Edit tour

Windows Analysis Report
wzHH1r6YOi.exe

Overview

General Information

Sample name:	wzHH1r6YOi.exe renamed because original name is a hash value
Original sample name:	2058d4dd912bd77b5b79ec0bd1a1ff9e.exe
Analysis ID:	1464969
MD5:	2058d4dd912bd77b5b79ec0bd1a1ff9e
SHA1:	c03126efdc44ee76ec8a7793ab5c60913b110cf5
SHA256:	6a56a1810bc71836b0a21868db9ed2f1265f5219c8318c8cbcc6dbaa79ac4c3f
Tags:	exenjratRAT
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code contains process injector

.NET source code references suspicious native API functions

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Creates multiple autostart registry keys

Disables zone checking for all users

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Uses netsh to modify the Windows network and firewall settings

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

wzHH1r6YOi.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\wzHH1r6YOi.exe" MD5: 2058D4DD912BD77B5B79EC0BD1A1FF9E)

chargeable.exe (PID: 4480 cmdline: "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" MD5: CB7C4448E2F1976110D9CF1D4BA279E6)

chargeable.exe (PID: 3992 cmdline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe MD5: CB7C4448E2F1976110D9CF1D4BA279E6)

netsh.exe (PID: 2896 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chargeable.exe (PID: 6304 cmdline: "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" MD5: CB7C4448E2F1976110D9CF1D4BA279E6)

chargeable.exe (PID: 744 cmdline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe MD5: CB7C4448E2F1976110D9CF1D4BA279E6)

wzHH1r6YOi.exe (PID: 7108 cmdline: "C:\Users\user\Desktop\wzHH1r6YOi.exe" MD5: 2058D4DD912BD77B5B79EC0BD1A1FF9E)

chargeable.exe (PID: 2004 cmdline: "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" MD5: CB7C4448E2F1976110D9CF1D4BA279E6)

chargeable.exe (PID: 6848 cmdline: C:\Users\user\AppData\Roaming\confuse\chargeable.exe MD5: CB7C4448E2F1976110D9CF1D4BA279E6)

wzHH1r6YOi.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\wzHH1r6YOi.exe" MD5: 2058D4DD912BD77B5B79EC0BD1A1FF9E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "doddyfire.linkpc.net", "Port": "10000", "Version": "0.7d", "Campaign ID": "neuf", "Install Name": "softcontrol.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.1865300658.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000005.00000002.1865300658.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x3a9a:$a1: get_Registry 0x4b76:$a2: SEE_MASK_NOZONECHECKS 0x4c72:$a3: Download ERROR 0x4b38:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4aca:$a5: netsh firewall delete allowedprogram "
00000005.00000002.1865300658.0000000000402000.00000040.00000400.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4ba6:$a1: netsh firewall add allowedprogram 0x4b76:$a2: SEE_MASK_NOZONECHECKS 0x4e20:$b1: [TAP] 0x4b38:$c3: cmd.exe /c ping
00000005.00000002.1865300658.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b76:$reg: SEE_MASK_NOZONECHECKS 0x4c4e:$msg: Execute ERROR 0x4caa:$msg: Execute ERROR 0x4b38:$ping: cmd.exe /c ping 0 -n 2 & del
00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x4070e:$a1: get_Registry 0x417ea:$a2: SEE_MASK_NOZONECHECKS 0x418e6:$a3: Download ERROR 0x417ac:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4173e:$a5: netsh firewall delete allowedprogram "
00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4181a:$a1: netsh firewall add allowedprogram 0x417ea:$a2: SEE_MASK_NOZONECHECKS 0x41a94:$b1: [TAP] 0x417ac:$c3: cmd.exe /c ping
00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x417ea:$reg: SEE_MASK_NOZONECHECKS 0x418c2:$msg: Execute ERROR 0x4191e:$msg: Execute ERROR 0x417ac:$ping: cmd.exe /c ping 0 -n 2 & del
Process Memory Space: chargeable.exe PID: 4480	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: chargeable.exe PID: 3992	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: chargeable.exe PID: 744	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.chargeable.exe.400000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
5.2.chargeable.exe.400000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x3c9a:$a1: get_Registry 0x4d76:$a2: SEE_MASK_NOZONECHECKS 0x4e72:$a3: Download ERROR 0x4d38:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4cca:$a5: netsh firewall delete allowedprogram "
5.2.chargeable.exe.400000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d38:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e90:$s3: Executed As 0x4e72:$s6: Download ERROR
5.2.chargeable.exe.400000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4da6:$a1: netsh firewall add allowedprogram 0x4d76:$a2: SEE_MASK_NOZONECHECKS 0x5020:$b1: [TAP] 0x4d38:$c3: cmd.exe /c ping
5.2.chargeable.exe.400000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d76:$reg: SEE_MASK_NOZONECHECKS 0x4e4e:$msg: Execute ERROR 0x4eaa:$msg: Execute ERROR 0x4d38:$ping: cmd.exe /c ping 0 -n 2 & del
5.2.chargeable.exe.400000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cca:$s1: netsh firewall delete allowedprogram 0x4da6:$s2: netsh firewall add allowedprogram 0x4d38:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e4e:$s4: Execute ERROR 0x4eaa:$s4: Execute ERROR 0x4e72:$s5: Download ERROR 0x4fd6:$s6: [kl]
2.2.chargeable.exe.28eda74.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
2.2.chargeable.exe.28eda74.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x3c9a:$a1: get_Registry 0x4d76:$a2: SEE_MASK_NOZONECHECKS 0x4e72:$a3: Download ERROR 0x4d38:$a4: cmd.exe /c ping 0 -n 2 & del " 0x4cca:$a5: netsh firewall delete allowedprogram "
2.2.chargeable.exe.28eda74.0.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d38:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e90:$s3: Executed As 0x4e72:$s6: Download ERROR
2.2.chargeable.exe.28eda74.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4da6:$a1: netsh firewall add allowedprogram 0x4d76:$a2: SEE_MASK_NOZONECHECKS 0x5020:$b1: [TAP] 0x4d38:$c3: cmd.exe /c ping
2.2.chargeable.exe.28eda74.0.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d76:$reg: SEE_MASK_NOZONECHECKS 0x4e4e:$msg: Execute ERROR 0x4eaa:$msg: Execute ERROR 0x4d38:$ping: cmd.exe /c ping 0 -n 2 & del
2.2.chargeable.exe.28eda74.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x4cca:$s1: netsh firewall delete allowedprogram 0x4da6:$s2: netsh firewall add allowedprogram 0x4d38:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x4e4e:$s4: Execute ERROR 0x4eaa:$s4: Execute ERROR 0x4e72:$s5: Download ERROR 0x4fd6:$s6: [kl]
2.2.chargeable.exe.28eda74.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
2.2.chargeable.exe.28eda74.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1e9a:$a1: get_Registry 0x2f76:$a2: SEE_MASK_NOZONECHECKS 0x3072:$a3: Download ERROR 0x2f38:$a4: cmd.exe /c ping 0 -n 2 & del " 0x2eca:$a5: netsh firewall delete allowedprogram "
2.2.chargeable.exe.28eda74.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x2f38:$x1: cmd.exe /c ping 0 -n 2 & del " 0x3090:$s3: Executed As 0x3072:$s6: Download ERROR
2.2.chargeable.exe.28eda74.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2fa6:$a1: netsh firewall add allowedprogram 0x2f76:$a2: SEE_MASK_NOZONECHECKS 0x3220:$b1: [TAP] 0x2f38:$c3: cmd.exe /c ping
2.2.chargeable.exe.28eda74.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2f76:$reg: SEE_MASK_NOZONECHECKS 0x304e:$msg: Execute ERROR 0x30aa:$msg: Execute ERROR 0x2f38:$ping: cmd.exe /c ping 0 -n 2 & del
2.2.chargeable.exe.28eda74.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x2eca:$s1: netsh firewall delete allowedprogram 0x2fa6:$s2: netsh firewall add allowedprogram 0x2f38:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x304e:$s4: Execute ERROR 0x30aa:$s4: Execute ERROR 0x3072:$s5: Download ERROR 0x31d6:$s6: [kl]
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\confuse\chargeable.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\wzHH1r6YOi.exe, ProcessId: 6516, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: wzHH1r6YOi.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Njrat {"Host": "doddyfire.linkpc.net", "Port": "10000", "Version": "0.7d", "Campaign ID": "neuf", "Install Name": "softcontrol.exe", "Install Dir": "TEMP", "Network Seprator": "|'|'|"}

Multi AV Scanner detection for domain / URL

Source: doddyfire.linkpc.net	Virustotal: Detection: 18%			Perma Link
Source: doddyfire.linkpc.net	Virustotal: Detection: 18%			Perma Link

Multi AV Scanner detection for submitted file

Source: wzHH1r6YOi.exe	ReversingLabs: Detection: 94%
Source: wzHH1r6YOi.exe	Virustotal: Detection: 82%			Perma Link

Yara detected Njrat

Source: Yara match	File source: 5.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.28eda74.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.28eda74.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1865300658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 4480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 3992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 744, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: wzHH1r6YOi.exe

Joe Sandbox ML: detected

Source: wzHH1r6YOi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: wzHH1r6YOi.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: doddyfire.linkpc.net

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: doddyfire.linkpc.net

Source: chargeable.exe, 00000003.00000002.4108304833.00000000010D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: chargeable.exe, 00000003.00000002.4108304833.00000000010D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.LinkId=42127
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 2.2.chargeable.exe.28eda74.0.raw.unpack, kl.cs

