
Windows Analysis Report
NezbdhNgwG.exe

Overview

General Information

Sample Name: NezbdhNgwG.exe
Original Sample Name: a650ffe73f9994ad3844fedd49ba10f3.exe
Analysis ID: 1347939
MD5: a650ffe73f9994ad3844fedd49ba10f3
SHA1: 958e2c74bdf856eeb7ca4dbbf9ab746d1c85e712
SHA256: 1064502587b0806ba7b4c026520f1774e8b9446c68e511cf3edf1850132ae699
Tags: exe, njrat, RAT

Detection

Family: Njrat
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Protects its processes via BreakOnTermination flag
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Modifies the windows firewall
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
May infect USB drives
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a start menu entry (Start Menu\Programs\Startup)

Classification

  • System is w10x64
  • NezbdhNgwG.exe (PID: 6952 cmdline: C:\Users\user\Desktop\NezbdhNgwG.exe MD5: A650FFE73F9994AD3844FEDD49BA10F3)
    • netsh.exe (PID: 6584 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\NezbdhNgwG.exe" "NezbdhNgwG.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • NezbdhNgwG.exe (PID: 6232 cmdline: "C:\Users\user\Desktop\NezbdhNgwG.exe" .. MD5: A650FFE73F9994AD3844FEDD49BA10F3)
  • NezbdhNgwG.exe (PID: 5228 cmdline: "C:\Users\user\Desktop\NezbdhNgwG.exe" .. MD5: A650FFE73F9994AD3844FEDD49BA10F3)
  • NezbdhNgwG.exe (PID: 3748 cmdline: "C:\Users\user\Desktop\NezbdhNgwG.exe" .. MD5: A650FFE73F9994AD3844FEDD49BA10F3)
  • cleanup
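
Detection logic for the two host behaviours visible in this process tree and in the signature list above (netsh opening a firewall exception for the sample, and a PE dropped into the Startup folder under a hash-like name), added here as an example rather than anything Joe Sandbox emits. It runs over constructed Sysmon-style events (EventID 1 process creation, EventID 11 file creation; field names follow Sysmon) modelled on the command line and dropped-file path in this report. The user-writable-path heuristic and the rule names are choices made for this example. Python is used for all added examples on this page.

```python
"""Detect netsh firewall exceptions for user-writable programs and hash-named
PEs dropped into the per-user Startup folder.

Added example for this report, not Joe Sandbox code. Events are constructed
Sysmon-style records modelled on the report (EventID 1 = process creation,
EventID 11 = file creation).
"""
import re

# Locations an unprivileged user can normally write to (heuristic).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.I)
# Legacy `netsh firewall add allowedprogram <path> <name> ENABLE`; path may be quoted.
NETSH_ALLOWEDPROGRAM = re.compile(
    r'\bfirewall\s+add\s+allowedprogram\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)
# An .exe whose name is 32 hex characters, written into the Startup folder.
STARTUP_HASHNAME = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\[0-9a-f]{32}\.exe$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_netsh_exception(ev):
    """Flag netsh adding a firewall exception for a program in a user-writable path."""
    if ev["EventID"] != 1 or basename(ev["Image"]) != "netsh.exe":
        return None
    m = NETSH_ALLOWEDPROGRAM.search(ev["CommandLine"])
    if not m:
        return None
    program = m["q"] or m["u"]
    if not USER_WRITABLE.match(program):
        return None
    return {"rule": "netsh_firewall_exception_user_path",
            "program": program, "parent": ev.get("ParentImage")}


def check_startup_drop(ev):
    """Flag a hash-named .exe created in the per-user Startup folder."""
    if ev["EventID"] != 11 or not STARTUP_HASHNAME.search(ev["TargetFilename"]):
        return None
    return {"rule": "startup_folder_hashnamed_pe",
            "file": ev["TargetFilename"], "writer": ev.get("Image")}


CHECKS = (check_netsh_exception, check_startup_drop)


def evaluate(events):
    """Run every check over every event and return the findings in event order."""
    return [f for ev in events for chk in CHECKS if (f := chk(ev))]


# Constructed events modelled on the process tree and the dropped file above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "ParentImage": r"C:\Users\user\Desktop\NezbdhNgwG.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\user\Desktop\NezbdhNgwG.exe" "NezbdhNgwG.exe" ENABLE'},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh interface show interface"},          # benign netsh use
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Program Files\Vendor\agent.exe" "Agent" ENABLE'},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\NezbdhNgwG.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vendor Tray.lnk"},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

The third event (an exception for a program under Program Files) is deliberately not flagged: the user-writable filter trades recall for precision. Any use of the deprecated `netsh firewall` context is still worth a lower-severity alert in an environment where nothing legitimate should be calling it.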
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
Malware Configuration: {"Host": "System.Security.Permissions.IUnrestrictedPermission", "Port": "11531", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "server.exe", "Install Dir": "TEMP"}

Note on the extracted values: the Host field is a .NET type name, not a resolvable hostname, so treat it as a mis-extracted field rather than an IOC. The Networking section below records DNS queries for 2.tcp.eu.ngrok.io and C2 connections to 18.192.93.86, 3.126.37.18 and 18.156.13.209 on TCP/11531, which matches the extracted Port. The persistence artefact actually observed (Startup\8c3a19ded61c2fe03bf66a3900261406.exe) also differs from the configured Install Name, so hunt on the behaviours rather than on these literal strings.
Yara Overview

Initial Sample

NezbdhNgwG.exe
  • JoeSecurity_Njrat (Yara detected Njrat; author: Joe Security)
  • Windows_Trojan_Njrat_30f3c220 (description and author: unknown)
      0x64c1  $a1  get_Registry
      0x7efa  $a3  Download ERROR
      0x81ec  $a5  netsh firewall delete allowedprogram "
  • njrat1 (Identify njRat; author: Brian Wallace @botnet_hunter)
      0x80e2  $a1  netsh firewall add allowedprogram
      0x82dc  $b1  [TAP]
      0x8282  $b2  & exit
      0x824e  $c1  md.exe /k ping 0 & del
  • MALWARE_Win_NjRAT (Detects NjRAT / Bladabindi; author: ditekSHen)
      0x81ec  $s1  netsh firewall delete allowedprogram
      0x80e2  $s2  netsh firewall add allowedprogram
      0x824c  $s3  63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
      0x7ed6  $s4  Execute ERROR
      0x7f36  $s4  Execute ERROR
      0x7efa  $s5  Download ERROR
      0x8292  $s6  [kl]

Dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe
  • JoeSecurity_Njrat, Windows_Trojan_Njrat_30f3c220, njrat1 and MALWARE_Win_NjRAT all match, with every string at the same offset as in NezbdhNgwG.exe above.

Memory Dumps

00000000.00000000.1642177967.0000000000022000.00000002.00000001.01000000.00000003.sdmp
  • JoeSecurity_Njrat (Yara detected Njrat; author: Joe Security)
  • Windows_Trojan_Njrat_30f3c220 (description and author: unknown)
      0x62c1  $a1  get_Registry
      0x7cfa  $a3  Download ERROR
      0x7fec  $a5  netsh firewall delete allowedprogram "
  • njrat1 (Identify njRat; author: Brian Wallace @botnet_hunter)
      0x7ee2  $a1  netsh firewall add allowedprogram
      0x80dc  $b1  [TAP]
      0x8082  $b2  & exit
      0x804e  $c1  md.exe /k ping 0 & del
  (Offsets in this image dump are 0x200 lower than in the file: the usual raw-to-virtual shift for the .text section of a small PE.)
00000000.00000002.4081955950.00000000026C1000.00000004.00000800.00020000.00000000.sdmp
  • JoeSecurity_Njrat (Yara detected Njrat; author: Joe Security)
Process Memory Space: NezbdhNgwG.exe PID: 6952
  • JoeSecurity_Njrat (Yara detected Njrat; author: Joe Security)

Unpacked PEs

0.0.NezbdhNgwG.exe.20000.0.unpack
  • JoeSecurity_Njrat, Windows_Trojan_Njrat_30f3c220, njrat1 and MALWARE_Win_NjRAT all match, with every string at the same offset as in NezbdhNgwG.exe above.
Sigma Overview

No Sigma rule has matched
Snort IDS Alerts

All 19 alerts share protocol TCP, source host 192.168.2.4, destination port 11531 and classtype "A Network Trojan was detected". Rule names for the SIDs, as given in the Networking section:

  2033132  ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)
  2814856  ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)
  2825563  ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)
  2814860  ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)
  2825564  ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)

Timestamp                 Source Port  Destination IP  SID
11/26/23-15:16:09.891923  49729        18.192.93.86    2033132
11/26/23-15:16:10.074575  49729        18.192.93.86    2814856
11/26/23-15:16:10.074575  49729        18.192.93.86    2825563
11/26/23-15:17:09.256355  49729        18.192.93.86    2825564
11/26/23-15:17:09.256355  49729        18.192.93.86    2814860
11/26/23-15:17:13.832319  49736        3.126.37.18     2033132
11/26/23-15:17:14.013168  49736        3.126.37.18     2814856
11/26/23-15:18:09.757619  49736        3.126.37.18     2814860
11/26/23-15:18:09.757619  49736        3.126.37.18     2825564
11/26/23-15:18:17.603963  49737        18.156.13.209   2033132
11/26/23-15:18:17.782445  49737        18.156.13.209   2814856
11/26/23-15:18:17.782445  49737        18.156.13.209   2825563
11/26/23-15:18:42.758182  49737        18.156.13.209   2814860
11/26/23-15:18:42.758182  49737        18.156.13.209   2825564
11/26/23-15:19:21.604980  49738        18.192.93.86    2033132
11/26/23-15:19:21.784381  49738        18.192.93.86    2825563
11/26/23-15:19:21.784381  49738        18.192.93.86    2814856
11/26/23-15:19:41.517209  49738        18.192.93.86    2825564
11/26/23-15:19:41.517209  49738        18.192.93.86    2814860

Sorted by timestamp. Each source port is one TCP connection; the alerts for a connection fire in the order (ll), then (inf), then (act).
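
The nineteen alerts above, correlated into per-connection timelines; this is an added example for this report, not Joe Sandbox code. The records are transcribed from the table, and the SID-to-phase map follows the (ll), (inf) and (act) suffixes of the ET rule names in the Networking section, which correspond to njRAT's own client message types (ll registration, inf host information, act active-window report; that reading of the suffixes is an interpretation, not something the report states). The code reports the beacon order per flow, the dwell time between first and last alert, and the endpoint list for blocking. Because the only DNS query in the run is for an ngrok tunnel host, the IPs should be treated as point-in-time IOCs.

```python
"""Correlate Snort alerts into per-connection njRAT C2 timelines.

Added example for this report, not Joe Sandbox code. ALERT_LOG is transcribed
from the Snort alert table above; PHASE maps each SID to the suffix of its ET
rule name (interpreted here as njRAT's ll / inf / act message types).
"""
import re
from collections import defaultdict
from datetime import datetime

ALERT_LOG = """\
11/26/23-15:16:09.891923 2033132 192.168.2.4:49729 -> 18.192.93.86:11531
11/26/23-15:16:10.074575 2814856 192.168.2.4:49729 -> 18.192.93.86:11531
11/26/23-15:16:10.074575 2825563 192.168.2.4:49729 -> 18.192.93.86:11531
11/26/23-15:17:09.256355 2825564 192.168.2.4:49729 -> 18.192.93.86:11531
11/26/23-15:17:09.256355 2814860 192.168.2.4:49729 -> 18.192.93.86:11531
11/26/23-15:17:13.832319 2033132 192.168.2.4:49736 -> 3.126.37.18:11531
11/26/23-15:17:14.013168 2814856 192.168.2.4:49736 -> 3.126.37.18:11531
11/26/23-15:18:09.757619 2814860 192.168.2.4:49736 -> 3.126.37.18:11531
11/26/23-15:18:09.757619 2825564 192.168.2.4:49736 -> 3.126.37.18:11531
11/26/23-15:18:17.603963 2033132 192.168.2.4:49737 -> 18.156.13.209:11531
11/26/23-15:18:17.782445 2814856 192.168.2.4:49737 -> 18.156.13.209:11531
11/26/23-15:18:17.782445 2825563 192.168.2.4:49737 -> 18.156.13.209:11531
11/26/23-15:18:42.758182 2814860 192.168.2.4:49737 -> 18.156.13.209:11531
11/26/23-15:18:42.758182 2825564 192.168.2.4:49737 -> 18.156.13.209:11531
11/26/23-15:19:21.604980 2033132 192.168.2.4:49738 -> 18.192.93.86:11531
11/26/23-15:19:21.784381 2825563 192.168.2.4:49738 -> 18.192.93.86:11531
11/26/23-15:19:21.784381 2814856 192.168.2.4:49738 -> 18.192.93.86:11531
11/26/23-15:19:41.517209 2825564 192.168.2.4:49738 -> 18.192.93.86:11531
11/26/23-15:19:41.517209 2814860 192.168.2.4:49738 -> 18.192.93.86:11531
"""

PHASE = {2033132: "ll", 2814856: "inf", 2825563: "inf", 2814860: "act", 2825564: "act"}
PHASE_ORDER = ("ll", "inf", "act")

LINE = re.compile(r"(?P<ts>\S+) (?P<sid>\d+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                  r"(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_alerts(text):
    """One alert per line -> dict with a datetime, int SID and int ports."""
    alerts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        alerts.append({
            "ts": datetime.strptime(m["ts"], "%m/%d/%y-%H:%M:%S.%f"),
            "sid": int(m["sid"]),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    return alerts


def flows(alerts):
    """Group alerts by (src, sport, dst, dport); each group sorted by time."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["src"], a["sport"], a["dst"], a["dport"])].append(a)
    return {k: sorted(v, key=lambda a: a["ts"]) for k, v in groups.items()}


def phase_order_ok(flow_alerts):
    """True when ll, inf and act all occur and their first hits are in that order."""
    first = {}
    for a in flow_alerts:
        first.setdefault(PHASE.get(a["sid"]), a["ts"])
    if any(p not in first for p in PHASE_ORDER):
        return False
    return first["ll"] <= first["inf"] <= first["act"]


def dwell_seconds(flow_alerts):
    """Seconds between the first and last alert of one connection."""
    return (flow_alerts[-1]["ts"] - flow_alerts[0]["ts"]).total_seconds()


def c2_iocs(alerts):
    """Distinct destination endpoints, sorted, ready for a blocklist."""
    return sorted({f'{a["dst"]}:{a["dport"]}' for a in alerts})


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_LOG)
    for key, fa in flows(alerts).items():
        phases = [PHASE[a["sid"]] for a in fa]
        print(key, phases, phase_order_ok(fa), f"{dwell_seconds(fa):.1f}s")
    print(c2_iocs(alerts))
```

Four connections to three endpoints, each running ll, inf, act in order, is the pattern to alert on; a single (ll) hit without the follow-up phases is more likely a scanner or a false positive.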


AV Detection

Source: 00000000.00000002.4081955950.00000000026C1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Njrat {"Host": "System.Security.Permissions.IUnrestrictedPermission", "Port": "11531", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "server.exe", "Install Dir": "TEMP"}
Source: NezbdhNgwG.exe | ReversingLabs: Detection: 86%
Source: NezbdhNgwG.exe | Virustotal: Detection: 82%
Source: Yara match | File source: NezbdhNgwG.exe, type: SAMPLE
Source: Yara match | File source: 0.0.NezbdhNgwG.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1642177967.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4081955950.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NezbdhNgwG.exe PID: 6952, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe, type: DROPPED
Source: NezbdhNgwG.exe | Avira: detected
Source: 2.tcp.eu.ngrok.io | Virustotal: Detection: 15%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe | Virustotal: Detection: 82%
Source: NezbdhNgwG.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe | Joe Sandbox ML: detected
Source: NezbdhNgwG.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: NezbdhNgwG.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: NezbdhNgwG.exe, 00000000.00000002.4081955950.00000000026C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
Source: NezbdhNgwG.exe, 00000000.00000002.4081955950.00000000026C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
Source: NezbdhNgwG.exe, 00000000.00000000.1642177967.0000000000022000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: autorun.inf
Source: NezbdhNgwG.exe, 00000000.00000000.1642177967.0000000000022000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: [autorun]
Source: NezbdhNgwG.exe | Binary or memory string: autorun.inf
Source: NezbdhNgwG.exe | Binary or memory string: [autorun]
Source: 8c3a19ded61c2fe03bf66a3900261406.exe.0.dr | Binary or memory string: autorun.inf
Source: 8c3a19ded61c2fe03bf66a3900261406.exe.0.dr | Binary or memory string: [autorun]

Networking

Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49729 -> 18.192.93.86:11531
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49729 -> 18.192.93.86:11531
Source: Traffic | Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49729 -> 18.192.93.86:11531
Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49729 -> 18.192.93.86:11531
Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49729 -> 18.192.93.86:11531
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49736 -> 3.126.37.18:11531
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49736 -> 3.126.37.18:11531
Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49736 -> 3.126.37.18:11531
Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49736 -> 3.126.37.18:11531
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49737 -> 18.156.13.209:11531
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49737 -> 18.156.13.209:11531
Source: Traffic | Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49737 -> 18.156.13.209:11531
Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49737 -> 18.156.13.209:11531
Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49737 -> 18.156.13.209:11531
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49738 -> 18.192.93.86:11531
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49738 -> 18.192.93.86:11531
Source: Traffic | Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49738 -> 18.192.93.86:11531
Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49738 -> 18.192.93.86:11531
Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49738 -> 18.192.93.86:11531
Source: Malware configuration extractor | URLs: System.Security.Permissions.IUnrestrictedPermission
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | IP Address: 18.192.93.86
Source: Joe Sandbox View | IP Address: 3.126.37.18
Source: Joe Sandbox View | IP Address: 18.156.13.209
Source: global traffic | TCP traffic: 192.168.2.4:49729 -> 18.192.93.86:11531
Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 3.126.37.18:11531
Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 18.156.13.209:11531
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 4 times)
Source: NezbdhNgwG.exe, 00000000.00000002.4081376804.000000000064F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.
Source: NezbdhNgwG.exe, 00000000.00000002.4081376804.000000000064F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.LinkId=42127
Source: NezbdhNgwG.exe, 8c3a19ded61c2fe03bf66a3900261406.exe.0.dr | String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0
Source: unknown | DNS traffic detected: queries for: 2.tcp.eu.ngrok.io

Note: the only DNS lookup in the run is for 2.tcp.eu.ngrok.io, an ngrok TCP-tunnel endpoint, and every C2 connection goes to an AWS-hosted address on TCP/11531. ngrok tunnels front shared, short-lived infrastructure, so the durable indicators are the tunnel hostname and the njRAT traffic pattern the Snort rules above match; the three IP addresses are point-in-time IOCs.

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: NezbdhNgwG.exe, kl.cs | .Net Code: VKCodeToUnicode
Source: 8c3a19ded61c2fe03bf66a3900261406.exe.0.dr, kl.cs | .Net Code: VKCodeToUnicode

E-Banking Fraud

Source: Yara match | File source: NezbdhNgwG.exe, type: SAMPLE
Source: Yara match | File source: 0.0.NezbdhNgwG.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1642177967.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4081955950.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NezbdhNgwG.exe PID: 6952, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe, type: DROPPED

Operating System Destruction

Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Process information set: 01 00 00 00

This is the evidence behind the "Protects its processes via BreakOnTermination flag" signature: the sample calls NtSetInformationProcess (see the code functions under System Summary) with the ProcessBreakOnTermination information class and a value of 1, which marks its own process as critical. Terminating a critical process bugchecks the machine, so during response clear the flag first, or remove the Startup persistence and reboot, rather than killing the process directly. Setting the flag requires SeDebugPrivilege, which is consistent with the AdjustTokenPrivileges calls and the "Enables debug privileges" signature.

System Summary

Source: NezbdhNgwG.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: NezbdhNgwG.exe, type: SAMPLE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: NezbdhNgwG.exe, type: SAMPLE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.NezbdhNgwG.exe.20000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.NezbdhNgwG.exe.20000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.NezbdhNgwG.exe.20000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.1642177967.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1642177967.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe, type: DROPPED | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: NezbdhNgwG.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: NezbdhNgwG.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: NezbdhNgwG.exe, type: SAMPLE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: NezbdhNgwG.exe, type: SAMPLE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.NezbdhNgwG.exe.20000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.NezbdhNgwG.exe.20000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.NezbdhNgwG.exe.20000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.1642177967.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1642177967.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe, type: DROPPED | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Code function: 0_2_00A3170F
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Code function: 0_2_0060BBEA NtSetInformationProcess
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Code function: 0_2_0060BECA NtQuerySystemInformation
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Code function: 0_2_0060BBC8 NtSetInformationProcess
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Code function: 0_2_0060BE8F NtQuerySystemInformation
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Process Stats: CPU usage > 49%
Source: NezbdhNgwG.exe, 00000000.00000002.4081376804.000000000061E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename mscorwks.dllT vs NezbdhNgwG.exe
Source: NezbdhNgwG.exe | ReversingLabs: Detection: 86%
Source: NezbdhNgwG.exe | Virustotal: Detection: 82%
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | File read: C:\Users\user\Desktop\NezbdhNgwG.exe
Source: NezbdhNgwG.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\NezbdhNgwG.exe C:\Users\user\Desktop\NezbdhNgwG.exe
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\NezbdhNgwG.exe" "NezbdhNgwG.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\NezbdhNgwG.exe "C:\Users\user\Desktop\NezbdhNgwG.exe" ..
Source: unknown | Process created: C:\Users\user\Desktop\NezbdhNgwG.exe "C:\Users\user\Desktop\NezbdhNgwG.exe" ..
Source: unknown | Process created: C:\Users\user\Desktop\NezbdhNgwG.exe "C:\Users\user\Desktop\NezbdhNgwG.exe" ..
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\NezbdhNgwG.exe" "NezbdhNgwG.exe" ENABLE
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Code function: 0_2_0060B89A AdjustTokenPrivileges
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Code function: 0_2_0060B863 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@7/4@4/3
Source: NezbdhNgwG.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll (reported 4 times)
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp (reported 4 times)
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp (reported 4 times)
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:120:WilError_03
              Source: C:\Users\user\Desktop\NezbdhNgwG.exeMutant created: \Sessions\1\BaseNamedObjects\8c3a19ded61c2fe03bf66a3900261406
              Source: C:\Users\user\Desktop\NezbdhNgwG.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
              Source: C:\Users\user\Desktop\NezbdhNgwG.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dllJump to behavior
              Source: NezbdhNgwG.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: NezbdhNgwG.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: NezbdhNgwG.exe, OK.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 8c3a19ded61c2fe03bf66a3900261406.exe.0.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe

Boot Survival

Source: C:\Users\user\Desktop\NezbdhNgwG.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe (3 occurrences)
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8c3a19ded61c2fe03bf66a3900261406 (3 occurrences)
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 8c3a19ded61c2fe03bf66a3900261406 (2 occurrences)
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Process information set: NOOPENFILEERRORBOX (98 occurrences)
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\Desktop\NezbdhNgwG.exe TID: 6924 | Thread sleep time: -650000s >= -30000s
Source: C:\Users\user\Desktop\NezbdhNgwG.exe TID: 6924 | Thread sleep time: -4559000s >= -30000s
Source: C:\Users\user\Desktop\NezbdhNgwG.exe TID: 3488 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\NezbdhNgwG.exe TID: 2032 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\NezbdhNgwG.exe TID: 5252 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Thread delayed: delay time: 922337203685477 (3 occurrences)
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Window / User API: threadDelayed 3212
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Window / User API: threadDelayed 650
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Window / User API: threadDelayed 4559
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Window / User API: foregroundWindowGot 425
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Window / User API: foregroundWindowGot 1274
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Thread delayed: delay time: 922337203685477 (3 occurrences)
Source: NezbdhNgwG.exe, 00000000.00000002.4081376804.000000000068C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: netsh.exe, 00000001.00000003.1710593915.0000000000742000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: NezbdhNgwG.exe, kl.cs | Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: NezbdhNgwG.exe, kl.cs | Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: NezbdhNgwG.exe, OK.cs | Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: NezbdhNgwG.exe, 00000000.00000002.4081955950.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, NezbdhNgwG.exe, 00000000.00000002.4081955950.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, NezbdhNgwG.exe, 00000000.00000002.4081955950.00000000029B7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: NezbdhNgwG.exe, 00000000.00000002.4081955950.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, NezbdhNgwG.exe, 00000000.00000002.4081955950.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, NezbdhNgwG.exe, 00000000.00000002.4081955950.00000000028CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: program managerL.
Source: NezbdhNgwG.exe, 00000000.00000002.4081955950.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, NezbdhNgwG.exe, 00000000.00000002.4081955950.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: program manager
Source: NezbdhNgwG.exe, 00000000.00000002.4081955950.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, NezbdhNgwG.exe, 00000000.00000002.4081955950.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, NezbdhNgwG.exe, 00000000.00000002.4081955950.00000000028CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@9
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Queries volume information: C:\ VolumeInformation (3 occurrences)
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\NezbdhNgwG.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\NezbdhNgwG.exe" "NezbdhNgwG.exe" ENABLE (2 occurrences)
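The firewall exception above, together with the Run-key values and the Startup-folder drop listed under Boot Survival, is what a host-based detection would key on: a netsh exception for a binary under the user profile, Run values named with a 32-hex identifier, an .exe written to the Startup folder, and the same identifier reused as a mutex name. The Python below is an added example, not code from Joe Sandbox or from the sample. The Event schema is an assumption, the EVENTS list is constructed from this report's own lines plus two benign records as negative controls, and the advfirewall pattern is a generalisation the report itself does not show (it only records the legacy netsh firewall syntax).

```python
"""Host-side detection for the persistence and firewall-tampering behaviour in
the NezbdhNgwG.exe report. Added example; the Event schema is assumed and the
EVENTS list is constructed from the report plus two benign negative controls."""
import re
from collections import defaultdict
from dataclasses import dataclass

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\:]+)\.exe$", re.I)
# Legacy syntax as seen in the report, plus the modern advfirewall form
# (assumed generalisation; the report only shows the legacy command).
NETSH_LEGACY = re.compile(
    r'netsh\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)
NETSH_MODERN = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)

@dataclass
class Event:
    kind: str          # "process" | "registry" | "file" | "mutex"
    cmdline: str = ""  # process: command line of the created child
    key: str = ""      # registry: key path
    name: str = ""     # registry: value name; mutex: full object name
    data: str = ""     # registry: value data
    path: str = ""     # file: created path

@dataclass
class Finding:
    rule: str
    severity: str
    detail: str

def allowed_program(cmdline):
    """Program path that a netsh command adds as a firewall exception, or None."""
    for rx in (NETSH_LEGACY, NETSH_MODERN):
        m = rx.search(cmdline)
        if m:
            return m.group(1) or m.group(2)
    return None

def analyze(events):
    findings = []
    tokens = defaultdict(set)  # 32-hex identifier -> artifact kinds it names
    for ev in events:
        if ev.kind == "process":
            prog = allowed_program(ev.cmdline)
            if prog:
                # An exception for a binary under C:\Users is far more suspicious
                # than one for an installed product.
                sev = "high" if USER_WRITABLE.match(prog) else "medium"
                findings.append(Finding("firewall_allow_program", sev, prog))
        elif ev.kind == "registry" and RUN_KEY.search(ev.key):
            if HEX32.match(ev.name):
                tokens[ev.name.lower()].add("registry")
                findings.append(Finding("run_key_hex_name", "high", f"{ev.key}\\{ev.name} = {ev.data}"))
            elif USER_WRITABLE.match(ev.data.lstrip('"')):
                findings.append(Finding("run_key_user_path", "low", f"{ev.key}\\{ev.name} = {ev.data}"))
        elif ev.kind == "file":
            m = STARTUP_EXE.search(ev.path)
            if m:
                if HEX32.match(m.group(1)):
                    tokens[m.group(1).lower()].add("file")
                findings.append(Finding("startup_folder_drop", "high", ev.path))
        elif ev.kind == "mutex":
            leaf = ev.name.rsplit("\\", 1)[-1]
            if HEX32.match(leaf):
                tokens[leaf.lower()].add("mutex")
    # One identifier reused as mutex, Run value name and dropped file name is the
    # pivot that ties the separate artifacts to a single implant.
    for tok, kinds in tokens.items():
        if len(kinds) >= 2:
            findings.append(Finding("shared_identifier", "high", f"{tok} used as {', '.join(sorted(kinds))}"))
    return findings

SAMPLE = r"C:\Users\user\Desktop\NezbdhNgwG.exe"
TOKEN = "8c3a19ded61c2fe03bf66a3900261406"
RUN_HKCU = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

EVENTS = [  # constructed from the report's behaviour lines
    Event("process", cmdline=f'netsh firewall add allowedprogram "{SAMPLE}" "NezbdhNgwG.exe" ENABLE'),
    Event("registry", key=RUN_HKCU, name=TOKEN, data=f'"{SAMPLE}" ..'),
    Event("registry", key=RUN_HKLM, name=TOKEN, data=f'"{SAMPLE}" ..'),
    Event("file", path=STARTUP + "\\" + TOKEN + ".exe"),
    Event("mutex", name=r"\Sessions\1\BaseNamedObjects" + "\\" + TOKEN),
    # negative controls: a stock HKLM Run entry and a port-only firewall rule
    Event("registry", key=RUN_HKLM, name="SecurityHealth", data=r"%windir%\system32\SecurityHealthSystray.exe"),
    Event("process", cmdline='netsh advfirewall firewall add rule name="Open SSH" dir=in action=allow protocol=TCP localport=22'),
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Running it prints five high-severity findings for the constructed events: the firewall exception, the two Run values, the Startup drop, and the shared identifier that links registry, file and mutex. The stock SecurityHealth Run entry and the port-only firewall rule produce nothing, which is why they are included.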

Stealing of Sensitive Information

Source: Yara match | File source: NezbdhNgwG.exe, type: SAMPLE
Source: Yara match | File source: 0.0.NezbdhNgwG.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1642177967.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4081955950.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NezbdhNgwG.exe PID: 6952, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: NezbdhNgwG.exe, type: SAMPLE
Source: Yara match | File source: 0.0.NezbdhNgwG.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1642177967.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4081955950.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NezbdhNgwG.exe PID: 6952, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe, type: DROPPED
MITRE ATT&CK matrix (only techniques carrying a signature badge in the original matrix are listed; the digits are the badges as shown there)

Tactic | Technique (badges)
Initial Access | Replication Through Removable Media (1)
Execution | Native API (1)
Persistence | Registry Run Keys / Startup Folder (221)
Privilege Escalation | Access Token Manipulation (1); Process Injection (2); Registry Run Keys / Startup Folder (221)
Defense Evasion | Masquerading (1); Disable or Modify Tools (21); Virtualization/Sandbox Evasion (21); Access Token Manipulation (1); Process Injection (2); Software Packing (1)
Credential Access | Input Capture (1)
Discovery | Security Software Discovery (11); Process Discovery (2); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); Peripheral Device Discovery (1); System Information Discovery (12)
Lateral Movement | Replication Through Removable Media (1)
Collection | Input Capture (1); Archive Collected Data (1)
Command and Control | Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11)
Exfiltration, Network Effects, Remote Service Effects, Impact, Resource Development, Reconnaissance | no techniques flagged
Source | Detection | Scanner | Label
NezbdhNgwG.exe | 86% | ReversingLabs | ByteCode-MSIL.Trojan.NjRAT
NezbdhNgwG.exe | 83% | Virustotal |
NezbdhNgwG.exe | 100% | Avira | TR/ATRAPS.Gen
NezbdhNgwG.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe | 100% | Avira | TR/ATRAPS.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe | 86% | ReversingLabs | ByteCode-MSIL.Trojan.NjRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe | 83% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
2.tcp.eu.ngrok.io | 16% | Virustotal |

Source | Detection | Scanner | Label
http://go.microsoft.LinkId=42127 | 0% | Avira URL Cloud | safe
System.Security.Permissions.IUnrestrictedPermission | 0% | Avira URL Cloud | safe
http://go.microsoft. | 0% | Avira URL Cloud | safe
http://go.microsoft. | 0% | Virustotal |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
2.tcp.eu.ngrok.io | 18.192.93.86 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
System.Security.Permissions.IUnrestrictedPermission | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://go.microsoft. | NezbdhNgwG.exe, 00000000.00000002.4081376804.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0 | NezbdhNgwG.exe, 8c3a19ded61c2fe03bf66a3900261406.exe.0.dr | false | | high
http://go.microsoft.LinkId=42127 | NezbdhNgwG.exe, 00000000.00000002.4081376804.000000000064F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
IP | Domain | Country | ASN | ASN Name | Malicious
18.192.93.86 | 2.tcp.eu.ngrok.io | United States | 16509 | AMAZON-02 (US) | true
3.126.37.18 | unknown | United States | 16509 | AMAZON-02 (US) | true
18.156.13.209 | unknown | United States | 16509 | AMAZON-02 (US) | true
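All three addresses above sit in AMAZON-02 because they are ngrok's tunnel edge rather than infrastructure the operator controls, so the hostname 2.tcp.eu.ngrok.io is the indicator that survives, and the IPs are only meaningful when joined back to the lookup that produced them. The Python below is an added example, not part of the Joe Sandbox report. The record shapes, the destination ports and the benign control traffic are assumptions; the ASN map copies the report's value (16509) for the three C2 addresses and uses documentation ranges for the controls.

```python
"""Network pivot for the C2 indicators in the report's domain and IP tables.
Added example; record shapes, ports and control traffic are assumed."""
import re
from dataclasses import dataclass

# ngrok TCP tunnel endpoints: "<n>.tcp.ngrok.io" or "<n>.tcp.<region>.ngrok.io".
NGROK_TCP = re.compile(r"^\d+\.tcp(?:\.[a-z0-9-]+)?\.ngrok\.io$", re.I)

@dataclass
class Dns:
    query: str
    answers: list

@dataclass
class Conn:
    dst_ip: str
    dst_port: int

def tunnel_hosts(dns):
    """Hostnames worth sharing as IOCs. The resolved addresses are ngrok's edge,
    shared with every other tunnel user, so they are deliberately left out."""
    return sorted({r.query for r in dns if NGROK_TCP.match(r.query)})

def classify(dns, conns, asn):
    """Map each destination IP to a verdict by joining connections to the lookup
    that produced the address."""
    resolved = {ip: r.query for r in dns for ip in r.answers}
    c2_ips = {ip for ip, host in resolved.items() if NGROK_TCP.match(host)}
    c2_asns = {asn[ip] for ip in c2_ips if ip in asn}
    c2_ports = {c.dst_port for c in conns if c.dst_ip in c2_ips}
    verdict = {}
    for c in conns:
        host = resolved.get(c.dst_ip)
        if c.dst_ip in c2_ips:
            verdict[c.dst_ip] = f"c2: ngrok TCP tunnel {host}"
        elif host:
            verdict[c.dst_ip] = f"benign: resolved via {host}"
        elif asn.get(c.dst_ip) in c2_asns and c.dst_port in c2_ports:
            # No lookup captured, but same edge ASN and same port as the confirmed
            # tunnel: most likely the tunnel re-resolved, not new infrastructure.
            verdict[c.dst_ip] = "suspect: unresolved, same ASN and port as tunnel edge"
        else:
            verdict[c.dst_ip] = "unknown: unresolved"
    return verdict

# Constructed input. Ports are assumed; the report records only the addresses.
DNS = [
    Dns("2.tcp.eu.ngrok.io", ["18.192.93.86"]),
    Dns("updates.example.net", ["203.0.113.10"]),   # benign control
]
CONNS = [
    Conn("18.192.93.86", 15034),
    Conn("3.126.37.18", 15034),
    Conn("18.156.13.209", 15034),
    Conn("203.0.113.10", 443),
    Conn("198.51.100.7", 443),                       # unrelated, unresolved
]
ASN = {
    "18.192.93.86": 16509, "3.126.37.18": 16509, "18.156.13.209": 16509,  # AMAZON-02, per the report
    "203.0.113.10": 64496, "198.51.100.7": 64497,                          # documentation ASNs
}

if __name__ == "__main__":
    print("IOC hostnames:", tunnel_hosts(DNS))
    for ip, v in classify(DNS, CONNS, ASN).items():
        print(f"{ip:>15}  {v}")
```

The two addresses the report lists with domain "unknown" come out as suspect rather than confirmed: they share the edge ASN and port with the resolved tunnel, which is consistent with ngrok re-resolving the same endpoint, but without a captured lookup that is an inference, not an IOC.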
                Joe Sandbox Version:38.0.0 Ammolite
                Analysis ID:1347939
                Start date and time:2023-11-26 15:15:11 +01:00
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 6m 53s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:11
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample file name:NezbdhNgwG.exe
                renamed because original name is a hash value
                Original Sample Name:a650ffe73f9994ad3844fedd49ba10f3.exe
                Detection:MAL
                Classification:mal100.troj.adwa.spyw.evad.winEXE@7/4@4/3
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 143
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
Time      | Type            | Description
14:16:05  | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run  8c3a19ded61c2fe03bf66a3900261406  "C:\Users\user\Desktop\NezbdhNgwG.exe" ..
14:16:14  | Autostart       | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run  8c3a19ded61c2fe03bf66a3900261406  "C:\Users\user\Desktop\NezbdhNgwG.exe" ..
14:16:22  | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run  8c3a19ded61c2fe03bf66a3900261406  "C:\Users\user\Desktop\NezbdhNgwG.exe" ..
14:16:30  | Autostart       | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe
15:16:40  | API Interceptor | 78095x Sleep call for process: NezbdhNgwG.exe modified
Match         | Associated Sample Name / URL                                                                  | Detection | Threat Name | Context
18.192.93.86  | P90GT_Invoice_Related_Property_Tax_P800.exe                                                   | malicious | RedLine     | 2.tcp.eu.ngrok.io:17685/
18.192.93.86  | http://www.sdrclm.cn/vendor/phpdocumentor/P800/P90GT_Invoice_Related_Property_Tax_P800.exe    | malicious | RedLine     | 2.tcp.eu.ngrok.io:17685/
3.126.37.18   | xdPdkPMD8u.exe                                                                                | malicious | Njrat       |
3.126.37.18   | VBUXm77rfL.exe                                                                                | malicious | Njrat       |
3.126.37.18   | gEuhLHV0.posh.ps1                                                                             | malicious | Metasploit  |
3.126.37.18   | MibKbjH4.posh.ps1                                                                             | malicious | Unknown     |
3.126.37.18   | kXghM8bJcm.exe                                                                                | malicious | Njrat       |
3.126.37.18   | OUXkIxeP6k.exe                                                                                | malicious | Njrat       |
3.126.37.18   | eI43OwXSvq.exe                                                                                | malicious | Njrat       |
3.126.37.18   | p0zYXkMETE.exe                                                                                | malicious | Njrat       |
3.126.37.18   | i9z1c1OtFb.exe                                                                                | malicious | Njrat       |
3.126.37.18   | 7XyFhq6BDj.exe                                                                                | malicious | Njrat       |
3.126.37.18   | JYGc3o49WE.exe                                                                                | malicious | Njrat       |
3.126.37.18   | J6VIiRgq3w.exe                                                                                | malicious | Njrat       |
3.126.37.18   | cTUu5Po5Hy.exe                                                                                | malicious | Njrat       |
3.126.37.18   | KcWQQO3nZP.exe                                                                                | malicious | Njrat       |
3.126.37.18   | zep8vTa4sg.exe                                                                                | malicious | Njrat       |
3.126.37.18   | u1LwUkKDIF.exe                                                                                | malicious | Njrat       |
3.126.37.18   | QBEgLAO40T.exe                                                                                | malicious | Njrat       |
3.126.37.18   | yPGBUzqVE3.exe                                                                                | malicious | Njrat       |
3.126.37.18   | LMva1J8Xkv.exe                                                                                | malicious | Njrat       |
3.126.37.18   | XlNjZS4E8x.exe                                                                                | malicious | Njrat       |
18.156.13.209 | http://www.sdrclm.cn/vendor/phpdocumentor/P800/P90GT_Invoice_Related_Property_Tax_P800.exe    | malicious | RedLine     | 2.tcp.eu.ngrok.io:17685/
Match              | Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
2.tcp.eu.ngrok.io  | xdPdkPMD8u.exe               | malicious | Njrat       | 18.192.93.86
2.tcp.eu.ngrok.io  | VBUXm77rfL.exe               | malicious | Njrat       | 18.192.93.86
2.tcp.eu.ngrok.io  | 1UGdjTlX5v.exe               | malicious | Njrat       | 18.157.68.73
2.tcp.eu.ngrok.io  | kXghM8bJcm.exe               | malicious | Njrat       | 18.192.93.86
2.tcp.eu.ngrok.io  | OUXkIxeP6k.exe               | malicious | Njrat       | 3.126.37.18
2.tcp.eu.ngrok.io  | QzzmZiGinp.exe               | malicious | Njrat       | 18.156.13.209
2.tcp.eu.ngrok.io  | eI43OwXSvq.exe               | malicious | Njrat       | 18.197.239.5
2.tcp.eu.ngrok.io  | p0zYXkMETE.exe               | malicious | Njrat       | 18.157.68.73
2.tcp.eu.ngrok.io  | i9z1c1OtFb.exe               | malicious | Njrat       | 18.157.68.73
2.tcp.eu.ngrok.io  | aF73k2XwGj.exe               | malicious | Njrat       | 18.192.93.86
2.tcp.eu.ngrok.io  | 7XyFhq6BDj.exe               | malicious | Njrat       | 3.126.37.18
2.tcp.eu.ngrok.io  | JYGc3o49WE.exe               | malicious | Njrat       | 18.157.68.73
2.tcp.eu.ngrok.io  | J6VIiRgq3w.exe               | malicious | Njrat       | 3.126.37.18
2.tcp.eu.ngrok.io  | cTUu5Po5Hy.exe               | malicious | Njrat       | 3.126.37.18
2.tcp.eu.ngrok.io  | 7JdbeSrZ6s.exe               | malicious | Njrat       | 3.127.138.57
2.tcp.eu.ngrok.io  | KcWQQO3nZP.exe               | malicious | Njrat       | 3.126.37.18
2.tcp.eu.ngrok.io  | zep8vTa4sg.exe               | malicious | Njrat       | 18.156.13.209
2.tcp.eu.ngrok.io  | umyExrpkSF.exe               | malicious | Njrat       | 18.192.93.86
2.tcp.eu.ngrok.io  | u1LwUkKDIF.exe               | malicious | Njrat       | 18.192.93.86
2.tcp.eu.ngrok.io  | QBEgLAO40T.exe               | malicious | Njrat       | 3.126.37.18
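The domain and IP context above shows the same ngrok TCP tunnel hostname and a small pool of Amazon addresses recurring across njRAT submissions, which is what makes them usable as indicators. The following is an added example (not part of the Joe Sandbox report) of that detection logic run over DNS and connection log lines. The log format, host names, process names and the port 12345 are constructed for the example; the indicator lists are taken from this report; the generic `<n>.tcp[.<region>].ngrok.io` pattern is an assumption about ngrok's naming scheme and goes beyond the single hostname the report names.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple

# Indicators from this report: the C2 host the sample resolved and the Amazon
# addresses seen behind it here and in the related njRAT submissions.
KNOWN_C2_HOSTS = {"2.tcp.eu.ngrok.io"}
KNOWN_C2_IPS = {"18.192.93.86", "3.126.37.18", "18.156.13.209",
                "18.157.68.73", "18.197.239.5", "3.127.138.57"}
# Assumption (not stated on the page): ngrok TCP tunnel hostnames follow
# <n>.tcp[.<region>].ngrok.io, so this also catches regions other than "eu".
NGROK_TCP = re.compile(r"^\d+\.tcp(?:\.[a-z]{2})?\.ngrok\.io$", re.IGNORECASE)


class Hit(NamedTuple):
    line_no: int
    field: str
    indicator: str
    reason: str


def parse_line(line: str) -> Dict[str, str]:
    """Constructed log shape: '<timestamp> <dns|conn> key=value key=value ...'."""
    ts, kind, *rest = line.split()
    fields = {"ts": ts, "kind": kind}
    for token in rest:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def host_reason(host: str):
    host = host.rstrip(".").lower()
    if host in KNOWN_C2_HOSTS:
        return "hostname is the C2 this sample resolved"
    if NGROK_TCP.match(host):
        return "ngrok TCP tunnel hostname (relay pattern used by the related njRAT builds)"
    return None


def ip_reason(ip: str):
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    return "address seen as an ngrok tunnel endpoint for njRAT" if ip in KNOWN_C2_IPS else None


def scan(lines) -> List[Hit]:
    """Return one Hit per matching field; a DNS line can yield two (query and answer)."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        f = parse_line(line)
        if f["kind"] == "dns":
            checks = [("query", host_reason), ("answer", ip_reason)]
        elif f["kind"] == "conn":
            checks = [("dst", ip_reason)]
        else:
            checks = []
        for field, check in checks:
            value = f.get(field, "")
            reason = check(value)
            if reason:
                hits.append(Hit(n, field, value, reason))
    return hits


# Constructed sample log: one infected host and one clean-looking one.
SAMPLE_LOG = [
    "2023-11-26T14:16:00Z dns host=WIN10-01 query=ctldl.windowsupdate.com answer=198.51.100.20",
    "2023-11-26T14:16:40Z dns host=WIN10-01 query=2.tcp.eu.ngrok.io answer=18.192.93.86",
    "2023-11-26T14:16:41Z conn host=WIN10-01 proc=NezbdhNgwG.exe dst=18.192.93.86 dport=12345",
    "2023-11-26T14:20:03Z dns host=WIN10-02 query=0.tcp.ap.ngrok.io answer=203.0.113.10",
    "2023-11-26T14:21:10Z conn host=WIN10-02 proc=chrome.exe dst=198.51.100.7 dport=443",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.field}={hit.indicator}: {hit.reason}")
```

A free ngrok TCP tunnel typically changes its `<n>.tcp.<region>.ngrok.io:port` pair whenever the operator restarts the agent, which is why the hostname pattern and the ASN are more durable than any single IP:port; treat the IP list as confirmation of a hit rather than as the primary rule.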
Match          | Associated Sample Name / URL                      | Detection | Threat Name          | Context (IP)
AMAZON-02 (US) | Acknowledge_Letter.exe                            | malicious | DBatLoader, FormBook | 13.248.169.48
AMAZON-02 (US) | Summon_From_SARS.exe                              | malicious | DBatLoader, FormBook | 13.248.169.48
AMAZON-02 (US) | klWGq3yDcQ.exe                                    | malicious | Unknown              | 3.111.240.6
AMAZON-02 (US) | x4vHvrR5KfYz.exe                                  | malicious | Remcos               | 3.132.233.132
AMAZON-02 (US) | https://www.ukotayc.online/login                  | malicious | Unknown              | 52.196.133.58
AMAZON-02 (US) | https://www.clauxtw.space/login                   | malicious | Unknown              | 18.180.185.133
AMAZON-02 (US) | https://www.kmb.net.cn/login                      | malicious | Unknown              | 3.141.130.14
AMAZON-02 (US) | https://www.ydjlseub.asia/login                   | malicious | Unknown              | 52.196.133.58
AMAZON-02 (US) | https://netflix.cnetms.info/                      | malicious | Unknown              | 3.162.125.65
AMAZON-02 (US) | Clylm.exe                                         | malicious | Clipboard Hijacker   | 45.112.123.225
AMAZON-02 (US) | C4PROloader.exe                                   | malicious | Clipboard Hijacker   | 45.112.123.225
AMAZON-02 (US) | imaginebeingarm7.elf                              | malicious | Mirai, Moobot        | 54.185.230.120
AMAZON-02 (US) | imaginebeingx86.elf                               | malicious | Mirai, Moobot        | 52.13.83.141
AMAZON-02 (US) | YEcmxSymXx.elf                                    | malicious | Mirai                | 13.125.237.176
AMAZON-02 (US) | H2OePICEV5.elf                                    | malicious | Mirai                | 44.248.108.40
AMAZON-02 (US) | RMPDrCqc6N.elf                                    | malicious | Mirai                | 71.152.84.55
AMAZON-02 (US) | syms.arm.elf                                      | malicious | Mirai                | 65.1.108.0
AMAZON-02 (US) | aMGTc878Pm.exe                                    | malicious | FormBook             | 76.76.21.22
AMAZON-02 (US) | 8MlaKaB5fV.exe                                    | malicious | FormBook             | 76.76.21.61
AMAZON-02 (US) | https://helpdesk-center-id-1576761.vercel.app/#/  | malicious | Unknown              | 76.76.21.164
                                                        No context
                                                        No context
                                                        Process:C:\Users\user\Desktop\NezbdhNgwG.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):525
                                                        Entropy (8bit):5.259753436570609
                                                        Encrypted:false
                                                        SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                                                        MD5:260E01CC001F9C4643CA7A62F395D747
                                                        SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                                                        SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                                                        SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                                                        Malicious:false
                                                        Reputation:moderate, very likely benign file
                                                        Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                                        Process:C:\Users\user\Desktop\NezbdhNgwG.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):36864
                                                        Entropy (8bit):5.525477592058185
                                                        Encrypted:false
                                                        SSDEEP:384:OOtvEiTbTvpWNcZ0y8fvCv3v3cLkacpjrAF+rMRTyN/0L+EcoinblneHQM3epzX6:7t7TZ38fvCv3E1c1rM+rMRa8Numzt
                                                        MD5:A650FFE73F9994AD3844FEDD49BA10F3
                                                        SHA1:958E2C74BDF856EEB7CA4DBBF9AB746D1C85E712
                                                        SHA-256:1064502587B0806BA7B4C026520F1774E8B9446C68E511CF3EDF1850132AE699
                                                        SHA-512:A303032B3E83C43D0FDCC043C2E804061CEB04F60068E19367E27F903455028740A034FDC336A2FA52165022997FF60795CAA71555A41577C89834B9EE4B3F97
                                                        Malicious:true
                                                        Yara Hits:
                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe, Author: Joe Security
                                                        • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe, Author: unknown
                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe, Author: Brian Wallace @botnet_hunter
                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe, Author: ditekSHen
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 86%
                                                        • Antivirus: Virustotal, Detection: 83%, Browse
                                                        Reputation:low
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G[e................................. ........@.. ....................................@.................................l...O.................................................................................... ............... ..H............text....... ...................... ..`.reloc..............................@..B................................................................H........e...E..........................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                        Process:C:\Users\user\Desktop\NezbdhNgwG.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                        Process:C:\Windows\SysWOW64\netsh.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):313
                                                        Entropy (8bit):4.971939296804078
                                                        Encrypted:false
                                                        SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                                                        MD5:689E2126A85BF55121488295EE068FA1
                                                        SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                                                        SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                                                        SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
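The timeline earlier on this page records three Run values and a Startup-folder copy, all named with the same 32-hex identifier and launching the sample with a trailing " .." argument, and the dropped netsh output above shows the legacy "netsh firewall" syntax being used to add an exception. The following is an added example, not Joe Sandbox or njRAT code, of a host triage script that applies those observations: it scores autostart entries and Startup-folder files and, on Windows, collects them live from both registry views of the Run key and from the user's Startup folder. The OneDrive and SecurityHealth entries in the sample input are constructed to show what is and is not flagged; the njRAT-style entries mirror the timeline.

```python
import os
import re
import sys
from typing import List, NamedTuple, Tuple

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP_DIR = r"Microsoft\Windows\Start Menu\Programs\Startup"
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


class Finding(NamedTuple):
    source: str               # registry view label, or "Startup" for the folder
    name: str                 # Run value name or file name
    target: str               # executable the entry launches
    reasons: Tuple[str, ...]  # two or more reasons = high confidence


def exe_from_command(command: str) -> str:
    """Return the executable path from a Run value: strips quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def assess_run_values(entries) -> List[Finding]:
    """entries: iterable of (view_label, value_name, command)."""
    findings = []
    for source, name, command in entries:
        target = exe_from_command(command)
        reasons = []
        if HEX32.match(name):
            reasons.append("value name is a bare 32-hex identifier")
        if any(part in target.lower() for part in USER_WRITABLE):
            reasons.append("target lives in a user-writable directory")
        if command.rstrip().endswith(" .."):
            reasons.append('launched with the trailing " .." argument seen in this report')
        if reasons:
            findings.append(Finding(source, name, target, tuple(reasons)))
    return findings


def assess_startup_files(paths) -> List[Finding]:
    findings = []
    for path in paths:
        base = path.replace("/", "\\").rsplit("\\", 1)[-1]
        stem, _, ext = base.rpartition(".")
        reasons = []
        if ext.lower() == "exe":
            reasons.append("executable placed directly in the Startup folder (normally only .lnk files)")
        if HEX32.match(stem):
            reasons.append("file name is a bare 32-hex identifier")
        if reasons:
            findings.append(Finding("Startup", base, path, tuple(reasons)))
    return findings


def collect_windows():
    """Live collection, Windows only. HKLM is WOW64-redirected for a 32-bit sample
    like this one, so both views are read; the report labels them HKCU/HKCU64/HKLM."""
    import winreg
    views = [("HKCU", winreg.HKEY_CURRENT_USER, winreg.KEY_WOW64_32KEY),
             ("HKCU64", winreg.HKEY_CURRENT_USER, winreg.KEY_WOW64_64KEY),
             ("HKLM (WOW6432Node)", winreg.HKEY_LOCAL_MACHINE, winreg.KEY_WOW64_32KEY),
             ("HKLM64", winreg.HKEY_LOCAL_MACHINE, winreg.KEY_WOW64_64KEY)]
    entries = []
    for label, hive, view in views:
        try:
            key = winreg.OpenKey(hive, RUN_KEY, 0, winreg.KEY_READ | view)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:       # no more values
                    break
                entries.append((label, name, str(value)))
                index += 1
    startup = os.path.join(os.environ.get("APPDATA", ""), STARTUP_DIR)
    files = [os.path.join(startup, f) for f in os.listdir(startup)] if os.path.isdir(startup) else []
    return entries, files


# Constructed sample input mirroring the timeline; OneDrive/SecurityHealth are benign decoys.
SAMPLE_RUN_VALUES = [
    ("HKCU", "OneDrive", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU", "8c3a19ded61c2fe03bf66a3900261406", r'"C:\Users\user\Desktop\NezbdhNgwG.exe" ..'),
    ("HKLM", "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("HKLM", "8c3a19ded61c2fe03bf66a3900261406", r'"C:\Users\user\Desktop\NezbdhNgwG.exe" ..'),
]
SAMPLE_STARTUP = [
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c3a19ded61c2fe03bf66a3900261406.exe",
]

if __name__ == "__main__":
    runs, files = collect_windows() if sys.platform == "win32" else (SAMPLE_RUN_VALUES, SAMPLE_STARTUP)
    for f in assess_run_values(runs) + assess_startup_files(files):
        level = "HIGH" if len(f.reasons) >= 2 else "low"
        print(f"[{level}] {f.source}: {f.name} -> {f.target}\n        " + "; ".join(f.reasons))
```

Firewall exceptions are not enumerated by the script. On the host, `netsh advfirewall firewall show rule name=all verbose` lists the rule that the deprecated `netsh firewall add allowedprogram` call still creates, and its program path should be matched against the targets the script reports.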
                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):5.525477592058185
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Windows Screen Saver (13104/52) 0.07%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        File name:NezbdhNgwG.exe
                                                        File size:36'864 bytes
                                                        MD5:a650ffe73f9994ad3844fedd49ba10f3
                                                        SHA1:958e2c74bdf856eeb7ca4dbbf9ab746d1c85e712
                                                        SHA256:1064502587b0806ba7b4c026520f1774e8b9446c68e511cf3edf1850132ae699
                                                        SHA512:a303032b3e83c43d0fdcc043c2e804061ceb04f60068e19367e27f903455028740a034fdc336a2fa52165022997ff60795caa71555a41577c89834b9ee4b3f97
                                                        SSDEEP:384:OOtvEiTbTvpWNcZ0y8fvCv3v3cLkacpjrAF+rMRTyN/0L+EcoinblneHQM3epzX6:7t7TZ38fvCv3E1c1rM+rMRa8Numzt
                                                        TLSH:C8F22A4D7BE08168D9FD067B05B2E4130776E04B5E23DD0D8EF2A4EA37636D18B54EA2
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G[e................................. ........@.. ....................................@................................
                                                        Icon Hash:90cececece8e8eb0
                                                        Entrypoint:0x40abbe
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x655B47B0 [Mon Nov 20 11:49:04 2023 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744 (the generic imphash of a .NET executable whose only native import is mscoree!_CorExeMain; it identifies the runtime stub, not this family)
                                                        Instruction
jmp dword ptr [00402000h]    ; native entry stub of a 32-bit .NET image: an indirect jump through the IAT slot at RVA 0x2000 that holds mscoree!_CorExeMain
add byte ptr [eax], al       ; repeated: everything after the six-byte stub is zero padding, and 00 00 disassembles as add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xab6c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x8bc4 | 0x8c00 | False | 0.4636997767857143 | data | 5.608731270610776 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0xc000 | 0xc | 0x200 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/26/23-15:17:14.013168 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49736 | 11531 | 192.168.2.4 | 3.126.37.18
11/26/23-15:19:41.517209 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49738 | 11531 | 192.168.2.4 | 18.192.93.86
11/26/23-15:16:09.891923 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49729 | 11531 | 192.168.2.4 | 18.192.93.86
11/26/23-15:19:21.604980 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49738 | 11531 | 192.168.2.4 | 18.192.93.86
11/26/23-15:17:09.256355 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49729 | 11531 | 192.168.2.4 | 18.192.93.86
11/26/23-15:19:21.784381 | TCP | 2825563 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) | 49738 | 11531 | 192.168.2.4 | 18.192.93.86
11/26/23-15:18:17.782445 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49737 | 11531 | 192.168.2.4 | 18.156.13.209
11/26/23-15:18:09.757619 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49736 | 11531 | 192.168.2.4 | 3.126.37.18
11/26/23-15:17:09.256355 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49729 | 11531 | 192.168.2.4 | 18.192.93.86
11/26/23-15:19:21.784381 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49738 | 11531 | 192.168.2.4 | 18.192.93.86
11/26/23-15:18:17.603963 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49737 | 11531 | 192.168.2.4 | 18.156.13.209
11/26/23-15:18:42.758182 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49737 | 11531 | 192.168.2.4 | 18.156.13.209
11/26/23-15:16:10.074575 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49729 | 11531 | 192.168.2.4 | 18.192.93.86
11/26/23-15:19:41.517209 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49738 | 11531 | 192.168.2.4 | 18.192.93.86
11/26/23-15:17:13.832319 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49736 | 11531 | 192.168.2.4 | 3.126.37.18
11/26/23-15:18:09.757619 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49736 | 11531 | 192.168.2.4 | 3.126.37.18
11/26/23-15:18:17.782445 | TCP | 2825563 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) | 49737 | 11531 | 192.168.2.4 | 18.156.13.209
11/26/23-15:16:10.074575 | TCP | 2825563 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) | 49729 | 11531 | 192.168.2.4 | 18.192.93.86
11/26/23-15:18:42.758182 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49737 | 11531 | 192.168.2.4 | 18.156.13.209
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Nov 26, 2023 15:17:32.044274092 CET4973611531192.168.2.43.126.37.18
                                                        Nov 26, 2023 15:17:32.228190899 CET11531497363.126.37.18192.168.2.4
                                                        Nov 26, 2023 15:17:32.228288889 CET4973611531192.168.2.43.126.37.18
                                                        Nov 26, 2023 15:17:32.409133911 CET11531497363.126.37.18192.168.2.4
                                                        Nov 26, 2023 15:17:32.409328938 CET4973611531192.168.2.43.126.37.18
                                                        Nov 26, 2023 15:17:32.590173960 CET11531497363.126.37.18192.168.2.4
                                                        Nov 26, 2023 15:17:32.590257883 CET4973611531192.168.2.43.126.37.18
                                                        Nov 26, 2023 15:17:32.771114111 CET11531497363.126.37.18192.168.2.4
                                                        Nov 26, 2023 15:17:32.771321058 CET4973611531192.168.2.43.126.37.18
                                                        Nov 26, 2023 15:17:32.952178001 CET11531497363.126.37.18192.168.2.4
                                                        Nov 26, 2023 15:17:32.952258110 CET4973611531192.168.2.43.126.37.18
                                                        Nov 26, 2023 15:17:33.136365891 CET11531497363.126.37.18192.168.2.4
                                                        Nov 26, 2023 15:17:33.136475086 CET4973611531192.168.2.43.126.37.18
                                                        Nov 26, 2023 15:17:33.317339897 CET11531497363.126.37.18192.168.2.4
                                                        Nov 26, 2023 15:17:33.317464113 CET4973611531192.168.2.43.126.37.18
                                                        Nov 26, 2023 15:17:33.498316050 CET11531497363.126.37.18192.168.2.4
                                                        Nov 26, 2023 15:17:33.498522043 CET4973611531192.168.2.43.126.37.18
                                                        Nov 26, 2023 15:17:33.679425001 CET11531497363.126.37.18192.168.2.4
                                                        Nov 26, 2023 15:17:48.745446920 CET11531497363.126.37.18192.168.2.4
                                                        Nov 26, 2023 15:17:48.745522976 CET4973611531192.168.2.43.126.37.18
                                                        Nov 26, 2023 15:18:03.929421902 CET11531497363.126.37.18192.168.2.4
                                                        Nov 26, 2023 15:18:03.932360888 CET4973611531192.168.2.43.126.37.18
                                                        Nov 26, 2023 15:18:09.757618904 CET4973611531192.168.2.43.126.37.18
                                                        Nov 26, 2023 15:18:09.938425064 CET11531497363.126.37.18192.168.2.4
                                                        Nov 26, 2023 15:18:15.286236048 CET11531497363.126.37.18192.168.2.4
                                                        Nov 26, 2023 15:18:15.286333084 CET4973611531192.168.2.43.126.37.18
                                                        Nov 26, 2023 15:18:17.287522078 CET4973611531192.168.2.43.126.37.18
                                                        Nov 26, 2023 15:18:17.423034906 CET4973711531192.168.2.418.156.13.209
                                                        Nov 26, 2023 15:18:17.468398094 CET11531497363.126.37.18192.168.2.4
                                                        Nov 26, 2023 15:18:17.601541996 CET115314973718.156.13.209192.168.2.4
                                                        Nov 26, 2023 15:18:17.601739883 CET4973711531192.168.2.418.156.13.209
                                                        Nov 26, 2023 15:18:17.603962898 CET4973711531192.168.2.418.156.13.209
                                                        Nov 26, 2023 15:18:17.782394886 CET115314973718.156.13.209192.168.2.4
                                                        Nov 26, 2023 15:18:17.782444954 CET4973711531192.168.2.418.156.13.209
                                                        Nov 26, 2023 15:18:17.960891962 CET115314973718.156.13.209192.168.2.4
                                                        Nov 26, 2023 15:18:20.521955967 CET4973711531192.168.2.418.156.13.209
                                                        Nov 26, 2023 15:18:20.700448036 CET115314973718.156.13.209192.168.2.4
                                                        Nov 26, 2023 15:18:34.616025925 CET4973711531192.168.2.418.156.13.209
                                                        Nov 26, 2023 15:18:34.794645071 CET115314973718.156.13.209192.168.2.4
                                                        Nov 26, 2023 15:18:42.758182049 CET4973711531192.168.2.418.156.13.209
                                                        Nov 26, 2023 15:18:42.936748981 CET115314973718.156.13.209192.168.2.4
                                                        Nov 26, 2023 15:18:58.072940111 CET115314973718.156.13.209192.168.2.4
                                                        Nov 26, 2023 15:18:58.073147058 CET4973711531192.168.2.418.156.13.209
                                                        Nov 26, 2023 15:19:13.253568888 CET115314973718.156.13.209192.168.2.4
                                                        Nov 26, 2023 15:19:13.253739119 CET4973711531192.168.2.418.156.13.209
                                                        Nov 26, 2023 15:19:19.284349918 CET115314973718.156.13.209192.168.2.4
                                                        Nov 26, 2023 15:19:19.284482956 CET4973711531192.168.2.418.156.13.209
                                                        Nov 26, 2023 15:19:21.287312031 CET4973711531192.168.2.418.156.13.209
                                                        Nov 26, 2023 15:19:21.423450947 CET4973811531192.168.2.418.192.93.86
                                                        Nov 26, 2023 15:19:21.466115952 CET115314973718.156.13.209192.168.2.4
                                                        Nov 26, 2023 15:19:21.602653980 CET115314973818.192.93.86192.168.2.4
                                                        Nov 26, 2023 15:19:21.602735043 CET4973811531192.168.2.418.192.93.86
                                                        Nov 26, 2023 15:19:21.604979992 CET4973811531192.168.2.418.192.93.86
                                                        Nov 26, 2023 15:19:21.784280062 CET115314973818.192.93.86192.168.2.4
                                                        Nov 26, 2023 15:19:21.784380913 CET4973811531192.168.2.418.192.93.86
                                                        Nov 26, 2023 15:19:21.963493109 CET115314973818.192.93.86192.168.2.4
                                                        Nov 26, 2023 15:19:24.662637949 CET4973811531192.168.2.418.192.93.86
                                                        Nov 26, 2023 15:19:24.841862917 CET115314973818.192.93.86192.168.2.4
                                                        Nov 26, 2023 15:19:32.054653883 CET4973811531192.168.2.418.192.93.86
                                                        Nov 26, 2023 15:19:32.233968019 CET115314973818.192.93.86192.168.2.4
                                                        Nov 26, 2023 15:19:33.476535082 CET4973811531192.168.2.418.192.93.86
                                                        Nov 26, 2023 15:19:33.655824900 CET115314973818.192.93.86192.168.2.4
                                                        Nov 26, 2023 15:19:39.420361996 CET4973811531192.168.2.418.192.93.86
                                                        Nov 26, 2023 15:19:39.599628925 CET115314973818.192.93.86192.168.2.4
                                                        Nov 26, 2023 15:19:39.617821932 CET4973811531192.168.2.418.192.93.86
                                                        Nov 26, 2023 15:19:39.798747063 CET115314973818.192.93.86192.168.2.4
                                                        Nov 26, 2023 15:19:40.799016953 CET4973811531192.168.2.418.192.93.86
                                                        Nov 26, 2023 15:19:40.978250027 CET115314973818.192.93.86192.168.2.4
                                                        Nov 26, 2023 15:19:40.978458881 CET4973811531192.168.2.418.192.93.86
                                                        Nov 26, 2023 15:19:41.158391953 CET115314973818.192.93.86192.168.2.4
                                                        Nov 26, 2023 15:19:41.158543110 CET4973811531192.168.2.418.192.93.86
                                                        Nov 26, 2023 15:19:41.337805033 CET115314973818.192.93.86192.168.2.4
                                                        Nov 26, 2023 15:19:41.337951899 CET4973811531192.168.2.418.192.93.86
                                                        Nov 26, 2023 15:19:41.517117023 CET115314973818.192.93.86192.168.2.4
                                                        Nov 26, 2023 15:19:41.517209053 CET4973811531192.168.2.418.192.93.86
                                                        Nov 26, 2023 15:19:41.696475029 CET115314973818.192.93.86192.168.2.4
                                                        Nov 26, 2023 15:19:56.724064112 CET115314973818.192.93.86192.168.2.4
                                                        Nov 26, 2023 15:19:56.724136114 CET4973811531192.168.2.418.192.93.86
                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Nov 26, 2023 15:16:09.294425011 CET | 54386 | 53 | 192.168.2.4 | 1.1.1.1
                                                        Nov 26, 2023 15:16:09.428083897 CET | 53 | 54386 | 1.1.1.1 | 192.168.2.4
                                                        Nov 26, 2023 15:17:13.512598038 CET | 56512 | 53 | 192.168.2.4 | 1.1.1.1
                                                        Nov 26, 2023 15:17:13.645319939 CET | 53 | 56512 | 1.1.1.1 | 192.168.2.4
                                                        Nov 26, 2023 15:18:17.289370060 CET | 56393 | 53 | 192.168.2.4 | 1.1.1.1
                                                        Nov 26, 2023 15:18:17.421515942 CET | 53 | 56393 | 1.1.1.1 | 192.168.2.4
                                                        Nov 26, 2023 15:19:21.288693905 CET | 51800 | 53 | 192.168.2.4 | 1.1.1.1
                                                        Nov 26, 2023 15:19:21.422415972 CET | 53 | 51800 | 1.1.1.1 | 192.168.2.4

                                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                        Nov 26, 2023 15:16:09.294425011 CET | 192.168.2.4 | 1.1.1.1 | 0x1413 | Standard query (0) | 2.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
                                                        Nov 26, 2023 15:17:13.512598038 CET | 192.168.2.4 | 1.1.1.1 | 0x77c0 | Standard query (0) | 2.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
                                                        Nov 26, 2023 15:18:17.289370060 CET | 192.168.2.4 | 1.1.1.1 | 0xe20d | Standard query (0) | 2.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
                                                        Nov 26, 2023 15:19:21.288693905 CET | 192.168.2.4 | 1.1.1.1 | 0x8067 | Standard query (0) | 2.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false

                                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                        Nov 26, 2023 15:16:09.428083897 CET | 1.1.1.1 | 192.168.2.4 | 0x1413 | No error (0) | 2.tcp.eu.ngrok.io | | 18.192.93.86 | A (IP address) | IN (0x0001) | false
                                                        Nov 26, 2023 15:17:13.645319939 CET | 1.1.1.1 | 192.168.2.4 | 0x77c0 | No error (0) | 2.tcp.eu.ngrok.io | | 3.126.37.18 | A (IP address) | IN (0x0001) | false
                                                        Nov 26, 2023 15:18:17.421515942 CET | 1.1.1.1 | 192.168.2.4 | 0xe20d | No error (0) | 2.tcp.eu.ngrok.io | | 18.156.13.209 | A (IP address) | IN (0x0001) | false
                                                        Nov 26, 2023 15:19:21.422415972 CET | 1.1.1.1 | 192.168.2.4 | 0x8067 | No error (0) | 2.tcp.eu.ngrok.io | | 18.192.93.86 | A (IP address) | IN (0x0001) | false
                                                        Target ID:0
                                                        Start time:15:15:59
                                                        Start date:26/11/2023
                                                        Path:C:\Users\user\Desktop\NezbdhNgwG.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\Desktop\NezbdhNgwG.exe
                                                        Imagebase:0x20000
                                                        File size:36'864 bytes
                                                        MD5 hash:A650FFE73F9994AD3844FEDD49BA10F3
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1642177967.0000000000022000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1642177967.0000000000022000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.1642177967.0000000000022000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.4081955950.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:false

                                                        Target ID:1
                                                        Start time:15:16:05
                                                        Start date:26/11/2023
                                                        Path:C:\Windows\SysWOW64\netsh.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:netsh firewall add allowedprogram "C:\Users\user\Desktop\NezbdhNgwG.exe" "NezbdhNgwG.exe" ENABLE
                                                        Imagebase:0x1560000
                                                        File size:82'432 bytes
                                                        MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:15:16:05
                                                        Start date:26/11/2023
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:15:16:14
                                                        Start date:26/11/2023
                                                        Path:C:\Users\user\Desktop\NezbdhNgwG.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\NezbdhNgwG.exe" ..
                                                        Imagebase:0x330000
                                                        File size:36'864 bytes
                                                        MD5 hash:A650FFE73F9994AD3844FEDD49BA10F3
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:15:16:22
                                                        Start date:26/11/2023
                                                        Path:C:\Users\user\Desktop\NezbdhNgwG.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\NezbdhNgwG.exe" ..
                                                        Imagebase:0x9f0000
                                                        File size:36'864 bytes
                                                        MD5 hash:A650FFE73F9994AD3844FEDD49BA10F3
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:15:16:30
                                                        Start date:26/11/2023
                                                        Path:C:\Users\user\Desktop\NezbdhNgwG.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\NezbdhNgwG.exe" ..
                                                        Imagebase:0x1c0000
                                                        File size:36'864 bytes
                                                        MD5 hash:A650FFE73F9994AD3844FEDD49BA10F3
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:low
                                                        Has exited:true

                                                          Execution Graph

                                                          Execution Coverage:17.9%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:13.1%
                                                          Total number of Nodes:175
                                                          Total number of Limit Nodes:7
                                                          APIs
                                                          • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0060B8E3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: AdjustPrivilegesToken
                                                          • String ID:
                                                          • API String ID: 2874748243-0
                                                          • Opcode ID: 729e8e35b5392b9e5f46e9c69dc9c990b9def7551a5a6369a65d855d142f8e31
                                                          • Instruction ID: e93a8ffba069c0981ad0e081a5eba6f157fe0a0d5fd86f5cadd28650b86ebfde
                                                          • Opcode Fuzzy Hash: 729e8e35b5392b9e5f46e9c69dc9c990b9def7551a5a6369a65d855d142f8e31
                                                          • Instruction Fuzzy Hash: 9E21B1755097809FDB228F25DC40B92BFB4EF16310F08849AE9848B6A3D2709908DB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtQuerySystemInformation.NTDLL ref: 0060BF05
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: InformationQuerySystem
                                                          • String ID:
                                                          • API String ID: 3562636166-0
                                                          • Opcode ID: 005e137009ecfc2c4a77ada18dacc7e29bf15279f97c9516f85a66afde317cbb
                                                          • Instruction ID: 3c359f932ad71176328de2905c6a795550322560f063fe275235b324788d06e7
                                                          • Opcode Fuzzy Hash: 005e137009ecfc2c4a77ada18dacc7e29bf15279f97c9516f85a66afde317cbb
                                                          • Instruction Fuzzy Hash: 1421DEB54097C09FDB238B20DC41A52FFB0EF17314F0980CBE9848B1A3D265A90DDB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0060B8E3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: AdjustPrivilegesToken
                                                          • String ID:
                                                          • API String ID: 2874748243-0
                                                          • Opcode ID: 769f16ef42afa41d902ac3f844881a3ee2d5e73b8d099ab7b3111810904de358
                                                          • Instruction ID: d86f97f508812bc48b3d8783795a17ded90c76470cc8551486f9bac946a09b42
                                                          • Opcode Fuzzy Hash: 769f16ef42afa41d902ac3f844881a3ee2d5e73b8d099ab7b3111810904de358
                                                          • Instruction Fuzzy Hash: 8F1182726007409FEB20CF55D984B66FBE8EF05320F08C86ADE458B661D375E818DF62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtSetInformationProcess.NTDLL ref: 0060BC25
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: InformationProcess
                                                          • String ID:
                                                          • API String ID: 1801817001-0
                                                          • Opcode ID: c162e9a90655596e5df6ecf3a1786eabfd3a161d51917b589798107ddcfcd5d9
                                                          • Instruction ID: a3d513a5dc1b772a330c367c40cab5a1d41f2581df5f8da38376b06252b7e710
                                                          • Opcode Fuzzy Hash: c162e9a90655596e5df6ecf3a1786eabfd3a161d51917b589798107ddcfcd5d9
                                                          • Instruction Fuzzy Hash: 7B11CE71549780AFDB228F11DC44E62FFB4EF16324F09C49EEE844B662C275A918DB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtSetInformationProcess.NTDLL ref: 0060BC25
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: InformationProcess
                                                          • String ID:
                                                          • API String ID: 1801817001-0
                                                          • Opcode ID: 0fdc7180e7b2fab19ad77a4287982a7ceca401d9063e2513c8024d9d7bbbf743
                                                          • Instruction ID: 817fd653cd927eea335f7aab0004c612527529d198f9c1de6d41308dc3cfb722
                                                          • Opcode Fuzzy Hash: 0fdc7180e7b2fab19ad77a4287982a7ceca401d9063e2513c8024d9d7bbbf743
                                                          • Instruction Fuzzy Hash: A301AD715406409FEB208F05D984B62FBE0EF08724F08C4AADE490B7A2C775E458DFA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtQuerySystemInformation.NTDLL ref: 0060BF05
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: InformationQuerySystem
                                                          • String ID:
                                                          • API String ID: 3562636166-0
                                                          • Opcode ID: 0fdc7180e7b2fab19ad77a4287982a7ceca401d9063e2513c8024d9d7bbbf743
                                                          • Instruction ID: 03d6ff5109933f3a4744e5f3984eb5dd5caf55c455c66c0ec8d8cbafdfb5f2e4
                                                          • Opcode Fuzzy Hash: 0fdc7180e7b2fab19ad77a4287982a7ceca401d9063e2513c8024d9d7bbbf743
                                                          • Instruction Fuzzy Hash: BA01AD715406409FDB208F05ED84B62FBE0EF08724F08C4AADE490B792D375E818DFA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081833983.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_a30000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2e9f39999ab26ab773f549dacc9ea2f448b2ae822db3892754bb8d05e6d30b59
                                                          • Instruction ID: 182156102e87495d0a7e16b0e911bf8ca1dc1966a455e05590b64409490f656e
                                                          • Opcode Fuzzy Hash: 2e9f39999ab26ab773f549dacc9ea2f448b2ae822db3892754bb8d05e6d30b59
                                                          • Instruction Fuzzy Hash: 67327B307102018BDB18EB79D5617BE77E6AF88308F14842AE446DB799DF38DC46CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered image; legend: Executed / Not Executed; extracted node and edge text follows)
                                                          control_flow_graph 126 a30f90-a30fcb KiUserExceptionDispatcher 129 a30fd3 126->129 130 a30fd5-a3100e 129->130 134 a31010-a31012 130->134 135 a3105d-a31060 130->135 162 a31014 call a32121 134->162 163 a31014 call bd0606 134->163 164 a31014 call bd05e0 134->164 136 a31062-a31070 135->136 137 a310dd-a310fa 135->137 136->130 138 a31076-a3107a 136->138 141 a310ce-a310d8 138->141 142 a3107c-a3108d 138->142 139 a3101a-a31029 143 a3102b-a3102e 139->143 144 a3105a 139->144 141->129 142->137 149 a3108f-a3109f 142->149 159 a31030 call a32f79 143->159 160 a31030 call bd0606 143->160 161 a31030 call bd05e0 143->161 144->135 148 a31036-a31052 148->144 151 a310a1-a310ac 149->151 152 a310c0-a310c6 149->152 151->137 154 a310ae-a310b8 151->154 152->141 154->152 159->148 160->148 161->148 162->139 163->139 164->139
                                                          APIs
                                                          • KiUserExceptionDispatcher.NTDLL ref: 00A30FB7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081833983.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_a30000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: DispatcherExceptionUser
                                                          • String ID:
                                                          • API String ID: 6842923-0
                                                          • Opcode ID: ed2487b9d598487b1a129f966948d7b872ed06fd0551c5184404b4205bf961ce
                                                          • Instruction ID: fc003c43184c0136776c15300493cf56edb8505db480b579541fbd1cb74762d6
                                                          • Opcode Fuzzy Hash: ed2487b9d598487b1a129f966948d7b872ed06fd0551c5184404b4205bf961ce
                                                          • Instruction Fuzzy Hash: 0D418D317102018FCB14DF78D8946AEB7A6AF84204F148479E809DB39ADF39CD86CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered image; legend: Executed / Not Executed; extracted node and edge text follows)
                                                          control_flow_graph 165 a30f80-a30f88 166 a30f8a-a30f96 165->166 167 a30f98-a30fbd KiUserExceptionDispatcher 165->167 166->167 168 a30fc4-a30fcb 167->168 170 a30fd3 168->170 171 a30fd5-a3100e 170->171 175 a31010-a31012 171->175 176 a3105d-a31060 171->176 203 a31014 call a32121 175->203 204 a31014 call bd0606 175->204 205 a31014 call bd05e0 175->205 177 a31062-a31070 176->177 178 a310dd-a310fa 176->178 177->171 179 a31076-a3107a 177->179 182 a310ce-a310d8 179->182 183 a3107c-a3108d 179->183 180 a3101a-a31029 184 a3102b-a3102e 180->184 185 a3105a 180->185 182->170 183->178 190 a3108f-a3109f 183->190 200 a31030 call a32f79 184->200 201 a31030 call bd0606 184->201 202 a31030 call bd05e0 184->202 185->176 189 a31036-a31052 189->185 192 a310a1-a310ac 190->192 193 a310c0-a310c6 190->193 192->178 195 a310ae-a310b8 192->195 193->182 195->193 200->189 201->189 202->189 203->180 204->180 205->180
                                                          APIs
                                                          • KiUserExceptionDispatcher.NTDLL ref: 00A30FB7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081833983.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_a30000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: DispatcherExceptionUser
                                                          • String ID:
                                                          • API String ID: 6842923-0
                                                          • Opcode ID: 7c6315d2dbbdffe9624b6d7628e9c32d7e3411a15946809b9055d8ea46a9cf6f
                                                          • Instruction ID: 2b75932573bf15d80f22c2c7478752fd9607051d14888eddaf4d1be0c5744e5a
                                                          • Opcode Fuzzy Hash: 7c6315d2dbbdffe9624b6d7628e9c32d7e3411a15946809b9055d8ea46a9cf6f
                                                          • Instruction Fuzzy Hash: 304162357102018FCB14DF34C994AAA77E6AF45314F188479E805DF39AEB39DD86CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered image; legend: Executed / Not Executed; extracted node and edge text follows)
                                                          control_flow_graph 206 bc1c32-bc1d18 GetVolumeInformationA 210 bc1d1e-bc1d47 206->210
                                                          APIs
                                                          • GetVolumeInformationA.KERNEL32(?,00000E24,?,?), ref: 00BC1D16
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: InformationVolume
                                                          • String ID:
                                                          • API String ID: 2039140958-0
                                                          • Opcode ID: b7291da6b801768a785cdbcddc123975f2e1e5e9ccae04df93e7347913342554
                                                          • Instruction ID: be6da567c2a3887278f40a8314ca13e9e6e5a1594a216210bbcb056d63bccc4a
                                                          • Opcode Fuzzy Hash: b7291da6b801768a785cdbcddc123975f2e1e5e9ccae04df93e7347913342554
                                                          • Instruction Fuzzy Hash: EA415C6150E3C16FD3038B358C61AA2BFB4AF47210F1E85CBD8C4CF5A3D6246959C7A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered image; legend: Executed / Not Executed; extracted node and edge text follows)
                                                          control_flow_graph 212 bc2c1a-bc2c9e 216 bc2ca0 212->216 217 bc2ca3-bc2caf 212->217 216->217 218 bc2cb4-bc2cbd 217->218 219 bc2cb1 217->219 220 bc2cbf 218->220 221 bc2cc2-bc2cd9 218->221 219->218 220->221 223 bc2d1b-bc2d20 221->223 224 bc2cdb-bc2cee RegCreateKeyExW 221->224 223->224 225 bc2cf0-bc2d18 224->225 226 bc2d22-bc2d27 224->226 226->225
                                                          APIs
                                                          • RegCreateKeyExW.KERNEL32(?,00000E24), ref: 00BC2CE1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: 0f563ae741bbffee00e9abfc645e23ebd5faf467cf8169e46cdd5bf9b55a86b7
                                                          • Instruction ID: c152077f7004067e9296a15f8aefe1dfe0e52900a27e4a162e7d520603b51413
                                                          • Opcode Fuzzy Hash: 0f563ae741bbffee00e9abfc645e23ebd5faf467cf8169e46cdd5bf9b55a86b7
                                                          • Instruction Fuzzy Hash: 06316F72504744AFE7218F65CC44FA7BBFCEF19314F08859AE9858B662D324E909CB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered image; legend: Executed / Not Executed; extracted node and edge text follows)
                                                          control_flow_graph 231 bc0d77-bc0d97 232 bc0db9-bc0deb 231->232 233 bc0d99-bc0db8 231->233 237 bc0dee-bc0e46 RegQueryValueExW 232->237 233->232 239 bc0e4c-bc0e62 237->239
                                                          APIs
                                                          • RegQueryValueExW.KERNEL32(?,00000E24,?,?), ref: 00BC0E3E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: QueryValue
                                                          • String ID:
                                                          • API String ID: 3660427363-0
                                                          • Opcode ID: 65e4363bce503cd7ebb9652410f51d4fa2241264d04e74840e3747cf862d7ae4
                                                          • Instruction ID: 36f96eb9561a147ba42321273e8f6dba79c678c0889d710c32cd571da9187bc8
                                                          • Opcode Fuzzy Hash: 65e4363bce503cd7ebb9652410f51d4fa2241264d04e74840e3747cf862d7ae4
                                                          • Instruction Fuzzy Hash: 6B317C6510E7C0AFD3139B258C61A61BFB4EF47610F0E45CBD8C48F6A3D229A919D7B2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered image; legend: Executed / Not Executed; extracted node and edge text follows)
                                                          control_flow_graph 240 bc19a4-bc1a63 246 bc1ab5-bc1aba 240->246 247 bc1a65-bc1a6d getaddrinfo 240->247 246->247 248 bc1a73-bc1a85 247->248 250 bc1abc-bc1ac1 248->250 251 bc1a87-bc1ab2 248->251 250->251
                                                          APIs
                                                          • getaddrinfo.WS2_32(?,00000E24), ref: 00BC1A6B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: getaddrinfo
                                                          • String ID:
                                                          • API String ID: 300660673-0
                                                          • Opcode ID: d830a50fd064bdb0dd8610bcc5309763ddbf2ef8d49618da99c7babd65a8f268
                                                          • Instruction ID: dff7f9b262bce6381be3b0e7f936bbbe329bf5d37d6c673269da85dea3c66265
                                                          • Opcode Fuzzy Hash: d830a50fd064bdb0dd8610bcc5309763ddbf2ef8d49618da99c7babd65a8f268
                                                          • Instruction Fuzzy Hash: BE31BFB1100340AFE721CB60CC84FA6FBACEF15314F04889AFA489B682D374E909CB71
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered image; legend: Executed / Not Executed; extracted node and edge text follows)
                                                          control_flow_graph 255 60aa52-60aab8 257 60aabe-60aacf 255->257 258 60aad5-60aae1 257->258 259 60aae3 258->259 260 60aae6-60aafd 258->260 259->260 262 60ab3f-60ab44 260->262 263 60aaff-60ab12 RegOpenKeyExW 260->263 262->263 264 60ab14-60ab3c 263->264 265 60ab46-60ab4b 263->265 265->264
                                                          APIs
                                                          • RegOpenKeyExW.KERNEL32(?,00000E24), ref: 0060AB05
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: Open
                                                          • String ID:
                                                          • API String ID: 71445658-0
                                                          • Opcode ID: c912ebcbee2d1a051472d7718a25aa893db8fa9d39a2fc62efc29f6b688193cc
                                                          • Instruction ID: 01c0ad4641c2e4f92628ec356281a08863980c8a5502cdb790531dde3b6798ab
                                                          • Opcode Fuzzy Hash: c912ebcbee2d1a051472d7718a25aa893db8fa9d39a2fc62efc29f6b688193cc
                                                          • Instruction Fuzzy Hash: 153197725083846FE7228B61CC44FA7BFBCEF16214F08849AE9848B652D324E909C772
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered image; legend: Executed / Not Executed; extracted node and edge text follows)
                                                          control_flow_graph 270 60a612-60a695 274 60a697 270->274 275 60a69a-60a6a3 270->275 274->275 276 60a6a5 275->276 277 60a6a8-60a6b1 275->277 276->277 278 60a702-60a707 277->278 279 60a6b3-60a6d7 CreateMutexW 277->279 278->279 282 60a709-60a70e 279->282 283 60a6d9-60a6ff 279->283 282->283
                                                          APIs
                                                          • CreateMutexW.KERNEL32(?,?), ref: 0060A6B9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: CreateMutex
                                                          • String ID:
                                                          • API String ID: 1964310414-0
                                                          • Opcode ID: f62432874b99138bf3873324076997a2b346536c13e4df103051cbc78dd46ac5
                                                          • Instruction ID: ee7ccc1a48fb987650e0dec51f428515d06e286fa7d0fd8d96210576f2660c95
                                                          • Opcode Fuzzy Hash: f62432874b99138bf3873324076997a2b346536c13e4df103051cbc78dd46ac5
                                                          • Instruction Fuzzy Hash: AA3181B55093806FE711CB65DC85B96BFF8EF16310F08849AE984CB292D375E909C762
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered image; legend: Executed / Not Executed; extracted node and edge text follows)
                                                          control_flow_graph 286 bc1290-bc1311 290 bc1316-bc131f 286->290 291 bc1313 286->291 292 bc1377-bc137c 290->292 293 bc1321-bc1329 ConvertStringSecurityDescriptorToSecurityDescriptorW 290->293 291->290 292->293 294 bc132f-bc1341 293->294 296 bc137e-bc1383 294->296 297 bc1343-bc1374 294->297 296->297
                                                          APIs
                                                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 00BC1327
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: DescriptorSecurity$ConvertString
                                                          • String ID:
                                                          • API String ID: 3907675253-0
                                                          • Opcode ID: cd428b39426f7dfc458b252cddc6fb9e1b0d889b335e620995d1042169f786f8
                                                          • Instruction ID: c6563a8b4fcb2024e97f6a699c3ae7f32f2acb9b4a3ab8de92e1a6debd3fe575
                                                          • Opcode Fuzzy Hash: cd428b39426f7dfc458b252cddc6fb9e1b0d889b335e620995d1042169f786f8
                                                          • Instruction Fuzzy Hash: 7931B4716043846FE7218B64DC44FA6BBF8EF46214F08889AE944DB652D364E909CB71
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered image; legend: Executed / Not Executed; extracted node and edge text follows)
                                                          control_flow_graph 301 60adad-60ae2a 305 60ae2c 301->305 306 60ae2f-60ae3b 301->306 305->306 307 60ae40-60ae49 306->307 308 60ae3d 306->308 309 60ae9a-60ae9f 307->309 310 60ae4b-60ae6f CreateFileW 307->310 308->307 309->310 313 60aea1-60aea6 310->313 314 60ae71-60ae97 310->314 313->314
                                                          APIs
                                                          • CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 0060AE51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: 2929cd308041a67fb27787889f0ade96a0fd765e85f7c65556f32d5aff5eecba
                                                          • Instruction ID: 7981815c6ffba1d88ddb7b5e74520079d404cf1a29face1bed13202d84c115df
                                                          • Opcode Fuzzy Hash: 2929cd308041a67fb27787889f0ade96a0fd765e85f7c65556f32d5aff5eecba
                                                          • Instruction Fuzzy Hash: E2318F71504340AFE721CF65DC84FA7BBF8EF19310F08849AE9898B652D375E918CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered image; legend: Executed / Not Executed; extracted node and edge text follows)
                                                          control_flow_graph 317 bc2c46-bc2c9e 320 bc2ca0 317->320 321 bc2ca3-bc2caf 317->321 320->321 322 bc2cb4-bc2cbd 321->322 323 bc2cb1 321->323 324 bc2cbf 322->324 325 bc2cc2-bc2cd9 322->325 323->322 324->325 327 bc2d1b-bc2d20 325->327 328 bc2cdb-bc2cee RegCreateKeyExW 325->328 327->328 329 bc2cf0-bc2d18 328->329 330 bc2d22-bc2d27 328->330 330->329
                                                          APIs
                                                          • RegCreateKeyExW.KERNEL32(?,00000E24), ref: 00BC2CE1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: 5cbbe37efe0c684a347a2f7a421a81c3581217f966fbd0063ad54bdabd4ca811
                                                          • Instruction ID: 0978ca9b4095db06359a305c9ffec1818af64f83fd12867eea829ecd48c90069
                                                          • Opcode Fuzzy Hash: 5cbbe37efe0c684a347a2f7a421a81c3581217f966fbd0063ad54bdabd4ca811
                                                          • Instruction Fuzzy Hash: 01218D72600604AFEB319F65CC84FABBBECEF28714F04846AE945C7651D724E9098B71
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (basic blocks with successor edges; the executed/not-executed shading of the graph image is not reproduced in text)
                                                          • 335: 60a361-60a3cf → 338, 339
                                                          • 338: 60a3d1 → 339
                                                          • 339: 60a3d4-60a3dd → 340, 341
                                                          • 340: 60a3e2-60a3e8 → 342, 343
                                                          • 341: 60a3df → 340
                                                          • 342: 60a3ea → 343
                                                          • 343: 60a3ed-60a404 → 345, 346
                                                          • 345: 60a406-60a419 (RegQueryValueExW) → 347, 348
                                                          • 346: 60a43b-60a440 → 345
                                                          • 347: 60a442-60a447 → 348
                                                          • 348: 60a41b-60a438
                                                          APIs
                                                          • RegQueryValueExW.KERNEL32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 0060A40C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: QueryValue
                                                          • String ID:
                                                          • API String ID: 3660427363-0
                                                          • Opcode ID: 3717dc42499de48b89fa9c01e496275e81b017c397988977e5bd751f70a67133
                                                          • Instruction ID: c0bc727d511838bf50c677578bbeff94e59f8e73a06612eb696ac48a52a56415
                                                          • Opcode Fuzzy Hash: 3717dc42499de48b89fa9c01e496275e81b017c397988977e5bd751f70a67133
                                                          • Instruction Fuzzy Hash: 1D318075505780AFE721CF51CC84F93BBF8EF06314F08849AE985CB292D364E909CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (basic blocks with successor edges; the executed/not-executed shading of the graph image is not reproduced in text)
                                                          • 352: 60bad0-60bb5c → 356, 357
                                                          • 356: 60bba7-60bbac → 357
                                                          • 357: 60bb5e-60bb66 (GetExitCodeProcess) → 359
                                                          • 359: 60bb6c-60bb7e → 360, 361
                                                          • 360: 60bb80-60bba6
                                                          • 361: 60bbae-60bbb3 → 360
                                                          APIs
                                                          • GetExitCodeProcess.KERNEL32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 0060BB64
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: CodeExitProcess
                                                          • String ID:
                                                          • API String ID: 3861947596-0
                                                          • Opcode ID: d9c965f9883dddf003062ac17675898f2eb66cd7ad3083b76e03bbe50b593b7c
                                                          • Instruction ID: b6a957ffa3eabed911828784cdd15be2f2ade5ce114433a4c88e6993974d43e8
                                                          • Opcode Fuzzy Hash: d9c965f9883dddf003062ac17675898f2eb66cd7ad3083b76e03bbe50b593b7c
                                                          • Instruction Fuzzy Hash: EE21E5B15093805FE7128F21DC45BA6BFB8EF56324F0884DBE984CF193D364AA09CB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetProcessTimes.KERNEL32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 00BC1939
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ProcessTimes
                                                          • String ID:
                                                          • API String ID: 1995159646-0
                                                          • Opcode ID: e53463ce4defd6676e2be23c773e8b09e0ab503b3eacfe832e8150cd58a6e415
                                                          • Instruction ID: 578b02fd615ff44af0f3a2ab64425e373e2474e3cc04ca67c957188f3b5f837c
                                                          • Opcode Fuzzy Hash: e53463ce4defd6676e2be23c773e8b09e0ab503b3eacfe832e8150cd58a6e415
                                                          • Instruction Fuzzy Hash: 912106B2504340AFE7228F54DC45F96BFB8EF16324F04849AE9458B552D334A909CBB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetProcessWorkingSetSize.KERNEL32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 00BC301F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ProcessSizeWorking
                                                          • String ID:
                                                          • API String ID: 3584180929-0
                                                          • Opcode ID: 26f63e15c7c58c1aa8ac580ed9a57cc6eee5856731c71be5a2273099124314c2
                                                          • Instruction ID: 9da0d5779ec676aa4473aa2c1ace7cf8060b76716e5f57c965dcaab52a67cad7
                                                          • Opcode Fuzzy Hash: 26f63e15c7c58c1aa8ac580ed9a57cc6eee5856731c71be5a2273099124314c2
                                                          • Instruction Fuzzy Hash: A221D5B25093C05FE712CB20DC54B96BFB8EF56314F08C4DAE9888F193D225A949C772
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • getaddrinfo.WS2_32(?,00000E24), ref: 00BC1A6B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: getaddrinfo
                                                          • String ID:
                                                          • API String ID: 300660673-0
                                                          • Opcode ID: 4f7db0b7402cf28875354c9a565c10ccce1fd7dc09c16976945ede94cd86d0fb
                                                          • Instruction ID: 6f754f7c60d50c166eae831f7f8ba5b74c4b7f2daf097fa3e7770d5895e54f28
                                                          • Opcode Fuzzy Hash: 4f7db0b7402cf28875354c9a565c10ccce1fd7dc09c16976945ede94cd86d0fb
                                                          • Instruction Fuzzy Hash: 0F21A371600204AEF720DF64CC84FAAF7ECEF14714F04885AFA499A681D775E5098B71
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: select
                                                          • String ID:
                                                          • API String ID: 1274211008-0
                                                          • Opcode ID: 24fd6194a5eabe48ac1937c3b04b4088725da06f19dda64a26136f883f15b3e5
                                                          • Instruction ID: 568577c97ed9279133477bdceaba173610716e2ef37bc7a674907ca09c2faf02
                                                          • Opcode Fuzzy Hash: 24fd6194a5eabe48ac1937c3b04b4088725da06f19dda64a26136f883f15b3e5
                                                          • Instruction Fuzzy Hash: 932139755093849FDB22CF25D844BA2FFF8EF06314B0984DAE984CB262D275A909DB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetFileType.KERNEL32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 0060AF3D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: FileType
                                                          • String ID:
                                                          • API String ID: 3081899298-0
                                                          • Opcode ID: 5e7c0499120d2caee599825e19bf280ad3ff6971fa4cc73c4da8d1b691b21aa2
                                                          • Instruction ID: b14d354eac5a965216e8de2bc84e76fec36ef0b196ef19a5771108aac73b88ce
                                                          • Opcode Fuzzy Hash: 5e7c0499120d2caee599825e19bf280ad3ff6971fa4cc73c4da8d1b691b21aa2
                                                          • Instruction Fuzzy Hash: CD212BB55093805FE7128B11DC41BA2BFBCEF16324F0880D6E9448B293D364A909C771
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegSetValueExW.KERNEL32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 0060A4F8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: 8a56b692783cd8cb9dfa7c473c3a0d20b9048bd2f043f3ad4b2fcc93abedc0f3
                                                          • Instruction ID: e54d8d6637b8fc86071fb84c4b15274abd9e32521283972bf8b6d6a952cbf7f3
                                                          • Opcode Fuzzy Hash: 8a56b692783cd8cb9dfa7c473c3a0d20b9048bd2f043f3ad4b2fcc93abedc0f3
                                                          • Instruction Fuzzy Hash: C72190B65443806FD7228F51DC44FA7BFB8EF56214F08849AE985CB692D364E908C772
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WSASocketW.WS2_32(?,?,?,?,?), ref: 00BC0EF6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: Socket
                                                          • String ID:
                                                          • API String ID: 38366605-0
                                                          • Opcode ID: 2fe5171b8145b5afd210323a50efe374ba56479a8c8873a2670956318f008998
                                                          • Instruction ID: 65e292a70c687dbf79bd550e9dfd080b86839442c9b3d4195f43b96dde902d41
                                                          • Opcode Fuzzy Hash: 2fe5171b8145b5afd210323a50efe374ba56479a8c8873a2670956318f008998
                                                          • Instruction Fuzzy Hash: BC218271505380AFE721CF51DC45F96FFF8EF09210F04889EE9858B652D375A519CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: FileView
                                                          • String ID:
                                                          • API String ID: 3314676101-0
                                                          • Opcode ID: 9c9f6023c5006ba38f2f8cd3067160dc64e2f68641093a7c0cf983c041d8f489
                                                          • Instruction ID: e0683e63133049d8904801a22016dfc1543fe05c3674bb5974d7ce43c0e4b5ca
                                                          • Opcode Fuzzy Hash: 9c9f6023c5006ba38f2f8cd3067160dc64e2f68641093a7c0cf983c041d8f489
                                                          • Instruction Fuzzy Hash: 6C21A071505380AFE722CF15CC44F96FBF8EF19214F04889EE9898B252D375E908CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • EnumWindows.USER32(?,00000E24,?,?), ref: 0060A10E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: EnumWindows
                                                          • String ID:
                                                          • API String ID: 1129996299-0
                                                          • Opcode ID: b3d9e29b6df27ecd0a1bb3595425395ac028c2d22ccad5cc2912c21d554adbf9
                                                          • Instruction ID: be91cb873ceae83171f343b4568c493a7f3d39d3fffa1e941815ef86d55cda32
                                                          • Opcode Fuzzy Hash: b3d9e29b6df27ecd0a1bb3595425395ac028c2d22ccad5cc2912c21d554adbf9
                                                          • Instruction Fuzzy Hash: 1521D37150D3C06FC3128B218C55B66BFB4EF87620F1984CBD884CF693D238A909CBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 0060AE51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: 3ed8268c1c86861db3a87de40fae4feafb9f57d06ee39d292e2e7425d10a73db
                                                          • Instruction ID: ec7cf9f10ba3d56ac81f79866c57e2bf14effbc5953fa714e90bea50e2aeb0b0
                                                          • Opcode Fuzzy Hash: 3ed8268c1c86861db3a87de40fae4feafb9f57d06ee39d292e2e7425d10a73db
                                                          • Instruction Fuzzy Hash: 43219C71600300AFEB20DF65DD85BA6FBE8EF18314F048869E9498B791D375E808DB72
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 00BC1327
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: DescriptorSecurity$ConvertString
                                                          • String ID:
                                                          • API String ID: 3907675253-0
                                                          • Opcode ID: e66e7ae37a0a9d5711e91db27ae84e7975c06b31576b9278831443d249d6f3b0
                                                          • Instruction ID: 93cefbd7ba186882b54e5a8c9bcd0e36e0a1f75c23683cc0a166aac139a95e01
                                                          • Opcode Fuzzy Hash: e66e7ae37a0a9d5711e91db27ae84e7975c06b31576b9278831443d249d6f3b0
                                                          • Instruction Fuzzy Hash: A5212971600244AFE720DF69DD44FAAFBECEF45314F04886AE944DBA42D774E5088BB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegQueryValueExW.KERNEL32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 00BC123C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: QueryValue
                                                          • String ID:
                                                          • API String ID: 3660427363-0
                                                          • Opcode ID: d3e843e386a280de2e8d2f95d365a74d5c3ce342c849ce3ff0db9240609349bc
                                                          • Instruction ID: 9663766b009403b123c07513e40b123b907eacff112cbc08250cec8ad525c2e5
                                                          • Opcode Fuzzy Hash: d3e843e386a280de2e8d2f95d365a74d5c3ce342c849ce3ff0db9240609349bc
                                                          • Instruction Fuzzy Hash: 76219F75505780AFE721CB15CC44F97BBF8EF56310F08849AE945DB292D325E908CB71
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegOpenKeyExW.KERNEL32(?,00000E24), ref: 0060AB05
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: Open
                                                          • String ID:
                                                          • API String ID: 71445658-0
                                                          • Opcode ID: 0c60f0ba652b9b9ed75e88f85d3054c02ac0babc4375e02daf77a7dd53a96226
                                                          • Instruction ID: a1b33f7a580fd510c322c8f2ab807e2b4e4a5e51d9750fcd14a3744855b66d06
                                                          • Opcode Fuzzy Hash: 0c60f0ba652b9b9ed75e88f85d3054c02ac0babc4375e02daf77a7dd53a96226
                                                          • Instruction Fuzzy Hash: 3C21D1B2600304AEE7209F55CC84FABFBECEF18314F04845AEA448B691D774E5098BB2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetProcessWorkingSetSize.KERNEL32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 00BC3103
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ProcessSizeWorking
                                                          • String ID:
                                                          • API String ID: 3584180929-0
                                                          • Opcode ID: 6eb55f0db28cb9c76a1b8a9e46a8f8bd8a36651ffa258f80ff65842d7bc0c719
                                                          • Instruction ID: 04bcfb78c821f74f543f62e3412cf94f49ed42b8ee4a0cfb3d9fc9a210aa7e5d
                                                          • Opcode Fuzzy Hash: 6eb55f0db28cb9c76a1b8a9e46a8f8bd8a36651ffa258f80ff65842d7bc0c719
                                                          • Instruction Fuzzy Hash: D02192715053806FE722CF21DC44FA6BFB8EF56614F0884AAE944DB252D375E908CB75
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateMutexW.KERNEL32(?,?), ref: 0060A6B9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: CreateMutex
                                                          • String ID:
                                                          • API String ID: 1964310414-0
                                                          • Opcode ID: 4d28553023abcc1651886031c526ca2ed00b52ee92f808193c57eb3c47310f3f
                                                          • Instruction ID: 61fad3a29eea9e5ab71c1d120fbd8a7e1ba6593f3e1e4c2bc91f8d0588773030
                                                          • Opcode Fuzzy Hash: 4d28553023abcc1651886031c526ca2ed00b52ee92f808193c57eb3c47310f3f
                                                          • Instruction Fuzzy Hash: 5C218075600240AFE720DF65DD85BA6FBE8EF14314F08846AE9488B781D775E909CA72
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • shutdown.WS2_32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 00BC1760
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: shutdown
                                                          • String ID:
                                                          • API String ID: 2510479042-0
                                                          • Opcode ID: a92d9db30877b433786da5ca84e1e00765961e5518b7194afcd84466df029aae
                                                          • Instruction ID: a12310aca7e14c657e47dc8e6df9d08ebc758866a4244235641cf9a377b7fffd
                                                          • Opcode Fuzzy Hash: a92d9db30877b433786da5ca84e1e00765961e5518b7194afcd84466df029aae
                                                          • Instruction Fuzzy Hash: 572195B15093806FD7128F14DC44B96BFB8EF46224F0884DBE9849B252C368A948C772
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: send
                                                          • String ID:
                                                          • API String ID: 2809346765-0
                                                          • Opcode ID: 4b728add320c14877f128d324f85d4ec67eb4b85674d7b3be531e6e4c86044e9
                                                          • Instruction ID: c02df5df8828e8f497c40a1efbbbd2c4370b946a44ec459aaf0940f488e2c7d1
                                                          • Opcode Fuzzy Hash: 4b728add320c14877f128d324f85d4ec67eb4b85674d7b3be531e6e4c86044e9
                                                          • Instruction Fuzzy Hash: E321AC7150D7C09FDB238B60DC94A52BFB4EF07210F0984DBD9848F5A3C279A919DB62
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0060B6C6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: LookupPrivilegeValue
                                                          • String ID:
                                                          • API String ID: 3899507212-0
                                                          • Opcode ID: 759e895573ee5b44598a80027dc5740f35f7e5cb99f64baa092b34bde471c852
                                                          • Instruction ID: 82928ab4115ff57326de606cb9d59f0234bd09e183b1727220f484be3f8c3314
                                                          • Opcode Fuzzy Hash: 759e895573ee5b44598a80027dc5740f35f7e5cb99f64baa092b34bde471c852
                                                          • Instruction Fuzzy Hash: A7216FB16493809FD7228F25DC54B92BFB8EF56324F0884DAED45CB293D265E808CB61
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • ReadFile.KERNEL32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 00BC0C81
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: 6915c5c28f949b3ab1addcfad5361d91b17502baca113a0265270da4838fe394
                                                          • Instruction ID: 75089465b406a6f61fb5faf95e733ee6908555ba1038fa6240e87b8fc50b0d5e
                                                          • Opcode Fuzzy Hash: 6915c5c28f949b3ab1addcfad5361d91b17502baca113a0265270da4838fe394
                                                          • Instruction Fuzzy Hash: 7A219F71505380AFDB22CF51DC44FA7BFB8EF59314F08849AE9849B652D335A908CBB2
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • RegQueryValueExW.KERNEL32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 0060A40C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: QueryValue
                                                          • String ID:
                                                          • API String ID: 3660427363-0
                                                          • Opcode ID: 2acad5f79d36f5eee3fa28255e0960c4e712f25707b8fe7ba6c0c4d4853413a4
                                                          • Instruction ID: 6f71160e9ded76839ffa8c196533cb0cee324d7a9f25a38eaaed9a8943bb0416
                                                          • Opcode Fuzzy Hash: 2acad5f79d36f5eee3fa28255e0960c4e712f25707b8fe7ba6c0c4d4853413a4
                                                          • Instruction Fuzzy Hash: 34218B75200300AEE720CE55CC84FA7B7E8EF14754F04846AE945CB691D360E809CA72
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • ioctlsocket.WS2_32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 00BC2E6F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ioctlsocket
                                                          • String ID:
                                                          • API String ID: 3577187118-0
                                                          • Opcode ID: 93cb0fdb88754cf3c2914e8c877c2c3ed15204550eac8f64ae386e3bc6f3a7e8
                                                          • Instruction ID: bf2a0d498c45fef401ca30436770ac15301f2de45620926d211f4e5fda536d49
                                                          • Opcode Fuzzy Hash: 93cb0fdb88754cf3c2914e8c877c2c3ed15204550eac8f64ae386e3bc6f3a7e8
                                                          • Instruction Fuzzy Hash: D921C371509380AFE722CF10DC84FA6BFB8EF55314F08849AE9489B252C374A908C7B2
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • SetFileAttributesW.KERNEL32(?,?,DA482954,00000000,?,?,?,?,?,?,?,?,6C8C3C58), ref: 0060ABCB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: 71833cbe874048d907e094bafd1191f15ebdaf4943fa323fe6a68b5b539e6d50
                                                          • Instruction ID: 944386e19a4487e25123b92b6b4fd462942791b61d07f81a9a9c463d3557ce0f
                                                          • Opcode Fuzzy Hash: 71833cbe874048d907e094bafd1191f15ebdaf4943fa323fe6a68b5b539e6d50
                                                          • Instruction Fuzzy Hash: 2A21C2B15093C05FEB16CF25D885B92BFE4EF06324F0984DAE9858B267D2649849CB62
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • FindCloseChangeNotification.KERNEL32(?,DA482954,00000000,?,?,?,?,?,?,?,?,6C8C3C58), ref: 0060B99C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ChangeCloseFindNotification
                                                          • String ID:
                                                          • API String ID: 2591292051-0
                                                          • Opcode ID: c7b43e89bfb1ffd26a24e11b3d43e133b69cdad7e9e8b196bcb7b39c196a8eb9
                                                          • Instruction ID: 8fe750eaed194de353263dd42bf18daf22b95c5407a3ff18238fce4f17314625
                                                          • Opcode Fuzzy Hash: c7b43e89bfb1ffd26a24e11b3d43e133b69cdad7e9e8b196bcb7b39c196a8eb9
                                                          • Instruction Fuzzy Hash: BB21C3B25093C05FDB128F25DC54692BFB4AF07324F0984DBE9858F663D2749908CB62
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • WSASocketW.WS2_32(?,?,?,?,?), ref: 00BC0EF6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: Socket
                                                          • String ID:
                                                          • API String ID: 38366605-0
                                                          • Opcode ID: ccbe7fd9fc065005da65a028807c120f8f10b2f94720d79eff6777731c18e190
                                                          • Instruction ID: 59663b4ea837409557854e148bd928123d99f0108c40b2889fad85349c1a931e
                                                          • Opcode Fuzzy Hash: ccbe7fd9fc065005da65a028807c120f8f10b2f94720d79eff6777731c18e190
                                                          • Instruction Fuzzy Hash: 6C21D171500200AFEB21DF55DD84FA6FBE8EF08320F0488AEEA498B651D375E418CB72
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 00BC1BF2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: Connect
                                                          • String ID:
                                                          • API String ID: 3144859779-0
                                                          • Opcode ID: 263d7002f850fd485f5d15e2490980b53dffc9701576c9f7cb817c25052ffdc6
                                                          • Instruction ID: d548ff0656671423644d0d3ede57d57dd4b570c46bb02c2e09a3804c906486d0
                                                          • Opcode Fuzzy Hash: 263d7002f850fd485f5d15e2490980b53dffc9701576c9f7cb817c25052ffdc6
                                                          • Instruction Fuzzy Hash: F8216F71508780AFDB228F55DC44B62BFF4EF0A310F0888DAE9859B663D275A819DB61
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: FileView
                                                          • String ID:
                                                          • API String ID: 3314676101-0
                                                          • Opcode ID: dfd3c4e0a8019641222dd1f255bcfc57684e38b9c28f1de89b33a75e0fda9f5c
                                                          • Instruction ID: 0e28f906b5830b93a18f322ea3323d06862902efdcfe7529fc7780b056d37bf4
                                                          • Opcode Fuzzy Hash: dfd3c4e0a8019641222dd1f255bcfc57684e38b9c28f1de89b33a75e0fda9f5c
                                                          • Instruction Fuzzy Hash: B121A171500200AFEB21CF55DD85FA6FBE8EF19324F0488ADE9499B652D375E508CB62
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(?,00000E24), ref: 00BC1FBB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 236075ce8a734ca5b62f1aa36d19c77e6e470a6b3b2e70ad6f2186dd5f4c6f35
                                                          • Instruction ID: 0bb4204fdb0ec06f2ffc5ec121bbb5281159832bba80dc90e7331250ae6e1665
                                                          • Opcode Fuzzy Hash: 236075ce8a734ca5b62f1aa36d19c77e6e470a6b3b2e70ad6f2186dd5f4c6f35
                                                          • Instruction Fuzzy Hash: DD11B1715053806FE721CB15DC85FA6FFB8DF56720F08849AFA489B292D364A948CB62
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • RegSetValueExW.KERNEL32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 0060A4F8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: b0ef1307c76eebaac09803577456834e5f070f5373ee629350482a8ad4bfd815
                                                          • Instruction ID: f662e03d0dc76b4045f89e73f64e98fa0cf04e3050e4bf106a35efdb67de4ca5
                                                          • Opcode Fuzzy Hash: b0ef1307c76eebaac09803577456834e5f070f5373ee629350482a8ad4bfd815
                                                          • Instruction Fuzzy Hash: 0F11B1B6640700AFE7218F55DC45FA7BBECEF18714F04845AED458A781D370E808CAB2
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • RegQueryValueExW.KERNEL32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 00BC123C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: QueryValue
                                                          • String ID:
                                                          • API String ID: 3660427363-0
                                                          • Opcode ID: 4c61b3037e4231f259aa1b7bbc1c36d28fd90d9ff0d2735a26c0ca1061948a29
                                                          • Instruction ID: 56671cbfd3470094ca9a7943e17628e1ba58d2fcfc0f0b3fa31edb1028f691c9
                                                          • Opcode Fuzzy Hash: 4c61b3037e4231f259aa1b7bbc1c36d28fd90d9ff0d2735a26c0ca1061948a29
                                                          • Instruction Fuzzy Hash: EA11A275600600AFE720CF15CC84FA6F7E8EF15724F14889AE945DA652D760E908CAB1
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • CopyFileW.KERNEL32(?,?,?,DA482954,00000000,?,?,?,?,?,?,?,?,6C8C3C58), ref: 0060AD52
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: CopyFile
                                                          • String ID:
                                                          • API String ID: 1304948518-0
                                                          • Opcode ID: 3c7f164f417d2ec527954fe784db5c70778a036ef0bf19a3cdf34f65415ca134
                                                          • Instruction ID: 15f0097d7ddb16d85559eabcf818dee767dfe8c46d1682d18816d8b287d95b68
                                                          • Opcode Fuzzy Hash: 3c7f164f417d2ec527954fe784db5c70778a036ef0bf19a3cdf34f65415ca134
                                                          • Instruction Fuzzy Hash: FD1184B16453805FD721CF65DC85B97BFE8EF06310F0884AAE985CB692D274E808CB62
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • FindCloseChangeNotification.KERNEL32(?,DA482954,00000000,?,?,?,?,?,?,?,?,6C8C3C58,?), ref: 0060A780
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ChangeCloseFindNotification
                                                          • String ID:
                                                          • API String ID: 2591292051-0
                                                          • Opcode ID: 6181b9cbc03b00e6457ed6822f96a26bcaef45ce2674659b13a935e1e0689363
                                                          • Instruction ID: 72f225177c13121389c14426f8eeb261eda24d09381864c51370db8f57e4ce20
                                                          • Opcode Fuzzy Hash: 6181b9cbc03b00e6457ed6822f96a26bcaef45ce2674659b13a935e1e0689363
                                                          • Instruction Fuzzy Hash: BB21E4B55043809FD711CF55DD85792BFB8EF02324F09849BED458B693D3349909CBA2
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • GetProcessTimes.KERNEL32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 00BC1939
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ProcessTimes
                                                          • String ID:
                                                          • API String ID: 1995159646-0
                                                          • Opcode ID: 3b2d123ec31c61be328ea2059583cea4759082111e9cd1ae78fe014c56d1acd1
                                                          • Instruction ID: bc365423eac306313a50a0e84077f5a9ec286c3c6a872575456cf00f3cb51c94
                                                          • Opcode Fuzzy Hash: 3b2d123ec31c61be328ea2059583cea4759082111e9cd1ae78fe014c56d1acd1
                                                          • Instruction Fuzzy Hash: 2A11E672600200AFFB218F55DC84FAAFBE8EF15314F04886AE945DB651D375E5098BB1
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • SetProcessWorkingSetSize.KERNEL32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 00BC3103
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ProcessSizeWorking
                                                          • String ID:
                                                          • API String ID: 3584180929-0
                                                          • Opcode ID: 65fc23887b6ee0961627258aa87d07227d363494e9dbd4a4be397566ff08464a
                                                          • Instruction ID: 781241d290e3465eeafb04de44de64e6b5adcbf187851ad039f539e981f2fd94
                                                          • Opcode Fuzzy Hash: 65fc23887b6ee0961627258aa87d07227d363494e9dbd4a4be397566ff08464a
                                                          • Instruction Fuzzy Hash: 0911C471600200AFE721CF15DC85FAAB7E8EF14724F08C4AAEA45DB641D775E5088BB1
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • GetProcessWorkingSetSize.KERNEL32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 00BC301F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ProcessSizeWorking
                                                          • String ID:
                                                          • API String ID: 3584180929-0
                                                          • Opcode ID: 65fc23887b6ee0961627258aa87d07227d363494e9dbd4a4be397566ff08464a
                                                          • Instruction ID: cca745a323ce76ab815b1ec26259d98e89767418a10415a78bff22cc604dd85d
                                                          • Opcode Fuzzy Hash: 65fc23887b6ee0961627258aa87d07227d363494e9dbd4a4be397566ff08464a
                                                          • Instruction Fuzzy Hash: 9711C472600200AFEB20CF15DC84FAAF7E8EF14724F04C4AAEE45CB641D775E5488AB1
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • GetExitCodeProcess.KERNEL32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 0060BB64
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: CodeExitProcess
                                                          • String ID:
                                                          • API String ID: 3861947596-0
                                                          • Opcode ID: 2c8ad47442ac0d13d71e8f4cfeb0f5786ad4bb4517dc35fbe2273ce665e67ab2
                                                          • Instruction ID: 30b8da4a679649ecd0e89041e6cbe569677743a09602427803d21372339bb29c
                                                          • Opcode Fuzzy Hash: 2c8ad47442ac0d13d71e8f4cfeb0f5786ad4bb4517dc35fbe2273ce665e67ab2
                                                          • Instruction Fuzzy Hash: E111E371600200AFEB208F15DC85BABB7A8DF44324F14C46AED04CB685D774E908CAB2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • K32EnumProcesses.KERNEL32(?,?,?,DA482954,00000000,?,?,?,?,?,?,?,?,6C8C3C58), ref: 0060BE46
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: EnumProcesses
                                                          • String ID:
                                                          • API String ID: 84517404-0
                                                          • Opcode ID: f8c3e2329b7f3c07ecadee6e303e4247a6920e985aa1199b9cb184e8047eb265
                                                          • Instruction ID: 276f5ecee06c9ad8d68b9cf32bccb961e4cbc6a31d7584d11fc1751ab436e0e0
                                                          • Opcode Fuzzy Hash: f8c3e2329b7f3c07ecadee6e303e4247a6920e985aa1199b9cb184e8047eb265
                                                          • Instruction Fuzzy Hash: 861172715053809FD711CF65DC84B96BFE8EF05210F0884AAED45CB262D274A908CB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ReadFile.KERNEL32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 00BC0C81
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: 4be10d3731e315515aef55f206f2bc588f31a25f814845ea9dd1b5a3b0d14296
                                                          • Instruction ID: 63672856795d5cda9d6588f3bc59ae6a43100e2e236ceb474ab6ef410857757d
                                                          • Opcode Fuzzy Hash: 4be10d3731e315515aef55f206f2bc588f31a25f814845ea9dd1b5a3b0d14296
                                                          • Instruction Fuzzy Hash: 48110471600200AFEB21CF54DC80FA7FBE8EF18314F0484AAEA448B641C335E5088BB2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ioctlsocket.WS2_32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 00BC2E6F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ioctlsocket
                                                          • String ID:
                                                          • API String ID: 3577187118-0
                                                          • Opcode ID: ab590aa91c3dde49113bc5efb58a9246ca6e360933b8b2fd3345f6894fde5159
                                                          • Instruction ID: b26e9c6f160b25879c21b450b7d8178549e38cf78760d59fccead7d73e6a7b04
                                                          • Opcode Fuzzy Hash: ab590aa91c3dde49113bc5efb58a9246ca6e360933b8b2fd3345f6894fde5159
                                                          • Instruction Fuzzy Hash: 6911E371600200AFE720CF14DC84FA6FBE8EF54324F04C4AAEE489B641C374E5088AB2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • FindCloseChangeNotification.KERNEL32(?,DA482954,00000000,?,?,?,?,?,?,?,?,6C8C3C58), ref: 0060AA14
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ChangeCloseFindNotification
                                                          • String ID:
                                                          • API String ID: 2591292051-0
                                                          • Opcode ID: b7fcf15075cc80d3e9c7d4e2efeec3a82cf2f871b76d77f8e84473083cee2fd8
                                                          • Instruction ID: 44f2d7a5e03eec0667314c299e1df7afe1a91468e3f54e0963222535eb1782f5
                                                          • Opcode Fuzzy Hash: b7fcf15075cc80d3e9c7d4e2efeec3a82cf2f871b76d77f8e84473083cee2fd8
                                                          • Instruction Fuzzy Hash: 13116D715493C09FDB128F65DD44A92BFB4EF47220F0884DAED848F293C279A948DB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • shutdown.WS2_32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 00BC1760
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: shutdown
                                                          • String ID:
                                                          • API String ID: 2510479042-0
                                                          • Opcode ID: 3109632e9a6957e5142fd189b5ea8a9709a7f87418792fa5c71e39e6435e878b
                                                          • Instruction ID: dcc6baa5144ee7690c56d369d2d88f3f8b367f26f52ebe4b9a9cfd771265b3b8
                                                          • Opcode Fuzzy Hash: 3109632e9a6957e5142fd189b5ea8a9709a7f87418792fa5c71e39e6435e878b
                                                          • Instruction Fuzzy Hash: 1C11C6B5600200AFEB21CF15DC84FA6B7E8DF59724F14C8AAED449B641D774E9088AB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetErrorMode.KERNEL32(?,DA482954,00000000,?,?,?,?,?,?,?,?,6C8C3C58), ref: 0060A330
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode
                                                          • String ID:
                                                          • API String ID: 2340568224-0
                                                          • Opcode ID: 418662241d877ed3d0eacb54cc07967f65f9377bc6a02195f940f64503c75d5e
                                                          • Instruction ID: b752e831b5eb6cd1dcf2f18dbbb7020f32118088e60039e503ba6b838a97d48b
                                                          • Opcode Fuzzy Hash: 418662241d877ed3d0eacb54cc07967f65f9377bc6a02195f940f64503c75d5e
                                                          • Instruction Fuzzy Hash: E11191715493C06FDB228B25DC54A62BFB4DF47224F0D80DBED848F2A3C265A918D772
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BC01D6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 4ed7dba4f146faee9894adfd1c270be6f0ab25c378a98213f75965fc73f5081b
                                                          • Instruction ID: 9e6388bca45e4016f183bf17a52633ed2b3c1b9f45411fbe61560c51795f5f4a
                                                          • Opcode Fuzzy Hash: 4ed7dba4f146faee9894adfd1c270be6f0ab25c378a98213f75965fc73f5081b
                                                          • Instruction Fuzzy Hash: EC119371504780AFDB218F51DD44B52FFF4EF4A320F08889EEA858B562C275A819DB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryA.KERNEL32(?,00000E24), ref: 00BC1FBB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 5efc23cd19089d46d4f65f978f1b6e72db7172bccf2ed8cb9899df100806928a
                                                          • Instruction ID: 3fba81e1b811b0c9b8f3d4e220448af470109860aa5a2003bb8781c0f3ef44ec
                                                          • Opcode Fuzzy Hash: 5efc23cd19089d46d4f65f978f1b6e72db7172bccf2ed8cb9899df100806928a
                                                          • Instruction Fuzzy Hash: F311E571600200AEE720DB15DD81FB6FBE8DF15724F14C49DEE485A781D3B4E908CAA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: select
                                                          • String ID:
                                                          • API String ID: 1274211008-0
                                                          • Opcode ID: a0eaba14356df9777cd2e9eb30d97f83d337fb75d152f0d5434e2f3be84f1e6b
                                                          • Instruction ID: ace3659c9377e105f50a49f4de54fcdd70c4ea132ace4d48ef06990704087eb1
                                                          • Opcode Fuzzy Hash: a0eaba14356df9777cd2e9eb30d97f83d337fb75d152f0d5434e2f3be84f1e6b
                                                          • Instruction Fuzzy Hash: 4011E9756002449FDB20CF59D984FA6FBF8EF04710F0884AEDD49CB651D775E948CA61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0060B6C6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: LookupPrivilegeValue
                                                          • String ID:
                                                          • API String ID: 3899507212-0
                                                          • Opcode ID: 5428458a75e3a12518e763ca45dfbbc1b1b2b543dcddb0f9cb90fc62cd05e638
                                                          • Instruction ID: d920bd6a0e6f96f2ee2f558ccc78b087becea4be5b18dca9a31e9cc57278daeb
                                                          • Opcode Fuzzy Hash: 5428458a75e3a12518e763ca45dfbbc1b1b2b543dcddb0f9cb90fc62cd05e638
                                                          • Instruction Fuzzy Hash: 7D1170716102408FEB24CF29D884BA6BBE8EF04324F08C46AED45CB781D375E804CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CopyFileW.KERNEL32(?,?,?,DA482954,00000000,?,?,?,?,?,?,?,?,6C8C3C58), ref: 0060AD52
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: CopyFile
                                                          • String ID:
                                                          • API String ID: 1304948518-0
                                                          • Opcode ID: 5428458a75e3a12518e763ca45dfbbc1b1b2b543dcddb0f9cb90fc62cd05e638
                                                          • Instruction ID: 1f042978ad0ba999cc1cf0bc6efcbf3a69178bb4d650e1f713c4eda5cb36177c
                                                          • Opcode Fuzzy Hash: 5428458a75e3a12518e763ca45dfbbc1b1b2b543dcddb0f9cb90fc62cd05e638
                                                          • Instruction Fuzzy Hash: 4E1170B26403009FDB24CF69D985757BBE8EF04351F08846ADD45CBB81D674D804CA62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetFileType.KERNEL32(?,00000E24,DA482954,00000000,00000000,00000000,00000000), ref: 0060AF3D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: FileType
                                                          • String ID:
                                                          • API String ID: 3081899298-0
                                                          • Opcode ID: 313104f1a0c7ce33cbe815f3ba49530a6a501f13b2a6b2dbd6701c292f0d9cff
                                                          • Instruction ID: 88204a115815acd1ece00802f3b63a27fb94d68dc36f9ce8d3446215f077114e
                                                          • Opcode Fuzzy Hash: 313104f1a0c7ce33cbe815f3ba49530a6a501f13b2a6b2dbd6701c292f0d9cff
                                                          • Instruction Fuzzy Hash: BB01D6B5640300AEE720CF55DD84BA7F7E8DF14724F14C0A6EE448B781D374E5098AB6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WaitForInputIdle.USER32(?,?), ref: 0060A96F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: IdleInputWait
                                                          • String ID:
                                                          • API String ID: 2200289081-0
                                                          • Opcode ID: fdb02b3ab5f546322d7929902dbdcbc7d620a8fc8f24ad332af5bf76622313f3
                                                          • Instruction ID: 7876068fbb049eb484fa9030b5e3c7a4aaf4d817eec13c8bffedb8b9fb93bb64
                                                          • Opcode Fuzzy Hash: fdb02b3ab5f546322d7929902dbdcbc7d620a8fc8f24ad332af5bf76622313f3
                                                          • Instruction Fuzzy Hash: BB11A0715483809FDB118F55DD84B92FFB4EF46320F0984DAED848F262D279A809CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • K32EnumProcesses.KERNEL32(?,?,?,DA482954,00000000,?,?,?,?,?,?,?,?,6C8C3C58), ref: 0060BE46
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: EnumProcesses
                                                          • String ID:
                                                          • API String ID: 84517404-0
                                                          • Opcode ID: 61e94e7def2533ef99346eb96b9fcef997a229f0f06beed312c10d9fd04939a0
                                                          • Instruction ID: 093b864012293b7b475c0137533dcc2e58a425504b0fb66b9f89adc9c32416e0
                                                          • Opcode Fuzzy Hash: 61e94e7def2533ef99346eb96b9fcef997a229f0f06beed312c10d9fd04939a0
                                                          • Instruction Fuzzy Hash: D51161716006449FEB24CF25D984BA6FBE4EF04760F08C4AADE49CB795D375E908CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 00BC1BF2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: Connect
                                                          • String ID:
                                                          • API String ID: 3144859779-0
                                                          • Opcode ID: a126ab5c9d2929d250bf11b18bb54dd56628dcb596d6b0e38412db6ebed1d311
                                                          • Instruction ID: 4387466b26991afee42e3040f3ec9bd4db2047cce7d3a7a61eceb94f40651002
                                                          • Opcode Fuzzy Hash: a126ab5c9d2929d250bf11b18bb54dd56628dcb596d6b0e38412db6ebed1d311
                                                          • Instruction Fuzzy Hash: 081170716006409FDB20CF59D984B62FBE4EF09310F0888AAEE459B652D335E818DF62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetFileAttributesW.KERNEL32(?,?,DA482954,00000000,?,?,?,?,?,?,?,?,6C8C3C58), ref: 0060ABCB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: 8b5ff54098a5bd03883cd1376b6eae66e8721a2be90463ae64beb750dc2f9b51
                                                          • Instruction ID: e7eda35d040dad23d14cfe2721aa065cdc4975677db2c6eca50bfa5746e29657
                                                          • Opcode Fuzzy Hash: 8b5ff54098a5bd03883cd1376b6eae66e8721a2be90463ae64beb750dc2f9b51
                                                          • Instruction Fuzzy Hash: BD0184716403409FEB24CF55D984766FBE5EF04360F0884AADD45CB781D675D844CA62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • EnumWindows.USER32(?,00000E24,?,?), ref: 0060A10E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: EnumWindows
                                                          • String ID:
                                                          • API String ID: 1129996299-0
                                                          • Opcode ID: b441f884bf0d570af35aaa2588532432249a31f8645551bef997afea7dd1f260
                                                          • Instruction ID: ad1cb5a2ef29531f03be5172eaf4e2458e7939320f3a4f1a77444aff349f7b04
                                                          • Opcode Fuzzy Hash: b441f884bf0d570af35aaa2588532432249a31f8645551bef997afea7dd1f260
                                                          • Instruction Fuzzy Hash: 0B015EB1600200ABD310DF16DD45B76FBA8FB88A20F14855AED089BB41D735F915CBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetVolumeInformationA.KERNEL32(?,00000E24,?,?), ref: 00BC1D16
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: InformationVolume
                                                          • String ID:
                                                          • API String ID: 2039140958-0
                                                          • Opcode ID: babd1bdc40c389f2f51ec55f88ca4f1870c2dc5a8f808475f7e4a69088a93b0e
                                                          • Instruction ID: d8a1b680722184826520812d70a61ba1f51264ec10ece2976e5da73c5a6653f1
                                                          • Opcode Fuzzy Hash: babd1bdc40c389f2f51ec55f88ca4f1870c2dc5a8f808475f7e4a69088a93b0e
                                                          • Instruction Fuzzy Hash: 15015EB1600200ABD350DF16DD45B76FBA8FB88A20F14855AED089BB41D735F915CBE5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BC01D6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 2ce3ac6a71b8657dc1ef5d89a69718c72852a241bf6b0eef83effb04c13ff8a3
                                                          • Instruction ID: 3555b881ba7364f83551d813c1d751ecaabf9e48b31eae0a44bda9446dc8c665
                                                          • Opcode Fuzzy Hash: 2ce3ac6a71b8657dc1ef5d89a69718c72852a241bf6b0eef83effb04c13ff8a3
                                                          • Instruction Fuzzy Hash: 6A018E31500700DFDB218F55D984B52FBE0EF08314F0888AAEE459A611C235E418DF62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • FindCloseChangeNotification.KERNEL32(?,DA482954,00000000,?,?,?,?,?,?,?,?,6C8C3C58), ref: 0060B99C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ChangeCloseFindNotification
                                                          • String ID:
                                                          • API String ID: 2591292051-0
                                                          • Opcode ID: 9b2941f30fcfa46e51ee9776281d58f54b0f4c0a292dc1f1a6c70960537eb3e9
                                                          • Instruction ID: 86acc466c788a0f100e354ad15c8bfc8bb1fc0f2f3254a4d034a54f749aa31b9
                                                          • Opcode Fuzzy Hash: 9b2941f30fcfa46e51ee9776281d58f54b0f4c0a292dc1f1a6c70960537eb3e9
                                                          • Instruction Fuzzy Hash: 7901D4716002408FDB10CF19E984796FBE4EF05324F08C4AADE498F785C375E908CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • FindCloseChangeNotification.KERNEL32(?,DA482954,00000000,?,?,?,?,?,?,?,?,6C8C3C58,?), ref: 0060A780
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ChangeCloseFindNotification
                                                          • String ID:
                                                          • API String ID: 2591292051-0
                                                          • Opcode ID: b572ba502b63a6d7bb3df724354ec5f238b6e4cea6f78eb39f1b7f8a0ba81b8e
                                                          • Instruction ID: 31ff96e76b157153e8318379041a1350f109b36920e98117a052d45929b8f34b
                                                          • Opcode Fuzzy Hash: b572ba502b63a6d7bb3df724354ec5f238b6e4cea6f78eb39f1b7f8a0ba81b8e
                                                          • Instruction Fuzzy Hash: 8E01D4756003408FEB108F55D9847A6FBE4DF04320F08C4ABDD458B782D275E408CEA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegQueryValueExW.KERNEL32(?,00000E24,?,?), ref: 00BC0E3E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081928156.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bc0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: QueryValue
                                                          • String ID:
                                                          • API String ID: 3660427363-0
                                                          • Opcode ID: 2dd38e4720f4b90e89621e633d68895ea7377a0fc657c108bc0e127b89c93939
                                                          • Instruction ID: 4a9cd30b3d901c7aa871ac7c90aae4951d5f376addae26026adde534463750a3
                                                          • Opcode Fuzzy Hash: 2dd38e4720f4b90e89621e633d68895ea7377a0fc657c108bc0e127b89c93939
                                                          • Instruction Fuzzy Hash: A901A271600200ABD310DF16DC46B76FBE8FB88A20F14811AED089BB41D771F915CBE6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: send
                                                          • String ID:
                                                          • API String ID: 2809346765-0
                                                          • Opcode ID: ecde1a8e6cdb03ff433cfa4b5c4a63aeb0120ad4d2ef0359d6a2bea24b12d76a
                                                          • Instruction ID: b3ecde616e9729665319d67ab324c9dee96c9b169fb9c3c959645984b25dd173
                                                          • Opcode Fuzzy Hash: ecde1a8e6cdb03ff433cfa4b5c4a63aeb0120ad4d2ef0359d6a2bea24b12d76a
                                                          • Instruction Fuzzy Hash: 31019E715443409FDB20CF55D984B62FBE0EF04360F08C8AADE498B651C275E418DBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WaitForInputIdle.USER32(?,?), ref: 0060A96F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: IdleInputWait
                                                          • String ID:
                                                          • API String ID: 2200289081-0
                                                          • Opcode ID: 5198431fabcc79c4fea118c36c08ee19ddc13cf058fc69fdac85e52343bcb97f
                                                          • Instruction ID: 1416da9bae6ba5b69edac52ad62e2e0eb71a19a15bb81af2876eb6de122d1dee
                                                          • Opcode Fuzzy Hash: 5198431fabcc79c4fea118c36c08ee19ddc13cf058fc69fdac85e52343bcb97f
                                                          • Instruction Fuzzy Hash: 8A018471A042409FDB10CF55D984766FBE5EF04324F08C8AADD448B755D275D408CAA3
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • FindCloseChangeNotification.KERNEL32(?,DA482954,00000000,?,?,?,?,?,?,?,?,6C8C3C58), ref: 0060AA14
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ChangeCloseFindNotification
                                                          • String ID:
                                                          • API String ID: 2591292051-0
                                                          • Opcode ID: de43c55fcb03398405db9ca219ca3671d9505c7e5ec813527c1372abd8f1bb59
                                                          • Instruction ID: 15b4bcda9ae84e7b6d2d0ca369ee6ba512108de049e9fda2f5eba6e60af11347
                                                          • Opcode Fuzzy Hash: de43c55fcb03398405db9ca219ca3671d9505c7e5ec813527c1372abd8f1bb59
                                                          • Instruction Fuzzy Hash: FF01A2716403409FDB20CF55DA84762FBE4EF44324F08C4AADD498F786D279E408CA62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetErrorMode.KERNEL32(?,DA482954,00000000,?,?,?,?,?,?,?,?,6C8C3C58), ref: 0060A330
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081364218.000000000060A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_60a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode
                                                          • String ID:
                                                          • API String ID: 2340568224-0
                                                          • Opcode ID: e9cb5fd2b398b8a4eaad36f672ace33b13cc92b119f180f5fea97eb5aca8d046
                                                          • Instruction ID: 0db1652c6b4e051355d6a9f1421005b86e3c0c1549730c7f6364408b5fc78644
                                                          • Opcode Fuzzy Hash: e9cb5fd2b398b8a4eaad36f672ace33b13cc92b119f180f5fea97eb5aca8d046
                                                          • Instruction Fuzzy Hash: 91F081759443409FDB248F19D984762FBA0EF04764F08C0AADD494B792D275E808CAA3
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081941915.0000000000BD0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bd0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 56de7c32b55ca5b5fec773a1fad2ab583bf9cdfe9f714df067edec2d46a66215
                                                          • Instruction ID: 3484044557360b8c88fcb0fcafe671793c6dd41e91461087ad2bb8f0ef261fa6
                                                          • Opcode Fuzzy Hash: 56de7c32b55ca5b5fec773a1fad2ab583bf9cdfe9f714df067edec2d46a66215
                                                          • Instruction Fuzzy Hash: D5214C7150D7C09FD7138B24D991B62BFB8EF03614F0A88DBD9848F663C2295808CB72
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081941915.0000000000BD0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bd0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0f14f5892f200518bbf8a86fdbfbe029d6d8f9d682af08862aae58f2c30fcc2c
                                                          • Instruction ID: 35307727e43f639f5190e18fc63e04654e2cc8b580c7368359af45610ac8690c
                                                          • Opcode Fuzzy Hash: 0f14f5892f200518bbf8a86fdbfbe029d6d8f9d682af08862aae58f2c30fcc2c
                                                          • Instruction Fuzzy Hash: 8121A4715097C0AFD712CF18DC94B52FFE8EB02714F0988DBE9449B653D269A808C7A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4083807654.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5110000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fd67a69ed586f11c5cae9ccb0ce4046e6d8681c09356895892058073a6d17aca
                                                          • Instruction ID: 390cd63d02b5588b1a20dea0fbc80a401389fa508731a46ed10d9c8aaecb42b6
                                                          • Opcode Fuzzy Hash: fd67a69ed586f11c5cae9ccb0ce4046e6d8681c09356895892058073a6d17aca
                                                          • Instruction Fuzzy Hash: A011CEB5608341AFD350CF19D940A5BFBE4FB88664F04896EF998D7311D231E9088FA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081941915.0000000000BD0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bd0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1200378a80cab8e13dd4cd6bcae2d22f345390b7780fcf938e3e8676424d81c0
                                                          • Instruction ID: 9a4978ff447154c419b057765fb916f9d63b45078f7877f6ebe7aed27806ce4d
                                                          • Opcode Fuzzy Hash: 1200378a80cab8e13dd4cd6bcae2d22f345390b7780fcf938e3e8676424d81c0
                                                          • Instruction Fuzzy Hash: 3211E4302142809FE311DB18D590B25FBE5EB89718F24C9EEE8490B753D73BD842CA41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081941915.0000000000BD0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bd0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 882a278362c4221a8f89f927d3d877134c804e0931212dc0bad7b6872163d96b
                                                          • Instruction ID: 56e7edc54342e037410fb701f2af894351e38fdd5b20a184e36440460951528d
                                                          • Opcode Fuzzy Hash: 882a278362c4221a8f89f927d3d877134c804e0931212dc0bad7b6872163d96b
                                                          • Instruction Fuzzy Hash: C1215E315093C48FC703CB20C960B55BFB2EF56318F1986DED4859B653D33A9806CB52
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081628580.000000000081A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_81a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6dcc5a0a287280fedb43fad3ef82a3f53aa5f75bed939c601291998b1480d670
                                                          • Instruction ID: ca84f031b123974c35b301aec02543ed81f4e38fec7d365ed710858869e32973
                                                          • Opcode Fuzzy Hash: 6dcc5a0a287280fedb43fad3ef82a3f53aa5f75bed939c601291998b1480d670
                                                          • Instruction Fuzzy Hash: 9911C0B5608301AFD350CF19DD41E5BFBE8EB88660F148D6EF95997311D271E9088FA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081941915.0000000000BD0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bd0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b83892f2c806fc00744f05a98d16e217d1e691aafdcd9d451efb3e9420d0436c
                                                          • Instruction ID: 1a20d4857cd1cd9961440d1a79c6f91119c0c4186be57767bdfd4e85e3d56321
                                                          • Opcode Fuzzy Hash: b83892f2c806fc00744f05a98d16e217d1e691aafdcd9d451efb3e9420d0436c
                                                          • Instruction Fuzzy Hash: 0A01B171608680EED7118F19DAC0762FBE4EB45724F08C8ABDE494BB01D3799848CBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081941915.0000000000BD0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bd0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 62da5f94af26c5af75d547a16a6620827f3e325373d4cbd0a78a2f02c19554a4
                                                          • Instruction ID: a6dc531d6f816b799ce65fa811562165bae4768232da135e088a1ab413daa3b7
                                                          • Opcode Fuzzy Hash: 62da5f94af26c5af75d547a16a6620827f3e325373d4cbd0a78a2f02c19554a4
                                                          • Instruction Fuzzy Hash: A10162B65097805FD7128F15AD418A2BFB8EF8662070984EBE9498B612D225B909CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081941915.0000000000BD0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bd0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e98923c3d1ea22da9be8346e03fd0310872bdf3a94fd5444d8394cfb273c2f72
                                                          • Instruction ID: 061e21c19f089b9bd6ee9bcec994c4e8f8237e10e8889ed33bb239e9caaebc79
                                                          • Opcode Fuzzy Hash: e98923c3d1ea22da9be8346e03fd0310872bdf3a94fd5444d8394cfb273c2f72
                                                          • Instruction Fuzzy Hash: 7DF0FB35104645DFC205CF04D580B15FBE2FB89718F24CAA9E94907752C73BE812DA81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081941915.0000000000BD0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bd0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: da36a59205e72fcf05faa1349bc4d028ac27696ddf5c876c2733ca77b0104ba4
                                                          • Instruction ID: 03f00fb78f48ab4f7b00f1cb094534208e10ca89db4c07fa20673a463be66e7e
                                                          • Opcode Fuzzy Hash: da36a59205e72fcf05faa1349bc4d028ac27696ddf5c876c2733ca77b0104ba4
                                                          • Instruction Fuzzy Hash: 73E092B66006404B9650CF0AFD41462F7D8EB84630708C47FDD0D8B701D235B509CAA6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4083807654.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5110000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f1e27811e420e3a946488b2c2973e7a79ede9666f8397036b2d468b711d7b3e7
                                                          • Instruction ID: a8b6c9dcdf9b0ee741927c1a144b00ab752fabf1aee1a476ad481264f6ad8a6a
                                                          • Opcode Fuzzy Hash: f1e27811e420e3a946488b2c2973e7a79ede9666f8397036b2d468b711d7b3e7
                                                          • Instruction Fuzzy Hash: 0BE0D8F264020067D2508F0AAC45F62FB9CDB44A31F04C467EE081B741D171B51889E2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4083807654.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5110000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 35e53689726b0486973ec5b370a4dd62f77e92229ae6bafc3a22e1b10c311225
                                                          • Instruction ID: 2a4c91fba30e0454f86d9d78cc88de48ebe1340336bca01e7398c2eaaa125e82
                                                          • Opcode Fuzzy Hash: 35e53689726b0486973ec5b370a4dd62f77e92229ae6bafc3a22e1b10c311225
                                                          • Instruction Fuzzy Hash: C6E0D8F260020067D2509F0AAC45F63FB98DB40A30F08C467EE081B701D172B518C9E2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081628580.000000000081A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_81a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b6c1df5581df64d0aa68794c0910ee533f7a4477a4a8b5747e64aec10facfa05
                                                          • Instruction ID: bd89b183f930aee56e0ec6f77d578757446d2d69e5a06e66180f4016d9178910
                                                          • Opcode Fuzzy Hash: b6c1df5581df64d0aa68794c0910ee533f7a4477a4a8b5747e64aec10facfa05
                                                          • Instruction Fuzzy Hash: 0DE020F264020467D2508F06EC45F63FB9CDB44A31F04C567EE085F701D171B50889F2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081351710.0000000000602000.00000040.00000800.00020000.00000000.sdmp, Offset: 00602000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_602000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5bebc3fbf2bef446841490121b93779a66ab9c332576a6f161bd1ddf1e546940
                                                          • Instruction ID: 3160b9750afbd3fc95ad3fd2bdf5bb17c5390f88f27fa2a3edd0a68f7792f24f
                                                          • Opcode Fuzzy Hash: 5bebc3fbf2bef446841490121b93779a66ab9c332576a6f161bd1ddf1e546940
                                                          • Instruction Fuzzy Hash: 27D02E792416C24FD32A8A0CC2A8BC637D4AF40704F0A04F9AC00CB7A3C768D8C1C200
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4081351710.0000000000602000.00000040.00000800.00020000.00000000.sdmp, Offset: 00602000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_602000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8b6e0399281cc775d7207225aa35d18825810d58e671afc52a58cbb9a5ab8551
                                                          • Instruction ID: 0a3f8abb4e2e834e8a1fa569f974f6d7c2f585f0129900532cbd98fc42117d63
                                                          • Opcode Fuzzy Hash: 8b6e0399281cc775d7207225aa35d18825810d58e671afc52a58cbb9a5ab8551
                                                          • Instruction Fuzzy Hash: D3D05E342402824FCB2DDA0CD2E8F9A37D9AF40714F1A44E8AC108B7A2C7B8DCC1DA00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Execution Graph

                                                           Execution Coverage: 8.7%
                                                           Dynamic/Decrypted Code Coverage: 100%
                                                           Signature Coverage: 0%
                                                           Total number of Nodes: 12
                                                           Total number of Limit Nodes: 0
                                                           Execution graph (node: address, with the API called at that node; arrows are the graph edges):
                                                           • 610: c9a361 -> 611: c9a392 (RegQueryValueExW) -> 613: c9a41b
                                                           • 614: c9a462 -> 616: c9a486 (RegSetValueExW) -> 617: c9a507
                                                           • 618: c9a612 -> 620: c9a646 (CreateMutexW) -> 621: c9a6c1
                                                           • 602: c9a646 -> 603: c9a67e (CreateMutexW) -> 605: c9a6c1

                                                          Callgraph

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 0 c9a612-c9a695 4 c9a69a-c9a6a3 0->4 5 c9a697 0->5 6 c9a6a8-c9a6b1 4->6 7 c9a6a5 4->7 5->4 8 c9a6b3-c9a6d7 CreateMutexW 6->8 9 c9a702-c9a707 6->9 7->6 12 c9a709-c9a70e 8->12 13 c9a6d9-c9a6ff 8->13 9->8 12->13
                                                          APIs
                                                          • CreateMutexW.KERNELBASE(?,?), ref: 00C9A6B9
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1844449448.0000000000C9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_c9a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: CreateMutex
                                                          • String ID:
                                                          • API String ID: 1964310414-0
                                                          • Opcode ID: b173906305696665e6b84b0bf4d5564b7488a6c55de2c88184a0c8610fa21565
                                                          • Instruction ID: e7c26a26a0a6aa9a252a4432d98e0d9daa56af700bac1d4c37da20a36d2474e1
                                                          • Opcode Fuzzy Hash: b173906305696665e6b84b0bf4d5564b7488a6c55de2c88184a0c8610fa21565
                                                          • Instruction Fuzzy Hash: 4A3181755093806FE712CB65DC85B96BFF8EF16310F08849AE984CB292D365E909C762
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 16 c9a361-c9a3cf 19 c9a3d1 16->19 20 c9a3d4-c9a3dd 16->20 19->20 21 c9a3df 20->21 22 c9a3e2-c9a3e8 20->22 21->22 23 c9a3ea 22->23 24 c9a3ed-c9a404 22->24 23->24 26 c9a43b-c9a440 24->26 27 c9a406-c9a419 RegQueryValueExW 24->27 26->27 28 c9a41b-c9a438 27->28 29 c9a442-c9a447 27->29 29->28
                                                          APIs
                                                          • RegQueryValueExW.KERNELBASE(?,00000E24,ACD8C2D9,00000000,00000000,00000000,00000000), ref: 00C9A40C
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1844449448.0000000000C9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_c9a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: QueryValue
                                                          • String ID:
                                                          • API String ID: 3660427363-0
                                                          • Opcode ID: 0bd8a2e9c9093b57a53b0ae6de9d711ce687f57068660fc3f9fe6dedf2686c50
                                                          • Instruction ID: 9b000132ee7ba3495399c83d3a7850ccde2e7ecc50b6f23d0f0ef8c51ba0f5ce
                                                          • Opcode Fuzzy Hash: 0bd8a2e9c9093b57a53b0ae6de9d711ce687f57068660fc3f9fe6dedf2686c50
                                                          • Instruction Fuzzy Hash: D5317375505744AFE721CF11CC88F92BBF8EF16714F08849AE945CB6A2D364E909CBB2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 33 c9a462-c9a4c3 36 c9a4c8-c9a4d4 33->36 37 c9a4c5 33->37 38 c9a4d9-c9a4f0 36->38 39 c9a4d6 36->39 37->36 41 c9a4f2-c9a505 RegSetValueExW 38->41 42 c9a527-c9a52c 38->42 39->38 43 c9a52e-c9a533 41->43 44 c9a507-c9a524 41->44 42->41 43->44
                                                          APIs
                                                          • RegSetValueExW.KERNELBASE(?,00000E24,ACD8C2D9,00000000,00000000,00000000,00000000), ref: 00C9A4F8
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1844449448.0000000000C9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_c9a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: a580400c8591b648f2a69003daffba410c984f129201eb0e16f95cf612304df0
                                                          • Instruction ID: 71dbd0148452958b42444a5aea9219341aa8385c695aa3593203cf9a517b51e9
                                                          • Opcode Fuzzy Hash: a580400c8591b648f2a69003daffba410c984f129201eb0e16f95cf612304df0
                                                          • Instruction Fuzzy Hash: 7421A4765057806FDB228F11DC44FA7BFB8EF56314F08849AE985CB652D364E908C7B2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 48 c9a646-c9a695 51 c9a69a-c9a6a3 48->51 52 c9a697 48->52 53 c9a6a8-c9a6b1 51->53 54 c9a6a5 51->54 52->51 55 c9a6b3-c9a6bb CreateMutexW 53->55 56 c9a702-c9a707 53->56 54->53 58 c9a6c1-c9a6d7 55->58 56->55 59 c9a709-c9a70e 58->59 60 c9a6d9-c9a6ff 58->60 59->60
                                                          APIs
                                                          • CreateMutexW.KERNELBASE(?,?), ref: 00C9A6B9
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1844449448.0000000000C9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_c9a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: CreateMutex
                                                          • String ID:
                                                          • API String ID: 1964310414-0
                                                          • Opcode ID: febd7bdd7fea8912c7041aae59e2838c48bd3dd04b0cf9489a8f52ee3d1c8b50
                                                          • Instruction ID: ee06232ca5a5f4bede8058d94c990342f900631abd0199d5fc6ab94b8809cf12
                                                          • Opcode Fuzzy Hash: febd7bdd7fea8912c7041aae59e2838c48bd3dd04b0cf9489a8f52ee3d1c8b50
                                                          • Instruction Fuzzy Hash: 982195756002009FEB20DF65DD85BA6F7E8EF14314F08846AED498B741D775E909CBB2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 63 c9a392-c9a3cf 65 c9a3d1 63->65 66 c9a3d4-c9a3dd 63->66 65->66 67 c9a3df 66->67 68 c9a3e2-c9a3e8 66->68 67->68 69 c9a3ea 68->69 70 c9a3ed-c9a404 68->70 69->70 72 c9a43b-c9a440 70->72 73 c9a406-c9a419 RegQueryValueExW 70->73 72->73 74 c9a41b-c9a438 73->74 75 c9a442-c9a447 73->75 75->74
                                                          APIs
                                                          • RegQueryValueExW.KERNELBASE(?,00000E24,ACD8C2D9,00000000,00000000,00000000,00000000), ref: 00C9A40C
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1844449448.0000000000C9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_c9a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: QueryValue
                                                          • String ID:
                                                          • API String ID: 3660427363-0
                                                          • Opcode ID: adaf9a749032f3c22798a5fc3da2ab21a70bc6da3be6898e71e2a03f87e2ac30
                                                          • Instruction ID: becd8a5ad98ebbc6480a47670a309ddf9232b31a83cc1c0ecede864dc2c7b722
                                                          • Opcode Fuzzy Hash: adaf9a749032f3c22798a5fc3da2ab21a70bc6da3be6898e71e2a03f87e2ac30
                                                          • Instruction Fuzzy Hash: 3B216075600604AFEB20CF15CC88FA6F7ECEF18714F14846AE946CB651D764E909CAB2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 79 c9a486-c9a4c3 81 c9a4c8-c9a4d4 79->81 82 c9a4c5 79->82 83 c9a4d9-c9a4f0 81->83 84 c9a4d6 81->84 82->81 86 c9a4f2-c9a505 RegSetValueExW 83->86 87 c9a527-c9a52c 83->87 84->83 88 c9a52e-c9a533 86->88 89 c9a507-c9a524 86->89 87->86 88->89
                                                          APIs
                                                          • RegSetValueExW.KERNELBASE(?,00000E24,ACD8C2D9,00000000,00000000,00000000,00000000), ref: 00C9A4F8
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1844449448.0000000000C9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_c9a000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: 3c8efc49cecb38b25fadb5e254b19b808e3e9db2f37d51116f0362d8f6772e2b
                                                          • Instruction ID: 172d737d8fa0be89e2d51acdbeea8bfb0d67da55bb4030ee81c26de1941b324d
                                                          • Opcode Fuzzy Hash: 3c8efc49cecb38b25fadb5e254b19b808e3e9db2f37d51116f0362d8f6772e2b
                                                          • Instruction Fuzzy Hash: BD119376600604AFEB218F15DC49FA7FBECEF18714F04845AED498A651D774E908CAB2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
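
The records above describe each function with four machine-readable fields: a `control_flow_graph` (or `execution_graph`) token line, an APIs list with the `ref` address of each call, a Source File dump name, and an Instruction Fuzzy Hash. The Python below is an added example and is not part of the Joe Sandbox report or its tooling. It parses those fields into records, maps each API reference to the basic block whose address range contains it, finds the shortest block path from the function entry to that call, and compares two Instruction Fuzzy Hash values position by position. Assumptions: the embedded sample text is constructed from four records copied from this page; the first dotted field of the dump name is taken to be the sandbox process number (it agrees with the `hcaresult_4_2_...` snapshot names); the entry block is taken to be the lowest-address block; and the positional hash comparison is a heuristic of mine for spotting the same function dumped twice, not Joe Sandbox's own similarity score.

```python
"""Parse Joe Sandbox function records (Source File, graph lines, API refs, fuzzy hash)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
# Constructed input: four records copied from the report above, reduced to the fields read here.
REPORT = """\
• Source File: 00000000.00000002.4083807654.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
• Instruction Fuzzy Hash: C6E0D8F260020067D2509F0AAC45F63FB98DB40A30F08C467EE081B701D172B518C9E2
Uniqueness Score: -1.00%
• Source File: 00000000.00000002.4081628580.000000000081A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081A000, based on PE: false
• Instruction Fuzzy Hash: 0DE020F264020467D2508F06EC45F63FB9CDB44A31F04C567EE085F701D171B50889F2
Uniqueness Score: -1.00%
control_flow_graph 0 c9a612-c9a695 4 c9a69a-c9a6a3 0->4 5 c9a697 0->5 6 c9a6a8-c9a6b1 4->6 7 c9a6a5 4->7 5->4 8 c9a6b3-c9a6d7 CreateMutexW 6->8 9 c9a702-c9a707 6->9 7->6 12 c9a709-c9a70e 8->12 13 c9a6d9-c9a6ff 8->13 9->8 12->13
• CreateMutexW.KERNELBASE(?,?), ref: 00C9A6B9
• Source File: 00000004.00000002.1844449448.0000000000C9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9A000, based on PE: false
• Instruction Fuzzy Hash: 4A3181755093806FE712CB65DC85B96BFF8EF16310F08849AE984CB292D365E909C762
Uniqueness Score: -1.00%
control_flow_graph 16 c9a361-c9a3cf 19 c9a3d1 16->19 20 c9a3d4-c9a3dd 16->20 19->20 21 c9a3df 20->21 22 c9a3e2-c9a3e8 20->22 21->22 23 c9a3ea 22->23 24 c9a3ed-c9a404 22->24 23->24 26 c9a43b-c9a440 24->26 27 c9a406-c9a419 RegQueryValueExW 24->27 26->27 28 c9a41b-c9a438 27->28 29 c9a442-c9a447 27->29 29->28
• RegQueryValueExW.KERNELBASE(?,00000E24,ACD8C2D9,00000000,00000000,00000000,00000000), ref: 00C9A40C
• Source File: 00000004.00000002.1844449448.0000000000C9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9A000, based on PE: false
• Instruction Fuzzy Hash: D5317375505744AFE721CF11CC88F92BBF8EF16714F08849AE945CB6A2D364E909CBB2
Uniqueness Score: -1.00%
"""

SOURCE_RE = re.compile(r"Source File: (\d{8})\.\d{8}\.\d+\.([0-9A-F]{16})\.")
API_RE = re.compile(r"• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-F]+)")
FUZZY_RE = re.compile(r"Instruction Fuzzy Hash: ([0-9A-F]+)")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")

@dataclass
class Block:
    node: int
    start: int = 0
    end: int = 0
    apis: List[str] = field(default_factory=list)  # API names the graph attaches to this block

@dataclass
class Record:
    process: Optional[int] = None  # assumed: first dotted field of the dump name is the process number
    offset: Optional[int] = None   # base address of the dumped region
    fuzzy: str = ""
    apis: List[Tuple[str, str, str, int]] = field(default_factory=list)  # (api, module, args, ref)
    blocks: Dict[int, Block] = field(default_factory=dict)
    edges: List[Tuple[int, int]] = field(default_factory=list)

def parse_graph(tokens):
    """Tokens: `<id> <addr>[-<addr>] [<API> ...]` or `<id>-><id>`; an id is always followed by its address."""
    blocks, edges, cur, it = {}, [], None, iter(tokens)
    for tok in it:
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif tok.isdigit():  # node id: consume the address token that follows it
            lo, _, hi = next(it, "0").partition("-")
            cur = blocks[int(tok)] = Block(int(tok), int(lo, 16), int(hi or lo, 16))
        elif cur is not None:  # anything else is an API name attached to the current block
            cur.apis.append(tok)
    return blocks, edges

def parse_records(text):
    """Split the report text into records; a 'Uniqueness Score' line closes each one."""
    records, rec = [], Record()
    for line in (raw.strip() for raw in text.splitlines()):
        src, api, fz = SOURCE_RE.search(line), API_RE.match(line), FUZZY_RE.search(line)
        if line.startswith(("control_flow_graph", "execution_graph")):
            rec.blocks, rec.edges = parse_graph(line.split()[1:])
        elif src:
            rec.process, rec.offset = int(src.group(1)), int(src.group(2), 16)
        elif api:
            rec.apis.append((api.group(1), api.group(2), api.group(3), int(api.group(4), 16)))
        elif fz:
            rec.fuzzy = fz.group(1)
        elif line.startswith("Uniqueness Score"):
            records.append(rec)
            rec = Record()
    return records

def block_for(rec, addr):
    """Basic block whose address range contains addr, e.g. an API call's ref address."""
    return next((b for b in rec.blocks.values() if b.start <= addr <= b.end), None)

def path_to(rec, target):
    """Shortest block path (BFS) from the entry block (assumed lowest address) to target; [] if none."""
    entry = min(rec.blocks.values(), key=lambda b: b.start).node
    parent, queue = {entry: None}, [entry]
    while queue and target not in parent:
        n = queue.pop(0)
        for a, b in rec.edges:
            if a == n and b not in parent:
                parent[b] = n
                queue.append(b)
    path, n = [], target if target in parent else None
    while n is not None:
        path, n = [n] + path, parent[n]
    return path

def fuzzy_similarity(a, b):
    """Share of equal hex digits at equal positions: an assumed heuristic, not Joe Sandbox's metric."""
    return 0.0 if not a or len(a) != len(b) else sum(x == y for x, y in zip(a, b)) / len(a)
```

Import the module and call `parse_records(REPORT)`, then `block_for` and `path_to` on the result: on the embedded records the CreateMutexW call at 00C9A6B9 lands in block 8 of the c9a612 function, reached from the entry through blocks 0, 4 and 6, and the RegQueryValueExW call at 00C9A40C lands in block 27 of c9a361 through blocks 16, 20, 22 and 24. The two process-0 dumps of what the report shows as the same function agree at 50 of 70 hash positions; a real triage script would feed it the whole report and sort pairs by that score to collapse re-dumped copies before reading the graphs.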

                                                          Control-flow Graph

                                                          control_flow_graph 93 de0310-de0334 95 de033e-de0346 93->95 96 de0336-de0338 93->96 97 de034e-de035c 95->97 98 de0348-de034d 95->98 96->95 100 de035e-de0360 97->100 101 de0362-de0391 97->101 100->101 104 de03d8-de03ff 101->104 105 de0393-de03bb 101->105 111 de040a-de0418 104->111 110 de03ce 105->110 110->104 112 de041f-de0434 111->112 113 de041a 111->113 115 de046b-de0523 112->115 116 de0436-de0460 112->116 113->112 135 de0525-de0569 115->135 136 de0570-de0587 115->136 116->115 135->136 137 de058d-de05bf 136->137 138 de0880 136->138 137->138
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1844648966.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_de0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6ae14371eefb44940389995abee898dce494bf0dafc7d08d47e8ecb36fc28e13
                                                          • Instruction ID: fd658e68193567d50ebcd757668600f5c279cef39a965e2f0ee695c89f29e152
                                                          • Opcode Fuzzy Hash: 6ae14371eefb44940389995abee898dce494bf0dafc7d08d47e8ecb36fc28e13
                                                          • Instruction Fuzzy Hash: 685110307041408FCB28BB79946566E7AE7AB86308B18447DE402DF3E5DF79CD46D7A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 149 de0369-de0391 151 de03d8-de03ff 149->151 152 de0393-de03bb 149->152 158 de040a-de0418 151->158 157 de03ce 152->157 157->151 159 de041f-de0434 158->159 160 de041a 158->160 162 de046b-de0523 159->162 163 de0436-de0460 159->163 160->159 182 de0525-de0569 162->182 183 de0570-de0587 162->183 163->162 182->183 184 de058d-de05bf 183->184 185 de0880 183->185 184->185
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1844648966.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_de0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 749302dc1b56d7b6427682d561c078a1da9977efcdf581f1de4b32601fdebf84
                                                          • Instruction ID: f6c03ced45c5068e0ce5e6fb9ebb3609c13e5fdc50cbaa750ba932d13db8a2a8
                                                          • Opcode Fuzzy Hash: 749302dc1b56d7b6427682d561c078a1da9977efcdf581f1de4b32601fdebf84
                                                          • Instruction Fuzzy Hash: 3851EF307041018BCB18BB79945567E36E79B86348B14447DE402DF3A4DFB9CD4697A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 196 de03bd-de0418 204 de041f-de0434 196->204 205 de041a 196->205 207 de046b-de0523 204->207 208 de0436-de0460 204->208 205->204 227 de0525-de0569 207->227 228 de0570-de0587 207->228 208->207 227->228 229 de058d-de05bf 228->229 230 de0880 228->230 229->230
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1844648966.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_de0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9bd6b529dc40a714f2f4f979dd2249cc869551e39be4ee7f43086b871fc921d1
                                                          • Instruction ID: f06e56e1fe59c4534af80998e75323d3ddab5e60499b1a136bfe3ca98f6db878
                                                          • Opcode Fuzzy Hash: 9bd6b529dc40a714f2f4f979dd2249cc869551e39be4ee7f43086b871fc921d1
                                                          • Instruction Fuzzy Hash: E941DB31B041514B8B28B77A94652BE36D79FC6348718447DE002DF3E5DFA9CD06A7E2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 241 de0088-de00ad 244 de00b8-de02f9 241->244
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1844648966.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_de0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 67509b2d03e0cbdf339a13aa13b161fb11436c1d77084d2ad498ad1052196b62
                                                          • Instruction ID: 9c97390e89d935f83254d209871e291db19b9c63286f40605fba36c4b88e3694
                                                          • Opcode Fuzzy Hash: 67509b2d03e0cbdf339a13aa13b161fb11436c1d77084d2ad498ad1052196b62
                                                          • Instruction Fuzzy Hash: FE51213021A686CBC714FF38E59599A77A7EB9520C340893DE0448F7AEDF789909CBC1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 282 c605e0-c60603 283 c60606-c60620 282->283 284 c60626-c60643 283->284
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1844409749.0000000000C60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_c60000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: edd6c98b6239c0e15f4a54e6d2b60779c1cf4af31f225f95327423973500902d
                                                          • Instruction ID: 582f2b353202682d51fab1ec331cc0c73798a7c6d0b723e6f8c17e4251df89c8
                                                          • Opcode Fuzzy Hash: edd6c98b6239c0e15f4a54e6d2b60779c1cf4af31f225f95327423973500902d
                                                          • Instruction Fuzzy Hash: 22018B755097805FD7128F159C41862FFF8EF86530709C4EFED498B652D225B809CBB2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 285 c60606-c60620 286 c60626-c60643 285->286
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1844409749.0000000000C60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_c60000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e0747f4b6de6644da22f535dbab057912906dc187a9e09dde36f690c485f0e11
                                                          • Instruction ID: 96c73bab9bf80edca18f7abe1d616b2d8060832975e28f7c5133c279c623319c
                                                          • Opcode Fuzzy Hash: e0747f4b6de6644da22f535dbab057912906dc187a9e09dde36f690c485f0e11
                                                          • Instruction Fuzzy Hash: C2E092B66006048B9650DF0AEC41452F7D8EB88630708C47FDC0E8BB11E675B508CBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 287 c923f4-c923ff 288 c92401-c9240e 287->288 289 c92412-c92417 287->289 288->289 290 c92419 289->290 291 c9241a 289->291 292 c92420-c92421 291->292
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1844437175.0000000000C92000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C92000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_c92000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7a1c62c1ecf58b0012a06aad5dd275011aea56c3dabf05da4c6417bb02e701d8
                                                          • Instruction ID: 729f363e11d52ae464988baeaf6e73e13318180554af1eafe612747b696eed20
                                                          • Opcode Fuzzy Hash: 7a1c62c1ecf58b0012a06aad5dd275011aea56c3dabf05da4c6417bb02e701d8
                                                          • Instruction Fuzzy Hash: 30D02E792006C04FD7228A0CC2A8B8537D4AB60708F0A04F9A840CB763C728DA81E200
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered graph omitted; entry block at c923bc)
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1844437175.0000000000C92000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C92000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_c92000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ef5a5a1aba23ed778780014232c5cf34f2b9b5e1a462a0efbd6383665981d2ce
                                                          • Instruction ID: 6afe37245ee2386d3d5e17369a08d714eeb952e5a5126d56d38a824fb19bf741
                                                          • Opcode Fuzzy Hash: ef5a5a1aba23ed778780014232c5cf34f2b9b5e1a462a0efbd6383665981d2ce
                                                          • Instruction Fuzzy Hash: 9ED05E342002814FCB25DA0CC2D8F5937D8BB40714F1A44E8AC608B772C7A8D9C1DA00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered graph omitted; single block at de006c-de0076)
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1844648966.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_de0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5e297e68b9010daa5b204279b64bb32f246a9ea1de209f5352f6bcbb0cbdaaca
                                                          • Instruction ID: a0053d199cf8e71672acee6f4b10e0ec39ec45bc088add72a23c911fb86bcece
                                                          • Opcode Fuzzy Hash: 5e297e68b9010daa5b204279b64bb32f246a9ea1de209f5352f6bcbb0cbdaaca
                                                          • Instruction Fuzzy Hash:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Execution Graph

                                                          Execution Coverage:12.2%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:19
                                                          Total number of Limit Nodes:1
                                                          Execution graph rendering omitted; its API nodes call FindCloseChangeNotification, CreateMutexW, RegSetValueExW and RegQueryValueExW.

                                                          Callgraph

                                                          Control-flow Graph (rendered graph omitted; entry block at 15b0310)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1928206112.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_15b0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: [\k^$-[\k^$=[\k^
                                                          • API String ID: 0-4010822436
                                                          • Opcode ID: 06490e1569f763d722e4b309c0ec87bfd9d051b6469effe1af650947b55a7fbc
                                                          • Instruction ID: 1b523a5d48e26b33877b3438dc194e39595aee4ed04b6585481c51ba0d64ccf7
                                                          • Opcode Fuzzy Hash: 06490e1569f763d722e4b309c0ec87bfd9d051b6469effe1af650947b55a7fbc
                                                          • Instruction Fuzzy Hash: 1D51DF307102159BD728EB39A454ABE76E7FB85254B14447EE006DB3D4DF3ACC4A87A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered graph omitted; entry block at 15b03bd)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1928206112.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_15b0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: [\k^$-[\k^$=[\k^
                                                          • API String ID: 0-4010822436
                                                          • Opcode ID: 0ea6903d6af32c4f8a4eb25b953720c96147516ca3286b864e18fb5f2fd7ad6f
                                                          • Instruction ID: 3e7719e0007c28bcb573e1b686d9658e5fe25f58dd871d31f988f83981635647
                                                          • Opcode Fuzzy Hash: 0ea6903d6af32c4f8a4eb25b953720c96147516ca3286b864e18fb5f2fd7ad6f
                                                          • Instruction Fuzzy Hash: 5C4124307101159BCB28E779A1646BE76E7AFD5248B04447DE006DF7E4DF6ECC0A87A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered graph omitted; entry block at 12ea612, calls CreateMutexW)
                                                          APIs
                                                          • CreateMutexW.KERNELBASE(?,?), ref: 012EA6B9
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1927946511.00000000012EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012EA000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_12ea000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: CreateMutex
                                                          • String ID:
                                                          • API String ID: 1964310414-0
                                                          • Opcode ID: b1edbf4b1650547378b91f8e01c3310c0c415b9454b658aca748ea39ad9c1264
                                                          • Instruction ID: c027deb844c179ff73abbcb40c9b1e642ae7ebe9d747a68c64e583b973ab8cb2
                                                          • Opcode Fuzzy Hash: b1edbf4b1650547378b91f8e01c3310c0c415b9454b658aca748ea39ad9c1264
                                                          • Instruction Fuzzy Hash: C63181B55093806FE712CB25DC85B96BFF8EF06214F08849AE984CF292D365E909CB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered graph omitted; entry block at 12ea361, calls RegQueryValueExW)
                                                          APIs
                                                          • RegQueryValueExW.KERNELBASE(?,00000E24,07039CF7,00000000,00000000,00000000,00000000), ref: 012EA40C
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1927946511.00000000012EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012EA000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_12ea000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: QueryValue
                                                          • String ID:
                                                          • API String ID: 3660427363-0
                                                          • Opcode ID: e23cebda820e689dfdc3319c8dda22c2f79a93e847d865bce9ae3bbe8225bd9f
                                                          • Instruction ID: f2aaf842b3668f9ec0704b2abdbe6bda470d313404cad90ccd1f7ffdacf6ce08
                                                          • Opcode Fuzzy Hash: e23cebda820e689dfdc3319c8dda22c2f79a93e847d865bce9ae3bbe8225bd9f
                                                          • Instruction Fuzzy Hash: DC316175505740AFE722CF15CC88F96BFF8EF06614F08849AE985CB292D364E909CB71
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered graph omitted; entry block at 12ea462, calls RegSetValueExW)
                                                          APIs
                                                          • RegSetValueExW.KERNELBASE(?,00000E24,07039CF7,00000000,00000000,00000000,00000000), ref: 012EA4F8
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1927946511.00000000012EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012EA000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_12ea000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: ad1dfbf2b6d7bb10948eddf4b1ce6a1b20cc6becf14b4d1ca694e4989870f770
                                                          • Instruction ID: 202c95ba8ecdafdc3e69b76918027b011ab640855212a64c79363c5e5c5fd465
                                                          • Opcode Fuzzy Hash: ad1dfbf2b6d7bb10948eddf4b1ce6a1b20cc6becf14b4d1ca694e4989870f770
                                                          • Instruction Fuzzy Hash: 4E2192765043806FE7228F15DC44FA7BFF8DF46614F08849AE989CB652D364E908C771
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered graph omitted; entry block at 12ea646, calls CreateMutexW)
                                                          APIs
                                                          • CreateMutexW.KERNELBASE(?,?), ref: 012EA6B9
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1927946511.00000000012EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012EA000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_12ea000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: CreateMutex
                                                          • String ID:
                                                          • API String ID: 1964310414-0
                                                          • Opcode ID: b9386f04cb5bfce99ea00b5aa521bed71b3d8bb3f9bdbb6f34570510319d8148
                                                          • Instruction ID: ac0c898a3a09615a080cb131122f74e09b09eb172ee7a950029894fc1825aab2
                                                          • Opcode Fuzzy Hash: b9386f04cb5bfce99ea00b5aa521bed71b3d8bb3f9bdbb6f34570510319d8148
                                                          • Instruction Fuzzy Hash: 5C21C5716002009FEB20DF29CD85BA6FBE8EF15214F048469EE498B741D775E408CA71
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered graph omitted; entry block at 12ea392, calls RegQueryValueExW)
                                                          APIs
                                                          • RegQueryValueExW.KERNELBASE(?,00000E24,07039CF7,00000000,00000000,00000000,00000000), ref: 012EA40C
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1927946511.00000000012EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012EA000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_12ea000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: QueryValue
                                                          • String ID:
                                                          • API String ID: 3660427363-0
                                                          • Opcode ID: d2c8877efe8fcaab45bf91de3f4f58f790bf6826b0109fc70ca93edbaf4b2c3a
                                                          • Instruction ID: 0dd5070cb9db26f84965ba89c2c2f3aaf15034d6caf5fb3922971e484aace25e
                                                          • Opcode Fuzzy Hash: d2c8877efe8fcaab45bf91de3f4f58f790bf6826b0109fc70ca93edbaf4b2c3a
                                                          • Instruction Fuzzy Hash: 5421AE75210200AFE720CF19CC89FA6B7ECEF04614F04C46AEA458B651D7A0E808CA72
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered graph omitted; entry block at 12ea710, calls FindCloseChangeNotification)
                                                          APIs
                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 012EA780
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1927946511.00000000012EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012EA000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_12ea000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ChangeCloseFindNotification
                                                          • String ID:
                                                          • API String ID: 2591292051-0
                                                          • Opcode ID: 3dbe25653ce3548a891747ff427a840e27fb6c67cd4b0c1a03b267288c2859f5
                                                          • Instruction ID: 041255a98f920bd7bc7fd02e64170c2f76d30b178cfec6b20cf9dae55f3a9835
                                                          • Opcode Fuzzy Hash: 3dbe25653ce3548a891747ff427a840e27fb6c67cd4b0c1a03b267288c2859f5
                                                          • Instruction Fuzzy Hash: 0D21C3B15093809FD7128F15DC85752BFB8EF06324F0984DBDD858F6A3D2749909CB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered graph omitted; entry block at 12ea486, calls RegSetValueExW)
                                                          APIs
                                                          • RegSetValueExW.KERNELBASE(?,00000E24,07039CF7,00000000,00000000,00000000,00000000), ref: 012EA4F8
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1927946511.00000000012EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012EA000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_12ea000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: 532146432c755f1a4a27dec084d690408dc63dde8f8d8e3d0b5dced3808c9fa0
                                                          • Instruction ID: abf1d7de0891c446d5bf4de9dca95d9cee709a387ea534e8e7e6bc8881755d37
                                                          • Opcode Fuzzy Hash: 532146432c755f1a4a27dec084d690408dc63dde8f8d8e3d0b5dced3808c9fa0
                                                          • Instruction Fuzzy Hash: 50119376610600AFE7218F15DC89FA7FBECEF14714F04845AEE498B651D774E508CAB2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered graph omitted; entry block at 12ea74e, calls FindCloseChangeNotification)
                                                          APIs
                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 012EA780
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1927946511.00000000012EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012EA000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_12ea000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ChangeCloseFindNotification
                                                          • String ID:
                                                          • API String ID: 2591292051-0
                                                          • Opcode ID: c1f22e28ce351d30aa70cb9638bdb900052dc4a87e39d05429678a4e41139671
                                                          • Instruction ID: 8288d90d66216715d73dba806c019a60c1d815ed4fd969ba37168425bd6c034a
                                                          • Opcode Fuzzy Hash: c1f22e28ce351d30aa70cb9638bdb900052dc4a87e39d05429678a4e41139671
                                                          • Instruction Fuzzy Hash: FD0184756502409FEB10CF19D989765FBE4DF04620F08C4ABDD4A8F756D675E404CEA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered graph omitted; entry block at 15b0080)
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1928206112.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_15b0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fe99fa783c5f0619a32c26c9024833b28d268e64bf9ba1462d51d32eeb9fe42e
                                                          • Instruction ID: 27805c52ce960888079600f6cc7dc41e165502770d22c6cf3e5e2b0e76f28af8
                                                          • Opcode Fuzzy Hash: fe99fa783c5f0619a32c26c9024833b28d268e64bf9ba1462d51d32eeb9fe42e
                                                          • Instruction Fuzzy Hash: F9513F30611286AFC734DB3AF694D9A77A2FB81208740897DD014CB669DF3D9DADCB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered graph omitted; single block at 15b0006-15b0076)
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1928206112.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_15b0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3c9ebad2d0f7f2b82ecbce6cc7b5acc2fb7588acf0eba03cd3486c4ec61a1b01
                                                          • Instruction ID: 307b3955dd6426ab88cce29647e0ec889fe92e0ffb6fa76ed36c905827e35932
                                                          • Opcode Fuzzy Hash: 3c9ebad2d0f7f2b82ecbce6cc7b5acc2fb7588acf0eba03cd3486c4ec61a1b01
                                                          • Instruction Fuzzy Hash: 0601212508E3C28FC7439B7458A14907FB0AE5322476F41DBC880CE5A7E22E199EE773
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered graph omitted; entry block at 14c05df)
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1928160049.00000000014C0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_14c0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ae122a4662b3ceda6b77b7129888b36319b51d39be5af732038da7f855528b7a
                                                          • Instruction ID: b6b59c9f8116d39659cefc87b0e134a4b3af9d261b89cc286ae13f16179f8f7d
                                                          • Opcode Fuzzy Hash: ae122a4662b3ceda6b77b7129888b36319b51d39be5af732038da7f855528b7a
                                                          • Instruction Fuzzy Hash: 4C01D6B654D3806FD7128B16AC41862FFF8DB8663070984EFEC498B652D265B809CB72
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph (basic blocks and their successor blocks, recovered from the graph data; the rendered graph is not reproduced here)
• 14c0606-14c0620 -> 14c0626-14c0643
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1928160049.00000000014C0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_14c0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 181b53a26acefedf82a963460bae94aa9ab6e96461ad27c2d8a76fc9aa8b5f43
                                                          • Instruction ID: c09790cc0b2b136efab7bd53a6c40e0d0d35187d7ccfb11bfd543d293a2c39e7
                                                          • Opcode Fuzzy Hash: 181b53a26acefedf82a963460bae94aa9ab6e96461ad27c2d8a76fc9aa8b5f43
                                                          • Instruction Fuzzy Hash: 16E092B66006004B9650CF0AED81462F7D8EB84630B08C47FDC0D8B701D675B508CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph (basic blocks and their successor blocks, recovered from the graph data; the rendered graph is not reproduced here)
• 12e23f4-12e23ff -> 12e2401-12e240e, 12e2412-12e2417
• 12e2401-12e240e -> 12e2412-12e2417
• 12e2412-12e2417 -> 12e2419, 12e241a
• 12e241a -> 12e2420-12e2421
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1927934795.00000000012E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E2000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_12e2000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b345480a82840a89b286c1e2f21dd6c21b84b614bd00d5e0fbb306d3877593a6
                                                          • Instruction ID: a7655bf6380ade3fe30ca4f0da2e6c5a9f5f4fa2e251db1e8e4de67f101a21d0
                                                          • Opcode Fuzzy Hash: b345480a82840a89b286c1e2f21dd6c21b84b614bd00d5e0fbb306d3877593a6
                                                          • Instruction Fuzzy Hash: E7D02E792106E28FE3228B0CC2A8B853BE8AB40704F8A04F9A800CB763C728D481C210
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1927934795.00000000012E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E2000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_12e2000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 776114d7b8ee7713c7d21280d7cef3fc502d080e2fc9e438dd72bf90994dbab5
                                                          • Instruction ID: 4907709b04e21582e7e9c5c4f6648d4582e2153509aa93b6b64a368ffa2235c5
                                                          • Opcode Fuzzy Hash: 776114d7b8ee7713c7d21280d7cef3fc502d080e2fc9e438dd72bf90994dbab5
                                                          • Instruction Fuzzy Hash: E9D05E342002828FD725DB0CC2D8F593BD8AB41714F2A44E8BD118B762C7A4D8C1DE00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Execution Graph

                                                          Execution Coverage:11.6%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:19
                                                          Total number of Limit Nodes:1
Execution graph nodes and edges, recovered from the graph data (the rendered graph is not reproduced here; the API called at a node is given in parentheses):
• aaa74e -> aaa77a (FindCloseChangeNotification), aaa7b9
• aaa7b9 -> aaa77a (FindCloseChangeNotification)
• aaa77a (FindCloseChangeNotification) -> aaa788
• aaa612 -> aaa646 (CreateMutexW) -> aaa6c1
• aaa462 -> aaa486 (RegSetValueExW) -> aaa507
• aaa710 -> aaa74e (FindCloseChangeNotification) -> aaa788
• aaa361 -> aaa392 (RegQueryValueExW) -> aaa41b
• aaa646 -> aaa67e (CreateMutexW) -> aaa6c1
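The execution graph above, like every control-flow graph in this report, reaches the text as a single line of graph data: a numbered node followed by its address or address range, an optional Windows API name when that node calls into the OS, and `src->dst` edges. The parser below is an added example and is not part of the Joe Sandbox report or its tooling. It rebuilds the graph from such a line, lists which addresses call which API, walks the edges to find the APIs reachable from a given start address, and rejects a line whose edges reference nodes that never appear (the usual symptom of a graph truncated during extraction). The triage rule at the end is an assumption of this example, not a Joe Sandbox signature. The two sample lines embedded in the code are copied from this report's process 9 execution graph and from its CreateMutexW control-flow graph.

```python
"""Parse the one-line graph dumps Joe Sandbox embeds in its reports (execution
graphs and control-flow graphs): a node is '<id> <addr[-addr]> [ApiName]',
an edge is '<src>-><dst>'."""
import re
from collections import defaultdict

# Constructed samples, copied from the process 9 graphs of this report.
SAMPLE_EXECUTION_GRAPH = (
    "execution_graph 540 aaa74e 541 aaa77a FindCloseChangeNotification 540->541 "
    "542 aaa7b9 540->542 543 aaa788 541->543 542->541 556 aaa612 "
    "558 aaa646 CreateMutexW 556->558 559 aaa6c1 558->559 "
    "564 aaa462 565 aaa486 RegSetValueExW 564->565 567 aaa507 565->567 "
    "560 aaa710 561 aaa74e FindCloseChangeNotification 560->561 563 aaa788 561->563 "
    "568 aaa361 569 aaa392 RegQueryValueExW 568->569 571 aaa41b 569->571 "
    "552 aaa646 553 aaa67e CreateMutexW 552->553 555 aaa6c1 553->555"
)
SAMPLE_CFG = (
    "control_flow_graph 98 aaa612-aaa695 102 aaa69a-aaa6a3 98->102 103 aaa697 98->103 "
    "104 aaa6a8-aaa6b1 102->104 105 aaa6a5 102->105 103->102 106 aaa702-aaa707 104->106 "
    "107 aaa6b3-aaa6d7 CreateMutexW 104->107 105->104 110 aaa709-aaa70e 107->110 "
    "111 aaa6d9-aaa6ff 107->111 110->111"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")
# An API name only ever follows an address; node ids are all digits and edges
# contain '->', so neither can be mistaken for one by this loose pattern.
API_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> (address, api-or-None), edges is [(src, dst)]."""
    tokens = text.split()
    if tokens and tokens[0] in ("execution_graph", "control_flow_graph"):
        tokens = tokens[1:]
    nodes, edges, i = {}, [], 0
    while i < len(tokens):
        m = EDGE_RE.match(tokens[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if not tokens[i].isdigit() or i + 1 >= len(tokens) or not ADDR_RE.match(tokens[i + 1]):
            raise ValueError(f"malformed node at token {i}: {tokens[i:i + 2]}")
        node_id, addr, api = int(tokens[i]), tokens[i + 1], None
        i += 2
        if i < len(tokens) and API_RE.match(tokens[i]):
            api, i = tokens[i], i + 1
        nodes[node_id] = (addr, api)
    for src, dst in edges:  # a dangling edge means the line was cut during extraction
        if src not in nodes or dst not in nodes:
            raise ValueError(f"edge {src}->{dst} references an undefined node")
    return nodes, edges


def api_calls(nodes):
    """Map each API name to the sorted addresses of the nodes that call it."""
    calls = defaultdict(set)
    for addr, api in nodes.values():
        if api:
            calls[api].add(addr)
    return {api: sorted(addrs) for api, addrs in calls.items()}


def reachable_apis(nodes, edges, start_addr):
    """APIs reachable, following edges, from every node whose address is start_addr."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    stack = [nid for nid, (addr, _) in nodes.items() if addr == start_addr]
    seen, apis = set(), set()
    while stack:
        nid = stack.pop()
        if nid in seen:
            continue
        seen.add(nid)
        if nodes[nid][1]:
            apis.add(nodes[nid][1])
        stack.extend(succ[nid])
    return sorted(apis)


# Triage heuristic, an assumption of this example rather than a Joe Sandbox rule:
# dynamically generated code that writes the registry and creates a mutex is the
# usual persistence-plus-single-instance pattern and deserves a closer look.
REGISTRY_WRITE_APIS = {"RegSetValueExW", "RegSetValueExA", "RegCreateKeyExW", "RegCreateKeyExA"}
MUTEX_APIS = {"CreateMutexW", "CreateMutexA", "CreateMutexExW", "CreateMutexExA"}


def triage_flags(nodes):
    """Labels that apply to the graph, in a fixed order."""
    called = set(api_calls(nodes))
    return [label for label, apis in (("registry-write", REGISTRY_WRITE_APIS), ("mutex", MUTEX_APIS))
            if called & apis]
```

Calling `parse_graph(SAMPLE_EXECUTION_GRAPH)` yields 19 nodes and 14 edges; `api_calls` then shows CreateMutexW reached from two sites (aaa646 and aaa67e) and RegSetValueExW from aaa486, and `triage_flags` returns both labels. The same functions accept the control-flow graph lines, whose nodes are address ranges rather than single addresses, so `reachable_apis(nodes, edges, "aaa612-aaa695")` on the CFG sample answers which API the function starting at aaa612 can reach.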

                                                          Callgraph

Control-flow Graph (basic blocks and their successor blocks, recovered from the graph data; the rendered graph is not reproduced here)
• 4980310-4980334 -> 4980336-4980338, 498033e-4980346
• 4980336-4980338 -> 498033e-4980346
• 498033e-4980346 -> 4980348-498034d, 498034e-4980391
• 498034e-4980391 -> 4980393-49803bb, 49803d8-49803ff
• 4980393-49803bb -> 49803ce
• 49803ce -> 49803d8-49803ff
• 49803d8-49803ff -> 498040a-4980418
• 498040a-4980418 -> 498041a, 498041f-4980434
• 498041a -> 498041f-4980434
• 498041f-4980434 -> 4980436-4980460, 498046b-4980523
• 4980436-4980460 -> 498046b-4980523
• 498046b-4980523 -> 4980525-4980569, 4980570-4980587
• 4980525-4980569 -> 4980570-4980587
• 4980570-4980587 -> 498058d-49805bf, 4980880
• 498058d-49805bf -> 4980880
• 4980348-498034d (no successors)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2009201058.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4980000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: [k^$-[k^$=[k^
                                                          • API String ID: 0-3244988689
                                                          • Opcode ID: 6176876922556d228979c1f4b0199c2f044c4acbd985e6738d302ffa6e8666a0
                                                          • Instruction ID: 69f4472d2a43c8d44ac872120648522c7fc4bb3254ac8b77533390f85e89c3ea
                                                          • Opcode Fuzzy Hash: 6176876922556d228979c1f4b0199c2f044c4acbd985e6738d302ffa6e8666a0
                                                          • Instruction Fuzzy Hash: D451FF317002048BCB18BB799411ABE37E7AB85204B55857DE006CB3E6DFBDDD0687A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph (basic blocks and their successor blocks, recovered from the graph data; the rendered graph is not reproduced here)
• 49803bd-4980418 -> 498041a, 498041f-4980434
• 498041a -> 498041f-4980434
• 498041f-4980434 -> 4980436-4980460, 498046b-4980523
• 4980436-4980460 -> 498046b-4980523
• 498046b-4980523 -> 4980525-4980569, 4980570-4980587
• 4980525-4980569 -> 4980570-4980587
• 4980570-4980587 -> 498058d-49805bf, 4980880
• 498058d-49805bf -> 4980880
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2009201058.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4980000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: [k^$-[k^$=[k^
                                                          • API String ID: 0-3244988689
                                                          • Opcode ID: 02ae12bcc36a294c9d97c610c0b6956024d55e60a0164189cfa74f36ebb22e4f
                                                          • Instruction ID: e920110e7dcd8cabc46ad05df9b291f821dd439de6f27402e0aaa634b51a4792
                                                          • Opcode Fuzzy Hash: 02ae12bcc36a294c9d97c610c0b6956024d55e60a0164189cfa74f36ebb22e4f
                                                          • Instruction Fuzzy Hash: CB41F131B002148BCB28B77D94116BE32D79FC5249745857DE006DB7E6EFAECD0A87A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph (basic blocks and their successor blocks, recovered from the graph data; the rendered graph is not reproduced here; the API called in a block is given in parentheses)
• aaa612-aaa695 -> aaa697, aaa69a-aaa6a3
• aaa697 -> aaa69a-aaa6a3
• aaa69a-aaa6a3 -> aaa6a5, aaa6a8-aaa6b1
• aaa6a5 -> aaa6a8-aaa6b1
• aaa6a8-aaa6b1 -> aaa6b3-aaa6d7 (CreateMutexW), aaa702-aaa707
• aaa702-aaa707 -> aaa6b3-aaa6d7 (CreateMutexW)
• aaa6b3-aaa6d7 (CreateMutexW) -> aaa6d9-aaa6ff, aaa709-aaa70e
• aaa709-aaa70e -> aaa6d9-aaa6ff
                                                          APIs
                                                          • CreateMutexW.KERNELBASE(?,?), ref: 00AAA6B9
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2008734054.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_aaa000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: CreateMutex
                                                          • String ID:
                                                          • API String ID: 1964310414-0
                                                          • Opcode ID: e717149bb4f95d2052b5646c9c60d9e3d6e0341f633871b551fcc04bd10cc18f
                                                          • Instruction ID: 26304e440bd27fa80c9b99d7dd9f7241c072717110921e61689dafa65942fbbe
                                                          • Opcode Fuzzy Hash: e717149bb4f95d2052b5646c9c60d9e3d6e0341f633871b551fcc04bd10cc18f
                                                          • Instruction Fuzzy Hash: 603181755093806FE712CB25DC85B96BFF8EF16310F08849AE984CB292D375E909CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph (basic blocks and their successor blocks, recovered from the graph data; the rendered graph is not reproduced here; the API called in a block is given in parentheses)
• aaa361-aaa3cf -> aaa3d1, aaa3d4-aaa3dd
• aaa3d1 -> aaa3d4-aaa3dd
• aaa3d4-aaa3dd -> aaa3df, aaa3e2-aaa3e8
• aaa3df -> aaa3e2-aaa3e8
• aaa3e2-aaa3e8 -> aaa3ea, aaa3ed-aaa404
• aaa3ea -> aaa3ed-aaa404
• aaa3ed-aaa404 -> aaa406-aaa419 (RegQueryValueExW), aaa43b-aaa440
• aaa43b-aaa440 -> aaa406-aaa419 (RegQueryValueExW)
• aaa406-aaa419 (RegQueryValueExW) -> aaa41b-aaa438, aaa442-aaa447
• aaa442-aaa447 -> aaa41b-aaa438
                                                          APIs
                                                          • RegQueryValueExW.KERNELBASE(?,00000E24,3940E25D,00000000,00000000,00000000,00000000), ref: 00AAA40C
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2008734054.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_aaa000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: QueryValue
                                                          • String ID:
                                                          • API String ID: 3660427363-0
                                                          • Opcode ID: e0864b2526417f30e65907f06151370b92402013eeb5ceb0f0165c77f8df397f
                                                          • Instruction ID: c89dc6f8d24a260d5758cf1f66e64bfcf77e967c81e77789abfd3c8559b8df10
                                                          • Opcode Fuzzy Hash: e0864b2526417f30e65907f06151370b92402013eeb5ceb0f0165c77f8df397f
                                                          • Instruction Fuzzy Hash: 88316F75505780AFE722CF11CC84F92BBF8EF16714F08849AE985CB292D364E909CB72
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph (basic blocks and their successor blocks, recovered from the graph data; the rendered graph is not reproduced here; the API called in a block is given in parentheses)
• aaa462-aaa4c3 -> aaa4c5, aaa4c8-aaa4d4
• aaa4c5 -> aaa4c8-aaa4d4
• aaa4c8-aaa4d4 -> aaa4d6, aaa4d9-aaa4f0
• aaa4d6 -> aaa4d9-aaa4f0
• aaa4d9-aaa4f0 -> aaa4f2-aaa505 (RegSetValueExW), aaa527-aaa52c
• aaa527-aaa52c -> aaa4f2-aaa505 (RegSetValueExW)
• aaa4f2-aaa505 (RegSetValueExW) -> aaa507-aaa524, aaa52e-aaa533
• aaa52e-aaa533 -> aaa507-aaa524
                                                          APIs
                                                          • RegSetValueExW.KERNELBASE(?,00000E24,3940E25D,00000000,00000000,00000000,00000000), ref: 00AAA4F8
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2008734054.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_aaa000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: a9720745b6ff9e1abad6d1a8cb38d63fef1172a9693850da4ee2f33ba18c6867
                                                          • Instruction ID: 2199372ebc75e6afe61801972079ccfb64217ac027b16d8a0f0a871cbb23a074
                                                          • Opcode Fuzzy Hash: a9720745b6ff9e1abad6d1a8cb38d63fef1172a9693850da4ee2f33ba18c6867
                                                          • Instruction Fuzzy Hash: 9C2192765043806FD7228F11DC44FA7BFF8DF56214F08849AE985CB692D364E908CB72
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph (basic blocks and their successor blocks, recovered from the graph data; the rendered graph is not reproduced here; the API called in a block is given in parentheses)
• aaa646-aaa695 -> aaa697, aaa69a-aaa6a3
• aaa697 -> aaa69a-aaa6a3
• aaa69a-aaa6a3 -> aaa6a5, aaa6a8-aaa6b1
• aaa6a5 -> aaa6a8-aaa6b1
• aaa6a8-aaa6b1 -> aaa6b3-aaa6bb (CreateMutexW), aaa702-aaa707
• aaa702-aaa707 -> aaa6b3-aaa6bb (CreateMutexW)
• aaa6b3-aaa6bb (CreateMutexW) -> aaa6c1-aaa6d7
• aaa6c1-aaa6d7 -> aaa6d9-aaa6ff, aaa709-aaa70e
• aaa709-aaa70e -> aaa6d9-aaa6ff
                                                          APIs
                                                          • CreateMutexW.KERNELBASE(?,?), ref: 00AAA6B9
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2008734054.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_aaa000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: CreateMutex
                                                          • String ID:
                                                          • API String ID: 1964310414-0
                                                          • Opcode ID: e33fb95525827e1061b66c4846d3d4d76785d6f2ba41a3b28553431b934092bc
                                                          • Instruction ID: 9a115f3bf455f5785a925de5034c55a3397d399d680949ecb866489979762fec
                                                          • Opcode Fuzzy Hash: e33fb95525827e1061b66c4846d3d4d76785d6f2ba41a3b28553431b934092bc
                                                          • Instruction Fuzzy Hash: 43218071600200AFE720DB25DD85BA6FBE8EF15314F08886AE948CB781D775E909CA72
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph (basic blocks and their successor blocks, recovered from the graph data; the rendered graph is not reproduced here; the API called in a block is given in parentheses)
• aaa392-aaa3cf -> aaa3d1, aaa3d4-aaa3dd
• aaa3d1 -> aaa3d4-aaa3dd
• aaa3d4-aaa3dd -> aaa3df, aaa3e2-aaa3e8
• aaa3df -> aaa3e2-aaa3e8
• aaa3e2-aaa3e8 -> aaa3ea, aaa3ed-aaa404
• aaa3ea -> aaa3ed-aaa404
• aaa3ed-aaa404 -> aaa406-aaa419 (RegQueryValueExW), aaa43b-aaa440
• aaa43b-aaa440 -> aaa406-aaa419 (RegQueryValueExW)
• aaa406-aaa419 (RegQueryValueExW) -> aaa41b-aaa438, aaa442-aaa447
• aaa442-aaa447 -> aaa41b-aaa438
                                                          APIs
                                                          • RegQueryValueExW.KERNELBASE(?,00000E24,3940E25D,00000000,00000000,00000000,00000000), ref: 00AAA40C
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2008734054.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_aaa000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: QueryValue
                                                          • String ID:
                                                          • API String ID: 3660427363-0
                                                          • Opcode ID: 17df98810f4d7682d75a1dca31903c7f0f979df84806c2e248bbea868fb6b978
                                                          • Instruction ID: 7a9dc39098c3f70868ab14108e011b3d53fec1d6f61697f9abde25769280c1c2
                                                          • Opcode Fuzzy Hash: 17df98810f4d7682d75a1dca31903c7f0f979df84806c2e248bbea868fb6b978
                                                          • Instruction Fuzzy Hash: 42215E75600604AFEB20CF15CC84FA6F7ECEF29714F14846AE9498B691D764E909CA72
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph (basic blocks and their successor blocks, recovered from the graph data; the rendered graph is not reproduced here; the API called in a block is given in parentheses)
• aaa710-aaa778 -> aaa77a-aaa782 (FindCloseChangeNotification), aaa7b9-aaa7be
• aaa7b9-aaa7be -> aaa77a-aaa782 (FindCloseChangeNotification)
• aaa77a-aaa782 (FindCloseChangeNotification) -> aaa788-aaa79a
• aaa788-aaa79a -> aaa79c-aaa7b8, aaa7c0-aaa7c5
• aaa7c0-aaa7c5 -> aaa79c-aaa7b8
                                                          APIs
                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 00AAA780
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2008734054.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_aaa000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ChangeCloseFindNotification
                                                          • String ID:
                                                          • API String ID: 2591292051-0
                                                          • Opcode ID: 276f5bf014011f6be6ec5b7fcbe8713c222733d3aa8aa061f56844dc64f7aa6a
                                                          • Instruction ID: 3d3d34c2bdb7353ec62f2518033d90afca9fb748265da364c6d4f0adf1b0aab9
                                                          • Opcode Fuzzy Hash: 276f5bf014011f6be6ec5b7fcbe8713c222733d3aa8aa061f56844dc64f7aa6a
                                                          • Instruction Fuzzy Hash: 2221A1B15093809FD7128F15DC85752BFB8EF13324F0984DBD9858B6A3D3349909CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph (basic blocks and their successor blocks, recovered from the graph data; the rendered graph is not reproduced here; the API called in a block is given in parentheses)
• aaa486-aaa4c3 -> aaa4c5, aaa4c8-aaa4d4
• aaa4c5 -> aaa4c8-aaa4d4
• aaa4c8-aaa4d4 -> aaa4d6, aaa4d9-aaa4f0
• aaa4d6 -> aaa4d9-aaa4f0
• aaa4d9-aaa4f0 -> aaa4f2-aaa505 (RegSetValueExW), aaa527-aaa52c
• aaa527-aaa52c -> aaa4f2-aaa505 (RegSetValueExW)
• aaa4f2-aaa505 (RegSetValueExW) -> aaa507-aaa524, aaa52e-aaa533
• aaa52e-aaa533 -> aaa507-aaa524
                                                          APIs
                                                          • RegSetValueExW.KERNELBASE(?,00000E24,3940E25D,00000000,00000000,00000000,00000000), ref: 00AAA4F8
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2008734054.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_aaa000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: 8874b818ec68ff398bded5beb8e3e5acba4f0c7719b59a51c0680260cf5272e2
                                                          • Instruction ID: 09b53da7f75a5ba2d40594f058c8944373ffc5cc500f1a770cf3b248d2c44e92
                                                          • Opcode Fuzzy Hash: 8874b818ec68ff398bded5beb8e3e5acba4f0c7719b59a51c0680260cf5272e2
                                                          • Instruction Fuzzy Hash: 0A11B176600600AFE7218F15CC44FA7FBECEF29714F04846AED498B681D370E808CAB2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph (basic blocks and their successor blocks, recovered from the graph data; the rendered graph is not reproduced here; the API called in a block is given in parentheses)
• aaa74e-aaa778 -> aaa77a-aaa782 (FindCloseChangeNotification), aaa7b9-aaa7be
• aaa7b9-aaa7be -> aaa77a-aaa782 (FindCloseChangeNotification)
• aaa77a-aaa782 (FindCloseChangeNotification) -> aaa788-aaa79a
• aaa788-aaa79a -> aaa79c-aaa7b8, aaa7c0-aaa7c5
• aaa7c0-aaa7c5 -> aaa79c-aaa7b8
                                                          APIs
                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 00AAA780
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2008734054.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_aaa000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID: ChangeCloseFindNotification
                                                          • String ID:
                                                          • API String ID: 2591292051-0
                                                          • Opcode ID: 6fa5cc33b4ad08946b91f7fc3bb1c9530b393719fcb80f3fbfa6065781aae612
                                                          • Instruction ID: 3cd19521fb6adc25be5f02afb924ad9ca07c5009af1a33b2d8ed7cad616a7f68
                                                          • Opcode Fuzzy Hash: 6fa5cc33b4ad08946b91f7fc3bb1c9530b393719fcb80f3fbfa6065781aae612
                                                          • Instruction Fuzzy Hash: 23017C756002409FEB108F19D985766FBE4DF55720F08C4AADD49CB796D379E808CEA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph (basic blocks and their successor blocks, recovered from the graph data; the rendered graph is not reproduced here)
• 4980080-49800ad -> 49800b8-49802f9
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2009201058.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4980000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 06475a931027b2e058150fea4e64891ab0dd57147b23fb3b1244118632911b09
                                                          • Instruction ID: 1feb481c0f8102c93eaeb73d291efb464f3f0b799105de80be406487c0c865d0
                                                          • Opcode Fuzzy Hash: 06475a931027b2e058150fea4e64891ab0dd57147b23fb3b1244118632911b09
                                                          • Instruction Fuzzy Hash: 49513831616349CBCB18FB78E55494A77A2AF95209340C97DD0058B7AFDFBC5909CB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph (basic blocks and their successor blocks, recovered from the graph data; the rendered graph is not reproduced here)
• cf05e0-cf0603 -> cf0606-cf0620
• cf0606-cf0620 -> cf0626-cf0643
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2008940748.0000000000CF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_cf0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 14091a018581a9b123a27beb7ef421e4b4a6c2b42bea58749b5965b876d71bc4
                                                          • Instruction ID: d23d4dadacf53bfbfb3dfe964dc8b66e6b266989083a201656e78744570d42f3
                                                          • Opcode Fuzzy Hash: 14091a018581a9b123a27beb7ef421e4b4a6c2b42bea58749b5965b876d71bc4
                                                          • Instruction Fuzzy Hash: E60186765097806FD7128F05AC51863FFB8EF86630709C4EFEC498B752D229A809CB72
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 252 4980006-4980076
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2009201058.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4980000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 798da3e3b453da3f6ebcf45da96612db5a52072d0017953cd9b7899fb5c152b8
                                                          • Instruction ID: a740b123bf557b24c2781bdeb172fe2d80aecf5b6ac24a6daa9dfe4e13b6e508
                                                          • Opcode Fuzzy Hash: 798da3e3b453da3f6ebcf45da96612db5a52072d0017953cd9b7899fb5c152b8
                                                          • Instruction Fuzzy Hash: 4801E99248F7C55FE70383752C799913FB09E4301979F80EBC991CB4ABA44E5A0AA723
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 253 cf0606-cf0620 254 cf0626-cf0643 253->254
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2008940748.0000000000CF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_cf0000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e8859686b21d1096aab29136a7fc154bbf676f12ca69a89d4d594a6850bd3c55
                                                          • Instruction ID: 3f2484f16fbb724e52b7faa95e2c63bbffebdb434ae9ca954e941c3a191f8f14
                                                          • Opcode Fuzzy Hash: e8859686b21d1096aab29136a7fc154bbf676f12ca69a89d4d594a6850bd3c55
                                                          • Instruction Fuzzy Hash: 7DE092B66006004B9650DF0AED41452F7D8EB84630718C47FDC0D8B701D235B508CEA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 255 aa23f4-aa23ff 256 aa2412-aa2417 255->256 257 aa2401-aa240e 255->257 258 aa241a 256->258 259 aa2419 256->259 257->256 260 aa2420-aa2421 258->260
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2008717989.0000000000AA2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA2000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_aa2000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3c60ad43a1d613c472a67a5500010ee32d7b31362d9db92792a29498e38b4a99
                                                          • Instruction ID: f2f860c730edf43de570d8db8d90447c1261fbb1491480dc1a8d79b9ab491db2
                                                          • Opcode Fuzzy Hash: 3c60ad43a1d613c472a67a5500010ee32d7b31362d9db92792a29498e38b4a99
                                                          • Instruction Fuzzy Hash: ACD02E792407C04FD3268B0CC2A4B8537D4AB46704F0A04F9A800CB7A3C728D881C200
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2008717989.0000000000AA2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA2000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_aa2000_NezbdhNgwG.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f38c8fec3b4bcb35fa91a9c5649eb14fbb8a84db398d978d3f8cc0b2aa342be1
                                                          • Instruction ID: 3103e871ff415faae3901a2a4ab56bf2af5d3a5cbcd0acb920613a7381d39a2f
                                                          • Opcode Fuzzy Hash: f38c8fec3b4bcb35fa91a9c5649eb14fbb8a84db398d978d3f8cc0b2aa342be1
                                                          • Instruction Fuzzy Hash: 1FD05E342002814FDB25DB0CC2D4F5937D4AB42714F1A48E9AC108F7A2C7A8D8D1DA10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%