 80dba11ac92110b92b204ff689bcab9d724a61f87b6d20cbf002aa34a234fda3
              • Opcode Fuzzy Hash: 374b7a3705379f7df48f94290b76dc4726d42bc2a8b104367da705f53d757a12
              • Instruction Fuzzy Hash: 0801A271500200ABD310DF16CC46B66FBE8FB88A24F14811AEC489BB41D775F925CBE6
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindCloseChangeNotification.KERNELBASE(?), ref: 00ABA780
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: ChangeCloseFindNotification
              • String ID:
              • API String ID: 2591292051-0
              • Opcode ID: eb0244eea2aa04f38d17b246a29c9ad18ba36ec5728ca67867ab7ba45f35fb81
              • Instruction ID: 81e0429f743a3b33e3c629875a54d25da92218cb8cb5bc79e9a44fe5caecc888
              • Opcode Fuzzy Hash: eb0244eea2aa04f38d17b246a29c9ad18ba36ec5728ca67867ab7ba45f35fb81
              • Instruction Fuzzy Hash: E501D4715042009FEB10CF15D9847A5FBE8DF14320F08C4ABDC45CF752D675E448CAA2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 04B80336
              Memory Dump Source
              • Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4b80000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: ComputerName
              • String ID:
              • API String ID: 3545744682-0
              • Opcode ID: ac04cf3afc265583e1ab1bd6925ce72cb50d512d7727804b3b52eddfe2adef60
              • Instruction ID: eb0c5b3579d2241d2af4b2ce6d0178506388a8e6d9465faeed83a87ebfb893e6
              • Opcode Fuzzy Hash: ac04cf3afc265583e1ab1bd6925ce72cb50d512d7727804b3b52eddfe2adef60
              • Instruction Fuzzy Hash: 7B01D671500200ABD310DF16CC46B66FBE8FB88A24F148159EC089BB41D735F915CBE6
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: closesocket
              • String ID:
              • API String ID: 2781271927-0
              • Opcode ID: 67fcb31a0f06092384b7dac4b13e08d0d2c8efc8e67bf6847ec32235fc0b7049
              • Instruction ID: 8bd544d8eea94a14d799be7ab54de5d4227b17770847338e119872d116a55091
              • Opcode Fuzzy Hash: 67fcb31a0f06092384b7dac4b13e08d0d2c8efc8e67bf6847ec32235fc0b7049
              • Instruction Fuzzy Hash: B301D1719042409FEB20CF15D9847A2FBE8EF54324F08C4AADD499F756D279E448DBA2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNELBASE(?), ref: 00ABA30C
              Memory Dump Source
              • Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_aba000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID: ErrorMode
              • String ID:
              • API String ID: 2340568224-0
              • Opcode ID: 93a2d8a3aff1a46d24fe99f8ac6c00f23e797386a03c73a816fa1a0d7c999ac5
              • Instruction ID: 85b5f060ab77b981691afd6217662524b6598fd77acd7b6e55e04712c5f0f4c4
              • Opcode Fuzzy Hash: 93a2d8a3aff1a46d24fe99f8ac6c00f23e797386a03c73a816fa1a0d7c999ac5
              • Instruction Fuzzy Hash: E8F0AF795042449FDB20CF05D9847A1FBE4EF14724F08C0AADD094F752D379A848DAA2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.4103885556.0000000000840000.00000040.00000020.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_840000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dd0ae2de67fbb61d5d2882eb62a0bc698de62577dff76774ea51714c09b5ab53
              • Instruction ID: 34c673bf12c67edff07ebd4b6ad6f2e65d199bece2ec49bf975fe06058ea50d5
              • Opcode Fuzzy Hash: dd0ae2de67fbb61d5d2882eb62a0bc698de62577dff76774ea51714c09b5ab53
              • Instruction Fuzzy Hash: 3811C0302082889FD315CB10DA40B16B7A5FB88708F24C9BCE6499BB53C77BD802DA91
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.4103885556.0000000000840000.00000040.00000020.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_840000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1fbe6188fbbe00f4c758343e03f57761cbb737fcfd3a67103725156d32d998a3
              • Instruction ID: ad93678541536253439d9737c3b9c88525592f8b74d99307e5ca99823a98a0e8
              • Opcode Fuzzy Hash: 1fbe6188fbbe00f4c758343e03f57761cbb737fcfd3a67103725156d32d998a3
              • Instruction Fuzzy Hash: 4121597550D2C49FC703CB10D990B11BFB1BB56308F1986EED5899B6A3D23A8806CB92
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.4103885556.0000000000840000.00000040.00000020.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_840000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1ff39d7715fca73104dbdcb2237793456f549993f6901553e1aa2b12f1616cf7
              • Instruction ID: c4e938d1b3d813a6c42197f14e57d8aae9269a03c7931ec23ac10eac10eaf3f9
              • Opcode Fuzzy Hash: 1ff39d7715fca73104dbdcb2237793456f549993f6901553e1aa2b12f1616cf7
              • Instruction Fuzzy Hash: 150186B65097806FD7118B459C51862FFB8EB86620709C4EFEC498B652D225BC08CBB2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.4103885556.0000000000840000.00000040.00000020.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_840000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1d4ede8653dfc281391931ae251d75d99f2bac9b6db92f0e452a88dfad840e28
              • Instruction ID: 85e5da332ed4804b821f06d45aeca45b7c98ab65f74c1211961203362a096ef6
              • Opcode Fuzzy Hash: 1d4ede8653dfc281391931ae251d75d99f2bac9b6db92f0e452a88dfad840e28
              • Instruction Fuzzy Hash: 4511653510D2C4DFC302CB10C940B55BFB1FB4A308F2486EAD5858B6A3C33A9816CF52
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.4103885556.0000000000840000.00000040.00000020.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_840000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0e3ffe0ab8b8bec43b0eca7ca5da45ad1ed39b609236ae5c53b800e7332b5d85
              • Instruction ID: 7cb4832980bc4c00c3eae3df730c56cd8d9b2bdda8a1bd90209d146c956e637e
              • Opcode Fuzzy Hash: 0e3ffe0ab8b8bec43b0eca7ca5da45ad1ed39b609236ae5c53b800e7332b5d85
              • Instruction Fuzzy Hash: B6F0FB35108644DFC305CB00D940B16FBA2FB89718F24CAADE94917A62C737E812DE81
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.4103885556.0000000000840000.00000040.00000020.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_840000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 68481fd6103035eac5ed301ec4be2c82ea242eb47d2de074b959f874f2067b23
              • Instruction ID: e81afd59ada3b2595f85516ffce6e9db71eee7e8ae9eecfe957743da0d1a69c7
              • Opcode Fuzzy Hash: 68481fd6103035eac5ed301ec4be2c82ea242eb47d2de074b959f874f2067b23
              • Instruction Fuzzy Hash: F5E092B66006044B9650CF0AED41452F7D8EB84630B08C47FDC0D8BB01E235B508CAA6
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.4104144321.0000000000AB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB2000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ab2000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d60d8472d52560b633bd3f5b17a862095f6e67186cd3c4952fcfd4d77cc1604d
              • Instruction ID: b553199ec3b02698f12a8b2604099d8a56af70ba837d71690fad453b117f9321
              • Opcode Fuzzy Hash: d60d8472d52560b633bd3f5b17a862095f6e67186cd3c4952fcfd4d77cc1604d
              • Instruction Fuzzy Hash: 08D02E392406D04FD3228B0CC2A8BC53BD8AF41704F0A08FAA800CBB63CB28D880E600
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.4104144321.0000000000AB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB2000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_ab2000_xOg18pHQGOQK.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2a93ee25a8a3050849ceb71ba2531382f42d1f5e5621d70704357fc1a63d6d7f
              • Instruction ID: cadca5021a23159d60a826223a497be62ebde12215e362dc8ee32178803b3dd1
              • Opcode Fuzzy Hash: 2a93ee25a8a3050849ceb71ba2531382f42d1f5e5621d70704357fc1a63d6d7f
              • Instruction Fuzzy Hash: 77D05E342002814BD725DB0CC6D4F9937D8AB45714F0648E9AC108F762C7A8D8C0DA10
              Uniqueness

              Uniqueness Score: -1.00%
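The records above all share one layout: an optional APIs bullet (`Api.MODULE(args), ref: address`), a Memory Dump Source bullet whose `Offset` is the base of the dumped region and whose `based on PE: false` means the dump was not matched to a PE image on disk, and a Similarity block whose `API ID` names the API even when the APIs bullet is absent (as in the two `closesocket` records). When triaging, what matters is the per-region picture: here ADVAPI32!LookupPrivilegeValueW, WS2_32!WSAConnect, KERNELBASE!FormatMessageW and KERNEL32!GetComputerNameW are all reached from the unbacked region at 04B80000, while GetFileType, DuplicateHandle, RegQueryValueExW, SetErrorMode and the socket close-downs sit in the unbacked region at 00ABA000. The parser below is an added example, not Joe Sandbox code: it reads this text layout only, builds that per-region summary, and flags watchlisted APIs called from unbacked regions. The watchlist and the abridged sample records (copied from this report with the hash lines dropped) are the example's own construction.

```python
"""Parse the per-function records Joe Sandbox's IDA plugin emits (the repeated
"APIs / Memory Dump Source / Similarity / Uniqueness" blocks) and summarise which
Win32 APIs are referenced from which dumped memory region. Added example; it
relies only on the text layout visible in the report."""
import re
from collections import defaultdict

# A record ends at its "Uniqueness Score" line. We extract the API bullet, the
# "Source File" bullet (region base and the 'based on PE' flag) and the
# Similarity "API ID" (fallback for records that lack an APIs bullet).
API_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)", re.I)
API_ID_RE = re.compile(r"^•\s*API ID:\s*(?P<id>\S.*)?$")
END_RE = re.compile(r"^Uniqueness Score:")


def parse_records(text):
    """Return one dict per function record, in report order."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if cur is None:
            if not line:
                continue  # blank separator between records
            cur = {"apis": [], "api_id": None, "region": None, "pe_backed": None}
        if END_RE.match(line):
            records.append(cur)
            cur = None
        elif m := API_RE.match(line):
            args = m["args"].strip()
            cur["apis"].append({"api": m["api"], "module": m["module"].upper(),
                                "nargs": args.count(",") + 1 if args else 0,
                                "ref": int(m["ref"], 16)})
        elif m := SOURCE_RE.search(line):
            cur["region"] = int(m["offset"], 16)
            cur["pe_backed"] = m["pe"].lower() == "true"
        elif m := API_ID_RE.match(line):
            cur["api_id"] = m["id"].strip() if m["id"] else None
    if cur is not None:  # tolerate a report cut off mid-record
        records.append(cur)
    return records


def apis_by_region(records):
    """Map region base -> sorted 'MODULE!Api' names referenced from it. A record
    without an APIs bullet falls back to its API ID, shown as '?!name'."""
    out = defaultdict(set)
    for r in records:
        names = {f"{a['module']}!{a['api']}" for a in r["apis"]}
        if not names and r["api_id"]:
            names = {f"?!{r['api_id']}"}
        out[r["region"]] |= names
    return {k: sorted(v) for k, v in out.items()}


# APIs worth a second look when called from code the report marks
# 'based on PE: false'. This list is the example's own choice, not Joe Sandbox's.
WATCHLIST = {"LookupPrivilegeValueW", "WSAConnect", "GetComputerNameW", "DuplicateHandle"}


def unbacked_watchlist_hits(records, watchlist=WATCHLIST):
    """(region, api, ref) as 8-digit hex for watchlisted calls from unbacked regions."""
    return [(f"{r['region']:08X}", a["api"], f"{a['ref']:08X}")
            for r in records if r["pe_backed"] is False
            for a in r["apis"] if a["api"] in watchlist]


# Constructed sample: four records abridged from this report (hash lines dropped).
SAMPLE = """\
APIs
• LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04B80F62
Memory Dump Source
• Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
Similarity
• API ID: LookupPrivilegeValue
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.4104176954.0000000000ABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABA000, based on PE: false
Similarity
• API ID: closesocket
Uniqueness Score: -1.00%

APIs
• WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04B80E9E
Memory Dump Source
• Source File: 00000000.00000002.4105872073.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.4103885556.0000000000840000.00000040.00000020.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
Similarity
• API ID:
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for region, names in sorted(apis_by_region(recs).items()):
        print(f"{region:08X}: {', '.join(names) or '(no API reference)'}")
    for hit in unbacked_watchlist_hits(recs):
        print("watchlist hit from unbacked region:", *hit)
```

Run against the full report text rather than the sample, the summary groups every function record by its dump region, so the privilege lookup, the outbound WSAConnect and the host-name query show up together under 04B80000 instead of being scattered across dozens of hash-heavy blocks. The `?!` prefix marks names recovered only from the Similarity `API ID`, where the report gives no module or call site, so those entries should be confirmed in the disassembly before being cited. The unbacked-region flag is the example's reading of `based on PE: false`; for a .NET sample it is consistent with JIT-compiled code calling native DLLs, but the report itself does not say why the region is unbacked.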