.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: 5.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.28eda74.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.28eda74.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1865300658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 4480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 3992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 744, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 2.2.chargeable.exe.28eda74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.2.chargeable.exe.28eda74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.2.chargeable.exe.28eda74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.chargeable.exe.28eda74.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.chargeable.exe.28eda74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 2.2.chargeable.exe.28eda74.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.2.chargeable.exe.28eda74.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.2.chargeable.exe.28eda74.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.chargeable.exe.28eda74.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.chargeable.exe.28eda74.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000005.00000002.1865300658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000005.00000002.1865300658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000005.00000002.1865300658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 2_2_06330E3E NtResumeThread,	2_2_06330E3E
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 2_2_06330EE6 NtWriteVirtualMemory,	2_2_06330EE6
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 2_2_06330EB9 NtWriteVirtualMemory,	2_2_06330EB9
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 2_2_06330DFA NtResumeThread,	2_2_06330DFA
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 4_2_056B0EE6 NtWriteVirtualMemory,	4_2_056B0EE6
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 4_2_056B0E3E NtResumeThread,	4_2_056B0E3E
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 4_2_056B0DFA NtResumeThread,	4_2_056B0DFA
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 4_2_056B0EB9 NtWriteVirtualMemory,	4_2_056B0EB9
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 12_2_07040E3E NtResumeThread,	12_2_07040E3E
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 12_2_07040EE6 NtWriteVirtualMemory,	12_2_07040EE6
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 12_2_07040EB9 NtWriteVirtualMemory,	12_2_07040EB9
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 12_2_07040DFA NtResumeThread,	12_2_07040DFA

Source: wzHH1r6YOi.exe, 00000000.00000002.1734012982.0000000005270000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameb6052.dll4 vs wzHH1r6YOi.exe
Source: wzHH1r6YOi.exe, 00000000.00000002.1733626231.0000000003D91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename1.exe0 vs wzHH1r6YOi.exe
Source: wzHH1r6YOi.exe, 00000000.00000002.1732060144.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs wzHH1r6YOi.exe
Source: wzHH1r6YOi.exe, 00000000.00000000.1637473772.00000000007D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename1.exe0 vs wzHH1r6YOi.exe
Source: wzHH1r6YOi.exe, 00000000.00000002.1733450204.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs wzHH1r6YOi.exe
Source: wzHH1r6YOi.exe, 00000000.00000002.1733450204.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs wzHH1r6YOi.exe
Source: wzHH1r6YOi.exe, 00000000.00000002.1733450204.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: kU,\\StringFileInfo\\000004B0\\OriginalFilenameL. vs wzHH1r6YOi.exe
Source: wzHH1r6YOi.exe, 00000000.00000002.1733450204.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb6052.dll4 vs wzHH1r6YOi.exe
Source: wzHH1r6YOi.exe, 00000000.00000000.1637493143.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename1.exe0 vs wzHH1r6YOi.exe
Source: wzHH1r6YOi.exe, 00000009.00000002.1895768675.00000000027A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs wzHH1r6YOi.exe
Source: wzHH1r6YOi.exe, 00000009.00000002.1895768675.00000000027A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs wzHH1r6YOi.exe
Source: wzHH1r6YOi.exe, 00000009.00000002.1895768675.00000000027A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: kU,\\StringFileInfo\\000004B0\\OriginalFilenameL. vs wzHH1r6YOi.exe
Source: wzHH1r6YOi.exe, 0000000E.00000002.2061982361.0000000003146000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs wzHH1r6YOi.exe
Source: wzHH1r6YOi.exe, 0000000E.00000002.2061982361.0000000003146000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs wzHH1r6YOi.exe
Source: wzHH1r6YOi.exe, 0000000E.00000002.2061982361.0000000003146000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: kU,\\StringFileInfo\\000004B0\\OriginalFilenameL. vs wzHH1r6YOi.exe
Source: wzHH1r6YOi.exe	Binary or memory string: OriginalFilename1.exe0 vs wzHH1r6YOi.exe

Source: wzHH1r6YOi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 2.2.chargeable.exe.28eda74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.2.chargeable.exe.28eda74.0.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.chargeable.exe.28eda74.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.chargeable.exe.28eda74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.2.chargeable.exe.28eda74.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 2.2.chargeable.exe.28eda74.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.2.chargeable.exe.28eda74.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.chargeable.exe.28eda74.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.chargeable.exe.28eda74.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.2.chargeable.exe.28eda74.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000005.00000002.1865300658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000005.00000002.1865300658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000005.00000002.1865300658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan

Source: wzHH1r6YOi.exe, MusicExpressMain.cs	Base64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'
Source: chargeable.exe.0.dr, MusicExpressMain.cs	Base64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'
Source: 0.2.wzHH1r6YOi.exe.3d97ef0.2.raw.unpack, MusicExpressMain.cs	Base64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'
Source: 0.2.wzHH1r6YOi.exe.3db3c90.1.raw.unpack, MusicExpressMain.cs	Base64 encoded string: 'H7rrlW34uZ4g7TG29m695QHDWNDM6maH760RUMe2fvs6fBSV9ArU3xwZc58t79bYW92J4Kch8bJvQTXR7ZSLOpr16aCx9Y9b8sq08YK78X7af00cL6y1OAAaRhD2nS8883jy033am604F33HjHR2N4DSNOFX55eN2ArGi81FaNmmYUdOT0DytcGnj0PgMQ04e0wiA616'

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@16/4@2/0

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 3_2_05451276 AdjustTokenPrivileges,		3_2_05451276
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Code function: 3_2_0545123F AdjustTokenPrivileges,		3_2_0545123F

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe

File created: C:\Users\user\AppData\Roaming\confuse

Jump to behavior

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Mutant created: \Sessions\1\BaseNamedObjects\e1a87040f2026369a233f9ae76301b7b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:180:120:WilError_03
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: wzHH1r6YOi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: wzHH1r6YOi.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wzHH1r6YOi.exe	ReversingLabs: Detection: 94%
Source: wzHH1r6YOi.exe	Virustotal: Detection: 82%

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe

File read: C:\Users\user\Desktop\wzHH1r6YOi.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wzHH1r6YOi.exe "C:\Users\user\Desktop\wzHH1r6YOi.exe"
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\wzHH1r6YOi.exe "C:\Users\user\Desktop\wzHH1r6YOi.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Source: unknown	Process created: C:\Users\user\Desktop\wzHH1r6YOi.exe "C:\Users\user\Desktop\wzHH1r6YOi.exe"
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Section loaded: shfolder.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: wzHH1r6YOi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: wzHH1r6YOi.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 2.2.chargeable.exe.28eda74.0.raw.unpack, OK.cs

.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: wzHH1r6YOi.exe	Static PE information: section name: .l2
Source: chargeable.exe.0.dr	Static PE information: section name: .l2

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe

Code function: 14_2_0133099A push eax; retf

14_2_0133099D

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe

File created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run confuse			Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysMain			Jump to behavior

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run confuse	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run confuse	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysMain	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysMain	Jump to behavior

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Memory allocated: 1260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Memory allocated: 2D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Memory allocated: 4D90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 2820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: B50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 12E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 3020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 12E0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 1630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 3460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 1770000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 1640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 3540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 1880000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Memory allocated: A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Memory allocated: 4880000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 3450000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 3450000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 5450000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: FE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: 3080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory allocated: FE0000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Memory allocated: F30000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Memory allocated: 3120000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Memory allocated: 1190000 memory commit \| memory reserve \| memory write watch

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Window / User API: threadDelayed 811	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Window / User API: threadDelayed 3749	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Window / User API: threadDelayed 1085	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Window / User API: foregroundWindowGot 1618	Jump to behavior

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe TID: 6592	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 5652	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 3844	Thread sleep count: 811 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 3844	Thread sleep time: -811000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 6100	Thread sleep count: 250 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 6100	Thread sleep time: -500000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 5660	Thread sleep count: 3749 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 3844	Thread sleep count: 1085 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 3844	Thread sleep time: -1085000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 6100	Thread sleep count: 96 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 6100	Thread sleep time: -192000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 7044	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 6960	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe TID: 5824	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 4480	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe TID: 6992	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe TID: 5672	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Thread delayed: delay time: 922337203685477

Source: chargeable.exe, 00000003.00000002.4108304833.00000000010D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWCulture=neutra
Source: chargeable.exe, 00000003.00000002.4108304833.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000007.00000003.1834360353.00000000011E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code contains process injector

Source: 0.2.wzHH1r6YOi.exe.5270000.3.raw.unpack, D.cs	.Net Code: Run contains injection code
Source: 0.2.wzHH1r6YOi.exe.2dec09c.0.raw.unpack, D.cs	.Net Code: Run contains injection code
Source: 2.2.chargeable.exe.287c2fc.1.raw.unpack, D.cs	.Net Code: Run contains injection code

.NET source code references suspicious native API functions

Source: 0.2.wzHH1r6YOi.exe.5270000.3.raw.unpack, D.cs	Reference to suspicious API methods: VirtualAllocEx((IntPtr)array4[0], intPtr, (uint)(ptr2 + 80), 12288u, 64u)
Source: 0.2.wzHH1r6YOi.exe.5270000.3.raw.unpack, D.cs	Reference to suspicious API methods: NtWriteVirtualMemory((IntPtr)array4[0], intPtr, (IntPtr)ptr5, (uint)(ptr2 + 84), IntPtr.Zero)
Source: 0.2.wzHH1r6YOi.exe.5270000.3.raw.unpack, D.cs	Reference to suspicious API methods: NtSetContextThread((IntPtr)array4[1], (IntPtr)ptr4)
Source: 2.2.chargeable.exe.28eda74.0.raw.unpack, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: 2.2.chargeable.exe.28eda74.0.raw.unpack, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: 2.2.chargeable.exe.28eda74.0.raw.unpack, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory written: C:\Users\user\AppData\Roaming\confuse\chargeable.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory written: C:\Users\user\AppData\Roaming\confuse\chargeable.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Memory written: C:\Users\user\AppData\Roaming\confuse\chargeable.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe "C:\Users\user\AppData\Roaming\confuse\chargeable.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe	Process created: C:\Users\user\AppData\Roaming\confuse\chargeable.exe C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Source: chargeable.exe, 00000003.00000002.4111229738.00000000030B3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: chargeable.exe, 00000003.00000002.4111229738.00000000030B3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9
Source: chargeable.exe, 00000003.00000002.4111229738.00000000030B3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerpY

Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wzHH1r6YOi.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables zone checking for all users

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

Modifies the windows firewall

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: 5.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.28eda74.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.28eda74.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1865300658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 4480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 3992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 744, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: 5.2.chargeable.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.28eda74.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chargeable.exe.28eda74.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1865300658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 4480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 3992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chargeable.exe PID: 744, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Masquerading	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	212 Process Injection	31 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	11 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	212 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
wzHH1r6YOi.exe	95%	ReversingLabs	ByteCode-MSIL.Backdoor.Ratenjay
wzHH1r6YOi.exe	82%	Virustotal		Browse
wzHH1r6YOi.exe	100%	Avira	TR/Dropper.Gen
wzHH1r6YOi.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\confuse\chargeable.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\confuse\chargeable.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
doddyfire.linkpc.net	19%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.apache.org/licenses/LICENSE-2.0	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
doddyfire.linkpc.net	0%	Avira URL Cloud	safe
http://go.microsoft.	0%	Avira URL Cloud	safe
http://go.microsoft.LinkId=42127	0%	Avira URL Cloud	safe
http://go.microsoft.	0%	Virustotal		Browse
doddyfire.linkpc.net	19%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
doddyfire.linkpc.net	226.85.155.175	true	true	19%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
doddyfire.linkpc.net	true	19%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://go.microsoft.	chargeable.exe, 00000003.00000002.4108304833.00000000010D9000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.tiro.com	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.goodfont.co.kr	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://go.microsoft.LinkId=42127	chargeable.exe, 00000003.00000002.4108304833.00000000010D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	wzHH1r6YOi.exe, 00000000.00000002.1734163615.0000000006452000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1464969
Start date and time:	2024-07-01 02:51:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wzHH1r6YOi.exe renamed because original name is a hash value
Original Sample Name:	2058d4dd912bd77b5b79ec0bd1a1ff9e.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@16/4@2/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 216 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:51:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run confuse C:\Users\user\AppData\Roaming\confuse\chargeable.exe
01:52:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysMain C:\Users\user\Desktop\wzHH1r6YOi.exe
01:52:16	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run confuse C:\Users\user\AppData\Roaming\confuse\chargeable.exe
01:52:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysMain C:\Users\user\Desktop\wzHH1r6YOi.exe
20:52:46	API Interceptor	554466x Sleep call for process: chargeable.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
doddyfire.linkpc.net	NNAq3d5eQF.exe	Get hash	malicious	Njrat	Browse	198.17.56.173
	PXe2j6taKw.exe	Get hash	malicious	Njrat	Browse	160.177.56.173
	2P2XFVtixh.exe	Get hash	malicious	Njrat	Browse	160.177.56.173
	on2JggGo0k.exe	Get hash	malicious	Njrat	Browse	160.177.56.173
	hJp7k54EgT.exe	Get hash	malicious	Njrat	Browse	160.177.56.173
	MLueAj6kTM.exe	Get hash	malicious	Njrat	Browse	198.42.118.111
	kGlfHSAvsv.exe	Get hash	malicious	Njrat	Browse	198.42.118.111
	1IPG5H92Qv.exe	Get hash	malicious	Njrat	Browse	198.42.118.111
	U5FHkrCwJN.exe	Get hash	malicious	Njrat	Browse	198.42.118.111
	wIJ2SPVh6Y.exe	Get hash	malicious	Njrat	Browse	198.42.118.111

Process:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	388
Entropy (8bit):	5.20595142366915
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10U29xtUz1B0U2uk71K6xhk7v:MLF2CpI329Iz52Ve
MD5:	2452328391F7A0B3C56DDF0E6389513E
SHA1:	6FE308A325AE8BFB17DE5CAAF54432E5301987B6
SHA-256:	2BC0F7D1CBD869EF4FD93B95495C8081B01B3FD627890B006B6A531D8C050AA2
SHA-512:	AC65283B0959E112B73160BB4322D0725C7D0EC79E3BB93555B1412204AA72F1F66BB9EB8D8B24B6570EC8717A1A4A129454588C3EA9ACE206B6E9CCB7F2ABDC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\wzHH1r6YOi.exe.log

Download File

Process:	C:\Users\user\Desktop\wzHH1r6YOi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	388
Entropy (8bit):	5.20595142366915
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10U29xtUz1B0U2uk71K6xhk7v:MLF2CpI329Iz52Ve
MD5:	2452328391F7A0B3C56DDF0E6389513E
SHA1:	6FE308A325AE8BFB17DE5CAAF54432E5301987B6
SHA-256:	2BC0F7D1CBD869EF4FD93B95495C8081B01B3FD627890B006B6A531D8C050AA2
SHA-512:	AC65283B0959E112B73160BB4322D0725C7D0EC79E3BB93555B1412204AA72F1F66BB9EB8D8B24B6570EC8717A1A4A129454588C3EA9ACE206B6E9CCB7F2ABDC
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Roaming\confuse\chargeable.exe

Download File

Process:	C:\Users\user\Desktop\wzHH1r6YOi.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	114112
Entropy (8bit):	6.008167040581093
Encrypted:	false
SSDEEP:	1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73x1:w5eznsjsguGDFqGx8egoxmO3rx1
MD5:	CB7C4448E2F1976110D9CF1D4BA279E6
SHA1:	B68742DA24F145C2584E7CCF106A17E83A9F446F
SHA-256:	4EF8AFF34F77AA621DD4CCADF673FCDE39ECE958C41835AA952C21DF2D049E3E
SHA-512:	6E228D7E60D260BB3FA4045F41E0AD412833257DB3060E764285985DBC6ADEBD67B627502846ABE75D9FC257FB8ACAE459D2C345485AAD8934F886FB46AAE190
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S..[.................x..........^.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...dv... ...x.................. ..`.rsrc...H............\|..............@..@.reloc..............................@..B.l2.................................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.0065668267361145
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	wzHH1r6YOi.exe
File size:	114'048 bytes
MD5:	2058d4dd912bd77b5b79ec0bd1a1ff9e
SHA1:	c03126efdc44ee76ec8a7793ab5c60913b110cf5
SHA256:	6a56a1810bc71836b0a21868db9ed2f1265f5219c8318c8cbcc6dbaa79ac4c3f
SHA512:	93b5ba4691cedd522e8f3b41327610a8c4013aa39b76cbe508fd8445b64141686f31d3d044885bd7c640b08c7c2efb4e9d214c3991efd087f701c1075eb86bed
SSDEEP:	1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73xj:w5eznsjsguGDFqGx8egoxmO3rxj
TLSH:	63B30C387D952133C67EC1F689E50A8AEB69223F31A1E9ED4CA742C418B2F156DC1D1F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S..[.................x..........^.... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x41965e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5B1EAC53 [Mon Jun 11 17:07:31 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19608	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e000	0x400	.l2
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x17664	0x17800	7acd957f3266ee65ab01391ebf758013	False	0.46648520611702127	data	5.649987526076151	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1a000	0x348	0x400	2f8c2571ca02df8c52b2a03fcee90517	False	0.37109375	data	2.7512174114856074	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1c000	0xc	0x200	5219651ec1890b5711996a05a6f4ed37	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.l2	0x1e000	0x400	0x400	8821bc5ab10b630550f47d3029855e20	False	0.3720703125	data	2.7512174114856074	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1e060	0x2ec	data			0.4625668449197861

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 02:52:16.293797970 CEST	56580	53	192.168.2.4	1.1.1.1
Jul 1, 2024 02:52:16.417901039 CEST	53	56580	1.1.1.1	192.168.2.4
Jul 1, 2024 02:52:41.919878960 CEST	53	52018	162.159.36.2	192.168.2.4
Jul 1, 2024 02:52:42.474407911 CEST	53	52376	1.1.1.1	192.168.2.4
Jul 1, 2024 02:54:15.616713047 CEST	59625	53	192.168.2.4	1.1.1.1
Jul 1, 2024 02:54:15.743415117 CEST	53	59625	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 1, 2024 02:52:16.293797970 CEST	192.168.2.4	1.1.1.1	0x9848	Standard query (0)	doddyfire.linkpc.net	A (IP address)	IN (0x0001)	false
Jul 1, 2024 02:54:15.616713047 CEST	192.168.2.4	1.1.1.1	0x5e5e	Standard query (0)	doddyfire.linkpc.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 1, 2024 02:52:16.417901039 CEST	1.1.1.1	192.168.2.4	0x9848	No error (0)	doddyfire.linkpc.net		226.85.155.175	A (IP address)	IN (0x0001)	false
Jul 1, 2024 02:54:15.743415117 CEST	1.1.1.1	192.168.2.4	0x5e5e	No error (0)	doddyfire.linkpc.net		226.85.155.175	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	20:51:53
Start date:	30/06/2024
Path:	C:\Users\user\Desktop\wzHH1r6YOi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wzHH1r6YOi.exe"
Imagebase:	0x7d0000
File size:	114'048 bytes
MD5 hash:	2058D4DD912BD77B5B79EC0BD1A1FF9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:52:02
Start date:	30/06/2024
Path:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
Imagebase:	0x190000
File size:	114'112 bytes
MD5 hash:	CB7C4448E2F1976110D9CF1D4BA279E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000002.1767143215.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:52:06
Start date:	30/06/2024
Path:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Imagebase:	0xa90000
File size:	114'112 bytes
MD5 hash:	CB7C4448E2F1976110D9CF1D4BA279E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	20:52:07
Start date:	30/06/2024
Path:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
Imagebase:	0xdb0000
File size:	114'112 bytes
MD5 hash:	CB7C4448E2F1976110D9CF1D4BA279E6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	20:52:11
Start date:	30/06/2024
Path:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Imagebase:	0xe90000
File size:	114'112 bytes
MD5 hash:	CB7C4448E2F1976110D9CF1D4BA279E6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000005.00000002.1865300658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000005.00000002.1865300658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000005.00000002.1865300658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000005.00000002.1865300658.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	20:52:12
Start date:	30/06/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:52:12
Start date:	30/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:52:15
Start date:	30/06/2024
Path:	C:\Users\user\Desktop\wzHH1r6YOi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wzHH1r6YOi.exe"
Imagebase:	0x210000
File size:	114'048 bytes
MD5 hash:	2058D4DD912BD77B5B79EC0BD1A1FF9E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	20:52:24
Start date:	30/06/2024
Path:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\confuse\chargeable.exe"
Imagebase:	0xec0000
File size:	114'112 bytes
MD5 hash:	CB7C4448E2F1976110D9CF1D4BA279E6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	20:52:27
Start date:	30/06/2024
Path:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\confuse\chargeable.exe
Imagebase:	0x920000
File size:	114'112 bytes
MD5 hash:	CB7C4448E2F1976110D9CF1D4BA279E6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	20:52:32
Start date:	30/06/2024
Path:	C:\Users\user\Desktop\wzHH1r6YOi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wzHH1r6YOi.exe"
Imagebase:	0x8f0000
File size:	114'048 bytes
MD5 hash:	2058D4DD912BD77B5B79EC0BD1A1FF9E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	19.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	90
Total number of Limit Nodes:	3

Executed Functions

Function 04F900D0 Relevance: 9.1, Instructions: 9148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1733783094.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58dedbf39dea7a15e3410a5db0eb444ce3d456f81790b1f939771e3f2b972310
Instruction ID: db66ab912d532bdda9c1e3999475c96de51c9353d9e76495aa26837a726d5f06
Opcode Fuzzy Hash: 58dedbf39dea7a15e3410a5db0eb444ce3d456f81790b1f939771e3f2b972310
Instruction Fuzzy Hash: E3146934600708CFDB25DB30C894A9AB3B6FF8A304F5185A9D54AAB760CF39AE45CF55

Function 04F900E0 Relevance: 9.1, Instructions: 9140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1733783094.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b552f6337bd7180e834251c4e106ac70a0a641996d4a17dfbf4643a8576925a0
Instruction ID: ca10c67ca73a9efa178b6e0516433ee7e481b8e111e98516e75232ba0719f6fb
Opcode Fuzzy Hash: b552f6337bd7180e834251c4e106ac70a0a641996d4a17dfbf4643a8576925a0
Instruction Fuzzy Hash: CB146934600708CFDB25DB30C894A9AB3B6FF8A304F5185A9D54AAB760CF39AE45CF55

Function 04F998A0 Relevance: 2.7, Instructions: 2697
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1733783094.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579f5e5bedadea345cdb34720a14e314fdc2eb3f61beaefb6d824d643ab00304
Instruction ID: 5f6eab862594338170922f948d455ae4265a8a0f24e887b48ee10280522b3d7d
Opcode Fuzzy Hash: 579f5e5bedadea345cdb34720a14e314fdc2eb3f61beaefb6d824d643ab00304
Instruction Fuzzy Hash: 8C338565B315208B8646BF78D59341F6B72EB88598718834ED9050B38CEF3C9F478BD9

Function 05110B60 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05110C05

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f03a757b62f6087f84f6ceaa8488fccc4b541d7958f70772b057a7284e0bd66e
Instruction ID: 58f9293c8a984fa3db19cae1f425c3cae9f55ba1ca7315fde658b197f207ae9f
Opcode Fuzzy Hash: f03a757b62f6087f84f6ceaa8488fccc4b541d7958f70772b057a7284e0bd66e
Instruction Fuzzy Hash: 34318F715053806FE721CF65DC84F66BBE8EF0A224F0884AEE985CB652D375E809CB75

Function 00DBAC22 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00DBACD1

Memory Dump Source

Source File: 00000000.00000002.1731801247.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_wzHH1r6YOi.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 14db8f538daae07ea4147a1c9b13b6d5e5dec57b09ece1c31e089f14197f9b65
Instruction ID: b4fee08515da42abd85b201f2e0df71db861c3a3b45d04bbb9e4dc83fd84539c
Opcode Fuzzy Hash: 14db8f538daae07ea4147a1c9b13b6d5e5dec57b09ece1c31e089f14197f9b65
Instruction Fuzzy Hash: 7D31A2B1408384AFE7228F55DC45FA7BFBCEF06210F08849AE9858B652D264A949CB75

Function 00DBAD19 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,C3CE1CF7,00000000,00000000,00000000,00000000), ref: 00DBADD4

Memory Dump Source

Source File: 00000000.00000002.1731801247.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_wzHH1r6YOi.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7c8402378b86537839f5a23a9a48cfbc50cd2c7ab4b32fbabebddfc16fd7c984
Instruction ID: 5f8070fa8a6dc91188a7b91c7aa652852df0b1ea51210a91246da7cdfd80b7e9
Opcode Fuzzy Hash: 7c8402378b86537839f5a23a9a48cfbc50cd2c7ab4b32fbabebddfc16fd7c984
Instruction Fuzzy Hash: 4831B3755047809FD722CF65CC45FA2BFF8EF06310F08849AE945CB662D264E949CB75

Function 05110F83 Relevance: 1.6, APIs: 1, Instructions: 81
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,C3CE1CF7,00000000,00000000,00000000,00000000), ref: 05111030

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a95db9685bbc6e1fd07895e29d4371ca5e4ce735ba53e6d5348d65a7e0d5cf1d
Instruction ID: 4409d19c89a6fdc89cde3ae8d46053b5ccc9762debad7e30bfe3be6fdc51ff3d
Opcode Fuzzy Hash: a95db9685bbc6e1fd07895e29d4371ca5e4ce735ba53e6d5348d65a7e0d5cf1d
Instruction Fuzzy Hash: 872191B55087806FE722CB21DC45FA3FFF8AF06214F08849AE9859B693D364A909C775

Function 00DBA2AC Relevance: 1.6, APIs: 1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 00DBA346

Memory Dump Source

Source File: 00000000.00000002.1731801247.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_wzHH1r6YOi.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 657e6361b01beb2b86ddad7ff2e741662da062a1f8a513f61ae26f477192121f
Instruction ID: 6f4c08df5573cb326169aa77b1b0316730eeaa383bbbffb46debee42b0d2b92c
Opcode Fuzzy Hash: 657e6361b01beb2b86ddad7ff2e741662da062a1f8a513f61ae26f477192121f
Instruction Fuzzy Hash: 0C21747140D7C06FD3138B259C51B62BFB4EF47610F0941DBE884DB653D225A91AC7B6

Function 05110B86 Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05110C05

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fa37d513840fdd2b1df326f8a90a941321b29be66af5120a06837cfb867e073a
Instruction ID: 8dd56249b57c94f92180a4f5fe9dc9866893d99808f604468fcb25c6bc3366f8
Opcode Fuzzy Hash: fa37d513840fdd2b1df326f8a90a941321b29be66af5120a06837cfb867e073a
Instruction Fuzzy Hash: 72219F75904200AFE720CF65CD85B66FBE8EF09314F0488AAED49CB651D375E448CB69

Function 00DBAC52 Relevance: 1.6, APIs: 1, Instructions: 74
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00DBACD1

Memory Dump Source

Source File: 00000000.00000002.1731801247.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_wzHH1r6YOi.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 3bb57e3e01b525b2408dc6a90f9b903924b1eef748ae69dbaa3876ff56724cfe
Instruction ID: 78c715b2982fa5a742944ea111bac33adc35f1ea181b5a397add64cc0af553a7
Opcode Fuzzy Hash: 3bb57e3e01b525b2408dc6a90f9b903924b1eef748ae69dbaa3876ff56724cfe
Instruction Fuzzy Hash: F52101B2400204AFE720CF55CC84FABFBECEF04314F08845AE945CB651D320E94C8AB6

Function 05110D17 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,C3CE1CF7,00000000,00000000,00000000,00000000), ref: 05110D9D

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: be3035cef99f104d0a62cf847fd296bda5f55aab73e27e740aaaecd9992231b8
Instruction ID: 954ac22414d2b1c2eed7ef3e8c604c4dd65b53a94671f9951ea36c19aba3fa4b
Opcode Fuzzy Hash: be3035cef99f104d0a62cf847fd296bda5f55aab73e27e740aaaecd9992231b8
Instruction Fuzzy Hash: 3421D5B54097806FE7128B51DC85BA6BFB8EF47314F0880DAED84CB2A3D264A909C775

Function 05110431 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?), ref: 051104B3

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: fbb57b280b7118fe1936f311a7790d4daed15d8f36c177e0906a0b8ab0bca5fb
Instruction ID: bf4ec28a658f63c5ae14255b16ac9e8065ac8f85b693772e0db3debe6313dbed
Opcode Fuzzy Hash: fbb57b280b7118fe1936f311a7790d4daed15d8f36c177e0906a0b8ab0bca5fb
Instruction Fuzzy Hash: CA21B5715083849FDB22CF25DC84B62BFF4EF0A210F0884EAED848B652D335E944CB61

Function 05110EBA Relevance: 1.6, APIs: 1, Instructions: 70
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,C3CE1CF7,00000000,00000000,00000000,00000000), ref: 05110F39

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a61ad016f7986a609c2f8616b72fcf0f002f9ebe550979a2b4acc8df15b82056
Instruction ID: fed3f10e8aba1ecb779a3732393f78acb42e33709ee9ca439a96f2e8b61e9d8f
Opcode Fuzzy Hash: a61ad016f7986a609c2f8616b72fcf0f002f9ebe550979a2b4acc8df15b82056
Instruction Fuzzy Hash: FA219271405780AFDB22CF51DC45FA7BFB8EF4A210F08849AE944DB562C374A509CBB6

Function 00DBAD5A Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,C3CE1CF7,00000000,00000000,00000000,00000000), ref: 00DBADD4

Memory Dump Source

Source File: 00000000.00000002.1731801247.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_wzHH1r6YOi.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ac4d7c42a9824ecda5499bd2793ba97b6d35f83cdec01678292a4df16ece5c81
Instruction ID: c361961bedc3116a735dce2a4c413246647b70140b67fcde6c79d159ab828ce9
Opcode Fuzzy Hash: ac4d7c42a9824ecda5499bd2793ba97b6d35f83cdec01678292a4df16ece5c81
Instruction Fuzzy Hash: 8E21AE75600600AFE720CF19CC85FA6B7ECEF05711F08845AE946CB651E760E808CAB6

Function 00DBBAB4 Relevance: 1.6, APIs: 1, Instructions: 68
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?), ref: 00DBBB2C

Memory Dump Source

Source File: 00000000.00000002.1731801247.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_wzHH1r6YOi.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5d1dfd2cbc0ff4e9d344bff43494ccdcf78d57aca044f14fda8f4bfcecb10d98
Instruction ID: f2c65554bed4ea2582a0d34a33ff3fc0d2c9db1963d9573ea47a48b1aa872b0c
Opcode Fuzzy Hash: 5d1dfd2cbc0ff4e9d344bff43494ccdcf78d57aca044f14fda8f4bfcecb10d98
Instruction Fuzzy Hash: 32215E715093C09FDB128B25DC95B92BFB4DF07224F0D84DAE9858F657D2649908CB72

Function 05110FBE Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,C3CE1CF7,00000000,00000000,00000000,00000000), ref: 05111030

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 2f427978916825f51506a817a42987e4819ab1dd5a82ddffc83b0d4977ed24bf
Instruction ID: 09f374ef08aa17e9fc5030886760b1474feab3350f343df2f42b9b08bd31279e
Opcode Fuzzy Hash: 2f427978916825f51506a817a42987e4819ab1dd5a82ddffc83b0d4977ed24bf
Instruction Fuzzy Hash: EC11B176900640AFE730CE21DC41FA7F7E8EF05610F0484AAEE458B652D774E448CAB9

Function 00DBB42D Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00DBB4A9

Memory Dump Source

Source File: 00000000.00000002.1731801247.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_wzHH1r6YOi.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 4260c20a46dba544012426b72a16b2cacd91ab221c623edfdc895f99b9fb1aca
Instruction ID: 0df3dc3fb11e0519df1dfbb722d7d9e4457ec6eddd05486134a6e22319cdf012
Opcode Fuzzy Hash: 4260c20a46dba544012426b72a16b2cacd91ab221c623edfdc895f99b9fb1aca
Instruction Fuzzy Hash: 332193B55093809FD7228F15DC45B62BFF8EF46724F08808AED85CB253D365A808CB71

Function 05111078 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 051110E3

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: cf1a7f8e2665716177e2e8753333f85c513b6e1341daa3634709c9e383ee5109
Instruction ID: ed12836cad001020511f80c0a6c4b5f6bb570c0353b2d1dff75f94b2a0f667c6
Opcode Fuzzy Hash: cf1a7f8e2665716177e2e8753333f85c513b6e1341daa3634709c9e383ee5109
Instruction Fuzzy Hash: BB2193715483C09FDB118B25DC55B66FFE8EF46220F0884EAED85CB262D2759405CB61

Function 05110AA4 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 05110B0B

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 91cd9ac6135cc1ba49bbc07261730f562d0e26f92641f15ddd17f6bf3f614efa
Instruction ID: 982a146a812079b94aa64e923499d8b725c6f6c0531f8bf810c7abdef5b1db8e
Opcode Fuzzy Hash: 91cd9ac6135cc1ba49bbc07261730f562d0e26f92641f15ddd17f6bf3f614efa
Instruction Fuzzy Hash: 5B117F756093809FDB11CF25DC89B56BFE8EF4A220F0984EAED49CB252D374E944CB61

Function 00DBBC4B Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 00DBBCBF

Memory Dump Source

Source File: 00000000.00000002.1731801247.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_wzHH1r6YOi.jbxd

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: f35330266007cac3d04be96e93e228117df5cd63457639b428c3faceda209e83
Instruction ID: 361ef94a601f3c10e2b236a2529858b0d5901f114bb5fbc734cfd188db446169
Opcode Fuzzy Hash: f35330266007cac3d04be96e93e228117df5cd63457639b428c3faceda209e83
Instruction Fuzzy Hash: E6218EB15093849FEB12CF25DC85B52BFE4EF46320F0984DAE8858F263D274A909CB71

Function 05111325 Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05111399

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6b155650f70616c4ff070955792cf3d248d9c1b367a998d0dbf4f6e08c550f75
Instruction ID: 627145e0c7dc7d23bbc31a751c11b41ca3178905e9bee947b7ea664285404bda
Opcode Fuzzy Hash: 6b155650f70616c4ff070955792cf3d248d9c1b367a998d0dbf4f6e08c550f75
Instruction Fuzzy Hash: E2215E715093C09FDB128F25DC45A52FFB4EF07220F0985DAE9848B563D265A858DB62

Function 05110007 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 05110082

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: 90db93c1ac8f2df169fbd59f23445a3c68675ce2af94265dc8da259077857237
Instruction ID: ad226827da7ea791d9b537344541cd531f0c09da930dd1b75c1ce802da15c0cd
Opcode Fuzzy Hash: 90db93c1ac8f2df169fbd59f23445a3c68675ce2af94265dc8da259077857237
Instruction Fuzzy Hash: 1111C4715043406FD3118B15DC42F72FFF8EF8AA20F0581AAFC4897642D274B915CBA5

Function 00DBA5FB Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DBA666

Memory Dump Source

Source File: 00000000.00000002.1731801247.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_wzHH1r6YOi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fd25dee5fe061794f6a9e4c26194bd51bb0418335a2384a88c4a6f08e930555d
Instruction ID: b2551b9c9479b5f6b78bea1029a9d8a3cb8d7e4b9656140f14a49425fa77a4d3
Opcode Fuzzy Hash: fd25dee5fe061794f6a9e4c26194bd51bb0418335a2384a88c4a6f08e930555d
Instruction Fuzzy Hash: 5B11B171409780AFDB228F55DC44A62FFF4EF4A310F0888DAED858B562D275A818DB72

Function 05110EDA Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,C3CE1CF7,00000000,00000000,00000000,00000000), ref: 05110F39

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 593edab6c540412edc8dc1fa28ddf2a735e1d773c5975e07b234d66c6cff0aa2
Instruction ID: b63780ecb0ca88f378f54344bb2db6c785f106204c3d0ebe61e6ef183a495732
Opcode Fuzzy Hash: 593edab6c540412edc8dc1fa28ddf2a735e1d773c5975e07b234d66c6cff0aa2
Instruction Fuzzy Hash: A511E771500600AFEB21CF51DC49FA6FBE8EF09724F0484AAED45CB651C375A549CBB9

Function 051111E4 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 05111240

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 684de70a19540e8361ac068318d014d2567c0f180e92fbd1228697208fece089
Instruction ID: e1e06573c2abb7107af06fed8e8076795725140886aabe6066e3adcec652796b
Opcode Fuzzy Hash: 684de70a19540e8361ac068318d014d2567c0f180e92fbd1228697208fece089
Instruction Fuzzy Hash: F41190715093809FDB12CF25DC95B52FFE8AF46220F0884EAED45CF652D264A908CB62

Function 00DBBD10 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 00DBBD75

Memory Dump Source

Source File: 00000000.00000002.1731801247.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_wzHH1r6YOi.jbxd

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 522f210234e510918cae3f523c8874018daf951970d02f8957144d918531b682
Instruction ID: ade1afaf5c77b3511a09f85beba240b5a9cff222d3117e35e96fc1fb8a0cd377
Opcode Fuzzy Hash: 522f210234e510918cae3f523c8874018daf951970d02f8957144d918531b682
Instruction Fuzzy Hash: 2111B271504380AFDB218F15DC45B66FFF8EF46720F08809EED868B662D265E818CB71

Function 051116B7 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05111721

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 16b249e97855dbce478c991dda1615c0b543a7cc74aa0e757040ef1c92dcb411
Instruction ID: 26c46a3960955d902415cfb31e7bc6b38e3ca659ac9f8b2259dcd93710f55bac
Opcode Fuzzy Hash: 16b249e97855dbce478c991dda1615c0b543a7cc74aa0e757040ef1c92dcb411
Instruction Fuzzy Hash: 0F11B275549380AFDB228F15DC45B62FFB4EF06324F0884EEED858B663C275A418CB61

Function 05110AC6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 05110B0B

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 484cab530a32eed4b7cac4d297885f6a780eed77581e2a4adcf1d419407b6ce6
Instruction ID: 428521b4a26fa769cd7ae6ef631edeae51622f95ffb4bdca024340cb5c63c293
Opcode Fuzzy Hash: 484cab530a32eed4b7cac4d297885f6a780eed77581e2a4adcf1d419407b6ce6
Instruction Fuzzy Hash: 47116175A042408FDB10CF19D989B66FBE8EF09324F08C4BADD49CB646D774E944CB69

Function 05110D4A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,C3CE1CF7,00000000,00000000,00000000,00000000), ref: 05110D9D

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 1bd9e4eee033eabdeb2a3ddbc37fb387883e75f72af448f196d450b13d9e9425
Instruction ID: dafd1b5654050706271b96f8b06a5c608955227095b5bc0aae443433fc0df4c7
Opcode Fuzzy Hash: 1bd9e4eee033eabdeb2a3ddbc37fb387883e75f72af448f196d450b13d9e9425
Instruction Fuzzy Hash: A401C479900604AFEB20CB55DC89BA6F7E8EF49724F04C0A6ED048B751D774A8488AB9

Function 05110462 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?), ref: 051104B3

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: bf073e08975e54f52f69351fdafbebb0ea982acb007b76c2443ecc672db191ee
Instruction ID: e02c67bb919e0a65163db441fdd9576377acf9f39de44a01fa319d4507ac15cf
Opcode Fuzzy Hash: bf073e08975e54f52f69351fdafbebb0ea982acb007b76c2443ecc672db191ee
Instruction Fuzzy Hash: D01170759043449FDB20CF55D988B66FBE8FF08220F0884AADD49CBA52D375E944CBA5

Function 051110A6 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 051110E3

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e050635da239f62eeb6e7ecd7fb9e01f4ac8a48a186c5b03e3d06f7a711abad0
Instruction ID: 8e8d9c01fdc0818ed6f8e34cb14ef7eb3a47243d0353043662dd937f95b77f7e
Opcode Fuzzy Hash: e050635da239f62eeb6e7ecd7fb9e01f4ac8a48a186c5b03e3d06f7a711abad0
Instruction Fuzzy Hash: BB019275A042409FEB10CF25D98576AFBD4EF05220F08C4AADD49CB746D374D404CBA5

Function 00DBA42A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00DBA480

Memory Dump Source

Source File: 00000000.00000002.1731801247.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_wzHH1r6YOi.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3ee409deab107276ba58cfb42a250901b88db65caeea64ec2505b4a17d28711c
Instruction ID: c4a0134c6b0e5a60dd71222ab31c8229c19fcd91b4830cdedf84cb8fe173b02c
Opcode Fuzzy Hash: 3ee409deab107276ba58cfb42a250901b88db65caeea64ec2505b4a17d28711c
Instruction Fuzzy Hash: A2018875408384AFD7118F15DD44B62FFB4DF46720F0880DAED858B252D275A808CB72

Function 05111206 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 05111240

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 7a23afbcac05405e1d42d2f1189f0956332273915d1cf9f959bae8bc0fb1262f
Instruction ID: 9c78efa58f3ddf096c68d51740aca8d8b740099956ff5f68d930a8a8167d204f
Opcode Fuzzy Hash: 7a23afbcac05405e1d42d2f1189f0956332273915d1cf9f959bae8bc0fb1262f
Instruction Fuzzy Hash: 1701D2316002409FDB10CF19D885BA6FBD8EF05220F08C0BADD09CF642D374E404CB65

Function 00DBB45E Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00DBB4A9

Memory Dump Source

Source File: 00000000.00000002.1731801247.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_wzHH1r6YOi.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 6abbfa5837134cfb181c916cac31deed0d1924590f8a248cddb24885e2a2fe90
Instruction ID: 25aec64eb2fd8a36dd5d09d937ac7dc47c9101cbdb11570b7c79a9f5c03df857
Opcode Fuzzy Hash: 6abbfa5837134cfb181c916cac31deed0d1924590f8a248cddb24885e2a2fe90
Instruction Fuzzy Hash: 4F018075500200CFDB20CF19D985BA2FBE4FF14724F08809ADD4A8B752D7B4E808CA71

Function 00DBBD32 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 00DBBD75

Memory Dump Source

Source File: 00000000.00000002.1731801247.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_wzHH1r6YOi.jbxd

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 122f30e9ed0b291bb5ffd1bffc93af1d0429e1ef0374be9e860bcdbf900d7615
Instruction ID: bc7538d6a3a5f6ace3211686030f295fe71292124660d512554dad0ad9a2f034
Opcode Fuzzy Hash: 122f30e9ed0b291bb5ffd1bffc93af1d0429e1ef0374be9e860bcdbf900d7615
Instruction Fuzzy Hash: 3F018075500600CFDB608F15D885B96FBE4EF05720F08805ADD4B8B752D3B5E858CE71

Function 00DBA622 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DBA666

Memory Dump Source

Source File: 00000000.00000002.1731801247.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_wzHH1r6YOi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 843eb82dcb811e0d8cf968148942d5d2f3d78e6983a0e4d8e660a7d2f92e969c
Instruction ID: 6252df859b01c35c74e43fed0a6dacdcc03dccd9bfe5819a9dafd79ac405dd7a
Opcode Fuzzy Hash: 843eb82dcb811e0d8cf968148942d5d2f3d78e6983a0e4d8e660a7d2f92e969c
Instruction Fuzzy Hash: E3016171900600DFDB218F55D944B56FBE4EF09310F08C85ADD8A8A655D375E418DF62

Function 00DBBC82 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 00DBBCBF

Memory Dump Source

Source File: 00000000.00000002.1731801247.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_wzHH1r6YOi.jbxd

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 26897bf44d51e515a786faaa0fa82d88b0ef7d3fb6d7c0345efb483ee2aad801
Instruction ID: b9ce605e4d9073c5faaf1b7bdd2350dee31a70aee2141d3845e9bf699c079fef
Opcode Fuzzy Hash: 26897bf44d51e515a786faaa0fa82d88b0ef7d3fb6d7c0345efb483ee2aad801
Instruction Fuzzy Hash: 2C018C71900200CFEB10CF26D8857A6FBE4EB04320F0884AADC49CB246D7B5E404CAB1

Function 05110032 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 05110082

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: 6064ebb674a96b51ec14d0f0e7bdf0554d5ca2448b014a241599bb99bf9fbd55
Instruction ID: 5680350b18558feed8d15e71e9a769c1110bc64078670035b459b46c86815d5d
Opcode Fuzzy Hash: 6064ebb674a96b51ec14d0f0e7bdf0554d5ca2448b014a241599bb99bf9fbd55
Instruction Fuzzy Hash: 7901A271500600ABD250DF1ACC86B66FBE8FB89A20F14811AED089BB41D771F916CBE9

Function 00DBBAF2 Relevance: 1.5, APIs: 1, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 00DBBB2C

Memory Dump Source

Source File: 00000000.00000002.1731801247.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_wzHH1r6YOi.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 53de6dd05dbbcc7b07ff32a1b930deaf1f65a08bd2f7068cf6b66ea1a5191577
Instruction ID: e17087d055ca82309a1a2f296b0f2c4083dcb885d327bd9a5b6cd4969fe1c7fc
Opcode Fuzzy Hash: 53de6dd05dbbcc7b07ff32a1b930deaf1f65a08bd2f7068cf6b66ea1a5191577
Instruction Fuzzy Hash: B6015E719002408FDB10CF19D8857A6FBD4EB05721F0884AADD4ACB65AD3B4E904CAB5

Function 00DBA2F6 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 00DBA346

Memory Dump Source

Source File: 00000000.00000002.1731801247.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_wzHH1r6YOi.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0e860da23f9aba6b1dd49d308b38d9d3f179249bb697372830c38dc907f398e6
Instruction ID: 1f5449d8e77a374845b6d32c08333b2e67513f750e962680bcb7395c9f2ba0a7
Opcode Fuzzy Hash: 0e860da23f9aba6b1dd49d308b38d9d3f179249bb697372830c38dc907f398e6
Instruction Fuzzy Hash: 7201D671500600AFD350DF1ACC86B66FBE8FB89A20F148159EC089BB41D771F916CBE5

Function 051116E6 Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05111721

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f856e2e4590b49fb0f1c336b8d09106ae405ea0edb45d68372e15f467ecc9360
Instruction ID: 517efc5896de1ec541e2f4ef0788659d05d8ee4204486db3307e8a841d6c1f70
Opcode Fuzzy Hash: f856e2e4590b49fb0f1c336b8d09106ae405ea0edb45d68372e15f467ecc9360
Instruction Fuzzy Hash: EA01BC365002009FDB209F15D885B66FBE1EF09220F08C0AAEE498B762C371E458CBA6

Function 0511135E Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05111399

Memory Dump Source

Source File: 00000000.00000002.1733927021.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5110000_wzHH1r6YOi.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 753dd58e674cb91e09bc6ef444f3b7340135cf3bcebc4c3cf2e9cf81b820b53f
Instruction ID: e3546431603584e90d124eba5b05ceeb01e66ec948edc0d4254d20c08b881cb8
Opcode Fuzzy Hash: 753dd58e674cb91e09bc6ef444f3b7340135cf3bcebc4c3cf2e9cf81b820b53f
Instruction Fuzzy Hash: 9C017C359003049FDB208F05D885B66FBE1EF09321F08C0AADE494AA56D375A458CAA6

Function 00DBA44E Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00DBA480

Memory Dump Source

Source File: 00000000.00000002.1731801247.0000000000DBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dba000_wzHH1r6YOi.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7240ea06a27e4c60ec98ff2c470d3ae215f33736ea4c9489683e836646b0448c
Instruction ID: ff6ea4391a447df04fd573f447faab4d458e2ce4fec814b4aa0f4295ca2ac147
Opcode Fuzzy Hash: 7240ea06a27e4c60ec98ff2c470d3ae215f33736ea4c9489683e836646b0448c
Instruction Fuzzy Hash: E8F0A475904240CFDB108F09D9897A1FBE4DF05321F08C09ADD494B756D2B5E448CEB2

Function 04F9C7F0 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733783094.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b81c1378b0e6a6e5f973a5f37d78983e430329bb9965c6e939a1766044edffca
Instruction ID: 297f6ec97b547ce51ffab5d6b81cce308c603f71e8b059f4801f0c0a533aa6ad
Opcode Fuzzy Hash: b81c1378b0e6a6e5f973a5f37d78983e430329bb9965c6e939a1766044edffca
Instruction Fuzzy Hash: 9491E431B142558FDB15EB74C8916BE77F2AF85308F10443AD506AB384EF38AE06CBA1

Function 04F9C630 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733783094.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfb89b99a70fc380e7be5fe2cc48a54461b9ac25889d88558e19c2c2f0bad8b9
Instruction ID: 708b9a6ed39b191384ebdc29b74da5b1056e7f020f20a73222737299758edb34
Opcode Fuzzy Hash: cfb89b99a70fc380e7be5fe2cc48a54461b9ac25889d88558e19c2c2f0bad8b9
Instruction Fuzzy Hash: C741E532B001545BEF11DBA9C881BBEBBE6EBC6714F148525D5088F7C2D634AC4287A1

Function 04F9C7E1 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733783094.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3dfe126b5346d3ddab2b373f2e1d56d1e1fb1321d0743fff0ef6ea068e06e12
Instruction ID: 4dbde8edb67115d8947186b8b0e54b182689579b24350e6125407b6ea2fbb087
Opcode Fuzzy Hash: f3dfe126b5346d3ddab2b373f2e1d56d1e1fb1321d0743fff0ef6ea068e06e12
Instruction Fuzzy Hash: E5319071F042928FEB11DB68D9959BEBBF1BB84345B10412AD80197395EB34AD42CBA1

Function 0141076C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733407290.0000000001410000.00000040.00000020.00020000.00000000.sdmp, Offset: 01410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1410000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4cdbfbcf8abfb14ba81eca4f572c2a42d9e614f3c7a2c81891fd75d87189bf3
Instruction ID: 715480afb361c2a3925c5d807077cf4b8a66d0317c57e30d4d17cbf3a98376d2
Opcode Fuzzy Hash: e4cdbfbcf8abfb14ba81eca4f572c2a42d9e614f3c7a2c81891fd75d87189bf3
Instruction Fuzzy Hash: 1A11E430244284DFD711CB14C984B26FBE1EB89708F24C99EF9590BB66C777D843CA81

Function 04F9001C Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733783094.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd32e9a33197dd65f1310ecff2c800f5db62e308ec53a652f2f1e7f20798261
Instruction ID: ef689976eb46eba8efbcc3db738051f7742408b06ab70e19be70b12df807b909
Opcode Fuzzy Hash: 8cd32e9a33197dd65f1310ecff2c800f5db62e308ec53a652f2f1e7f20798261
Instruction Fuzzy Hash: 0F01AF9691E7D04FD707237018B60A93F75DD6305530A45EBC8C6CA1A3EA0D1A0B977A

Function 04F99819 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733783094.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753413b0212da391ef66404db978d47baaa9f47a7ee1f9a3573f389dfdcdfb76
Instruction ID: 79ca72481ba6443854b0b7cb0dc859d986c4e0ebb23ba0804d6c7334f2034fac
Opcode Fuzzy Hash: 753413b0212da391ef66404db978d47baaa9f47a7ee1f9a3573f389dfdcdfb76
Instruction Fuzzy Hash: 0FF0F472B043105BEB222734AC12F1E3395DBCAB50F26402EE605EF791DEB1AC0383A5

Function 014105E0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733407290.0000000001410000.00000040.00000020.00020000.00000000.sdmp, Offset: 01410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1410000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683b6f9409796280aad7587b67c1fabb70d24aaa5dcac1f39c2b4a9773dcd0ac
Instruction ID: 22401f750c04a4ba655424d5cfc4c39cf6010149e9e3d46fe2a09b46922ff797
Opcode Fuzzy Hash: 683b6f9409796280aad7587b67c1fabb70d24aaa5dcac1f39c2b4a9773dcd0ac
Instruction Fuzzy Hash: 6A01D6B54097806FC311CB15EC41893BFE8DF86630B0984ABE848CB612D139A949CB65

Function 04F99828 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733783094.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3abf92c11d2d680386380647f01659a52f9d90c10c3f032bd64833dc5aed6e4
Instruction ID: 2f5b538bf146c6b4040974553349a736643c36b439986ce2b080af1f503253dd
Opcode Fuzzy Hash: f3abf92c11d2d680386380647f01659a52f9d90c10c3f032bd64833dc5aed6e4
Instruction Fuzzy Hash: BEF0C232B402205BDA206739A811F2E71D687C9B64F25413EE605EF384EEB2AC0247E9

Function 01410828 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733407290.0000000001410000.00000040.00000020.00020000.00000000.sdmp, Offset: 01410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1410000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e1c6324d431d8898d05c4f184fa73b81ea7543c773894a6020088d6b5dab9c
Instruction ID: ec014ac60df6c6f023b4be2d6b009208fb9d9c09e6af4a8f8027451dbf6e76e7
Opcode Fuzzy Hash: 26e1c6324d431d8898d05c4f184fa73b81ea7543c773894a6020088d6b5dab9c
Instruction Fuzzy Hash: A0F0FB35148644DFC216CB44D980B16FBA2EB89718F24CAADE95907766C737D813DA81

Function 04F9C77F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733783094.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a53c11925c7eb2e563fdb9bfcee644b781efcbf7778262707abc1b8c30f65d
Instruction ID: 53653563da2dd5358ab91413726e8af70c44cbd5168cc56ef85adc0095b55f93
Opcode Fuzzy Hash: 05a53c11925c7eb2e563fdb9bfcee644b781efcbf7778262707abc1b8c30f65d
Instruction Fuzzy Hash: C5E0ABA260C2854ECB01F2B059914DD7B805FC2215F00056FD1848AEA6D7400409C357

Function 01410606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733407290.0000000001410000.00000040.00000020.00020000.00000000.sdmp, Offset: 01410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1410000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac37d1d070648b76628370ae72aef3b3df98872d471a0bac073e2045dec15ef
Instruction ID: 1377004d9cce0eea57b3c67ddd1ba4242e409327bac669934d8b2b800c3215a9
Opcode Fuzzy Hash: 8ac37d1d070648b76628370ae72aef3b3df98872d471a0bac073e2045dec15ef
Instruction Fuzzy Hash: 17E092B66006005B9750CF0AED82462F7D8EB88630B08C07FDC0DCB701D635B548CAA5

Function 04F900A0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733783094.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b61c64184d47d66e96b92762ce382eb837558c6dd34aa8e05b6d04cd05a09b8
Instruction ID: a716dc8aad8caf4624306f4c5571a6d4abdea5954e29e34ee4d2d3c75ee63ed7
Opcode Fuzzy Hash: 7b61c64184d47d66e96b92762ce382eb837558c6dd34aa8e05b6d04cd05a09b8
Instruction Fuzzy Hash: 2ED0A7D274452597850A22D8681196E324DCBCBA64701106AFA098B252CE480D1153FE

Function 04F90070 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733783094.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424ad53be2e1aed610599732051a4d8c314f1448e82c568fe4dd25f4f196c4c4
Instruction ID: 7f2beaaf9a660b82901e203d773f83c4b66de81a972224b8f6220cebbc00ca99
Opcode Fuzzy Hash: 424ad53be2e1aed610599732051a4d8c314f1448e82c568fe4dd25f4f196c4c4
Instruction Fuzzy Hash: 3AC08C12358525430A0932B510269AEB24D8E824EC306003ED61EEB393CF0B8D0202FE

Function 00DB23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731771661.0000000000DB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db2000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3c2a76a3356332c0857d894ebcc27fa959f2fc615b6169a205a967f0a6eb5d
Instruction ID: 5deba059bbd4bfa350c0ccf29980534a32b2dee2d3b561ff3d4899e351802030
Opcode Fuzzy Hash: 1a3c2a76a3356332c0857d894ebcc27fa959f2fc615b6169a205a967f0a6eb5d
Instruction Fuzzy Hash: C1D02E3A2006C08FD312CA0CC1A5BE53BD4AF61704F0A00FDE8008BB63C728D880C210

Function 04F9C7C0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733783094.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089d2965cafe274824b94dca256a640d37af55f527dc539a553c68ee0d7f9370
Instruction ID: c8c32ee25cf91ac481bf74cbaa59655469b9ae16f69b54496ce01fbbf0805a85
Opcode Fuzzy Hash: 089d2965cafe274824b94dca256a640d37af55f527dc539a553c68ee0d7f9370
Instruction Fuzzy Hash: 42C08CE240A2558FEB0242345CDE6D53BA0DB832023CA21AAA489C769AD6080C1F232B

Function 00DB23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731771661.0000000000DB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db2000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 577881dc877cb1e1743a7ae53583e267b2d5c643d599a83ffbaa4cb7af4178d2
Instruction ID: 71a773cd637a7523b074eb791f66649fe4aeac50947d5fd268c0e680cd35136c
Opcode Fuzzy Hash: 577881dc877cb1e1743a7ae53583e267b2d5c643d599a83ffbaa4cb7af4178d2
Instruction Fuzzy Hash: C2D05E352002818BC715DA0DC2D4FA977D4AB44714F0A44FCAC118BB62C7A8D8C0CA14

Function 04F900B0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733783094.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_wzHH1r6YOi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f1afb061ade79b0d9b1412165fa4f9d96e4f02df4cefb000dbeed8833f914ab
Instruction ID: 6faaba680082c4b3e86b143eb0474af2a18218caa0c98c24f88c3c6db047f670
Opcode Fuzzy Hash: 0f1afb061ade79b0d9b1412165fa4f9d96e4f02df4cefb000dbeed8833f914ab
Instruction Fuzzy Hash: A5C09B5271453593081D31DD34129AE734DC98AD65741145EF70D57352CE455D0113FE

Analysis Process: chargeable.exePID: 4480, Parent PID: 6516COMMON

Execution Graph

Execution Coverage:	19.3%
Dynamic/Decrypted Code Coverage:	91.4%
Signature Coverage:	10.9%
Total number of Nodes:	128
Total number of Limit Nodes:	11

Executed Functions

Function 06330DFA Relevance: 1.6, APIs: 1, Instructions: 69
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL(?,?), ref: 06330E73

Memory Dump Source

Source File: 00000002.00000002.1767877962.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_chargeable.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ae5985625015fb43511142af9ba3bf92bed83458f3cd3872c5c4d6f702270561
Instruction ID: 19d65bd8074faa8f9f82d7f4f7eface0221b4a2c2849579c84f475b8709e8db3
Opcode Fuzzy Hash: ae5985625015fb43511142af9ba3bf92bed83458f3cd3872c5c4d6f702270561
Instruction Fuzzy Hash: AF2190B55093C49FDB12CF21D854BA1BFE0AF06224F1D84DEE9C84F253D266954ACB62

Function 06330EB9 Relevance: 1.6, APIs: 1, Instructions: 62nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 06330F24

Memory Dump Source

Source File: 00000002.00000002.1767877962.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_chargeable.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: fd9b93010647f2cc8a8ce3fe346f1f9fc5fa5905e09c019b850ef645b56221d8
Instruction ID: 4db676e88d27d97359487911c0e1a76d641aaf90c3345fbe61e6462b9c5af2ca
Opcode Fuzzy Hash: fd9b93010647f2cc8a8ce3fe346f1f9fc5fa5905e09c019b850ef645b56221d8
Instruction Fuzzy Hash: AA116071409380AFDB228F55DC44A62FFF4EF46310F0884DAED898F553D275A519DB61

Function 06330EE6 Relevance: 1.5, APIs: 1, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 06330F24

Memory Dump Source

Source File: 00000002.00000002.1767877962.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_chargeable.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 3d5f0a8f3e9ad46ad837e7dfb823166c3ef46f404c4a430014a26a968216830d
Instruction ID: c70790e488d0b82d99dd1f0d236b20a56e5bd0b6a0e56b88f147f4f7a2315fb1
Opcode Fuzzy Hash: 3d5f0a8f3e9ad46ad837e7dfb823166c3ef46f404c4a430014a26a968216830d
Instruction Fuzzy Hash: B701B131904200DFEB60CF55D884B66FBE4EF08320F08C8AAED498B616D375E458CFA6

Function 06330E3E Relevance: 1.5, APIs: 1, Instructions: 40nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 06330E73

Memory Dump Source

Source File: 00000002.00000002.1767877962.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_chargeable.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b75228004b178da5568e5377b0ae4878e8da394ced21ff675c6c3f1a4c60a1bd
Instruction ID: b4b3628ec0c0e6174702bccf3d8a79a5f19a47c92e4cf881ff2257e50d8de262
Opcode Fuzzy Hash: b75228004b178da5568e5377b0ae4878e8da394ced21ff675c6c3f1a4c60a1bd
Instruction Fuzzy Hash: CD01DF71A043408FEB50CF15D884765FBE4EF08320F08D8AADD488F706D379A408CAA1

Function 049500D0 Relevance: 9.1, Instructions: 9148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1767421579.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4950000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eff1263c3f897c3f359031eb159d37a69f3b09a2b1382dd7320a30cc9e3dd09
Instruction ID: aa7144622a4fb7df6cca5c80d98e8e8e1708f374bb4936dfb2c4890feb49187f
Opcode Fuzzy Hash: 0eff1263c3f897c3f359031eb159d37a69f3b09a2b1382dd7320a30cc9e3dd09
Instruction Fuzzy Hash: BC146834600704CFDB65DB30C894A9AB3B6FF8A304F5189A8D54A9B7A0CF39AE45CF55

Function 049500E0 Relevance: 9.1, Instructions: 9140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1767421579.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4950000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec527370159aa493d92cfad9ecf237cf8cd20808a392f447e4098a1d070edee
Instruction ID: 7d4767ac3cc05173fb33f180c87eb0baae4e792b44f0ee64d19e34a9658195a7
Opcode Fuzzy Hash: aec527370159aa493d92cfad9ecf237cf8cd20808a392f447e4098a1d070edee
Instruction Fuzzy Hash: AD146834600704CFDB65DB30C894A9AB3B6FF8A304F5189A8D54A9B7A0CF39AE45CF55

Function 049598A0 Relevance: 2.7, Instructions: 2694
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1767421579.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4950000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edebb9d84297c3ff4906690ab666291c9d347602359b994c12ff615d243c5325
Instruction ID: 7b519706b84acdf692210ebbe3fd20df4791208114a9227b3850f74b44c2d43b
Opcode Fuzzy Hash: edebb9d84297c3ff4906690ab666291c9d347602359b994c12ff615d243c5325
Instruction Fuzzy Hash: 37339534731D208B8A16BB79D59381F6B72EBD8654364C38DDA0207389EF3C5B468BD9

Function 06330CA1 Relevance: 1.6, APIs: 1, Instructions: 121
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000E24), ref: 06330DA4

Memory Dump Source

Source File: 00000002.00000002.1767877962.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_chargeable.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 61354dd87ddcf9f749deb970370aaec46ed490f43368664d8c028208218e5e86
Instruction ID: 1e9542c4f9cb50b6981bed853dfdb10a23e03dc2cbe92409f17cd4cfac200c01
Opcode Fuzzy Hash: 61354dd87ddcf9f749deb970370aaec46ed490f43368664d8c028208218e5e86
Instruction Fuzzy Hash: 14418071104340AFEB22CB65CC45FE6BBECEF06710F04499AF9898B5A2D365F909CB60

Function 06330CDA Relevance: 1.6, APIs: 1, Instructions: 97
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000E24), ref: 06330DA4

Memory Dump Source

Source File: 00000002.00000002.1767877962.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_chargeable.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 05c793ac1025ca94a98dbf7480e6f88db077eca97a4030383cd86e28ab9d329a
Instruction ID: b3455fdb136ce6141893140e45d99a3ef69905436e165fc19582cbe47bd0c49d
Opcode Fuzzy Hash: 05c793ac1025ca94a98dbf7480e6f88db077eca97a4030383cd86e28ab9d329a
Instruction Fuzzy Hash: EA318E71600200AFEB21CB65DC85FA6FBECEF08710F04855AFA498A691D771F948CB64

Function 009AAC22 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 009AACD1

Memory Dump Source

Source File: 00000002.00000002.1766835656.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9aa000_chargeable.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d2fe020ab734d51c69dd3219ed0ae2a21b0d8c1e4559bf4ffe98a84749b6fabe
Instruction ID: 359df51c1868e8b946b01d6f5d07ed08e465e504f98bd0713ec7ac3b46c904ba
Opcode Fuzzy Hash: d2fe020ab734d51c69dd3219ed0ae2a21b0d8c1e4559bf4ffe98a84749b6fabe
Instruction Fuzzy Hash: 2131B6B14083846FE722CB51DC45FA7BFBCEF06310F08849AE9858B652D364A90DCB75

Function 009AAD19 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,3EB9B99B,00000000,00000000,00000000,00000000), ref: 009AADD4

Memory Dump Source

Source File: 00000002.00000002.1766835656.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9aa000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e3ed37d02b4b9b588f5e59fd4c3eade0e595cd5f09391898709267c6c8885109
Instruction ID: ec88ac2bd370a43a9d5584f6073ba387a79eb3a2d08bc74764c66d54f1d8ef17
Opcode Fuzzy Hash: e3ed37d02b4b9b588f5e59fd4c3eade0e595cd5f09391898709267c6c8885109
Instruction Fuzzy Hash: E731B3755087805FD722CB61CC44FA2BFFCEF06310F08849AE985CB6A2D364E909CBA5

Function 009AA2AC Relevance: 1.6, APIs: 1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 009AA346

Memory Dump Source

Source File: 00000002.00000002.1766835656.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9aa000_chargeable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e801bb17519d7fa7d0e7d549424a1128cd715d6f5a34c0df02782ae5bb24b41a
Instruction ID: a23798cc541eabdac1cb2537fcaf5baeef0c018f4897060fa3ce38c81e76d40b
Opcode Fuzzy Hash: e801bb17519d7fa7d0e7d549424a1128cd715d6f5a34c0df02782ae5bb24b41a
Instruction Fuzzy Hash: 1E21627140D7C06FD3138B259C51B62BFB8EF47610F0A41DBE884DB653D229A91AC7A6

Function 009AAC52 Relevance: 1.6, APIs: 1, Instructions: 74
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 009AACD1

Memory Dump Source

Source File: 00000002.00000002.1766835656.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9aa000_chargeable.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a5fd2de94c9a0e3008256dcd58598335a63bfaede2917d5a37c9c222119ae31a
Instruction ID: 18982d5d9a799380db9493c5177f34a770145c4114178e6f25a79040cd4e32ed
Opcode Fuzzy Hash: a5fd2de94c9a0e3008256dcd58598335a63bfaede2917d5a37c9c222119ae31a
Instruction Fuzzy Hash: 6321D1B2500604AFE720DF51DC84FABFBECEF05324F04845AE9458B652D324E90CCABA

Function 06330431 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?), ref: 063304B3

Memory Dump Source

Source File: 00000002.00000002.1767877962.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_chargeable.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: dbd6a8b72fca550dd82f1c536a38ee6f605ccaf25fec12853f9f53408f03a4eb
Instruction ID: e6224d682dedc274a5d6b5d370ed43d2c616fed03af2bde1c5fdf81bd9202c21
Opcode Fuzzy Hash: dbd6a8b72fca550dd82f1c536a38ee6f605ccaf25fec12853f9f53408f03a4eb
Instruction Fuzzy Hash: E321A1715093849FDB22CF25DC44B62BFF8EF16210F09889AE9858F663D375E908CB61

Function 009AAD5A Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,3EB9B99B,00000000,00000000,00000000,00000000), ref: 009AADD4

Memory Dump Source

Source File: 00000002.00000002.1766835656.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9aa000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 54195ddd38255dd0aedd78c18103b5de9a58318a684e5fb16ce4235db03d6966
Instruction ID: 86d802383e2b664519d9365ac1da9d1b28cefbf0ca068b63b37a2bac09773b21
Opcode Fuzzy Hash: 54195ddd38255dd0aedd78c18103b5de9a58318a684e5fb16ce4235db03d6966
Instruction Fuzzy Hash: 7321C075600600AFE721CF15CC84FA7F7ECEF05711F08845AE945CBA91D364E908CABA

Function 009ABAB4 Relevance: 1.6, APIs: 1, Instructions: 68
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?), ref: 009ABB2C

Memory Dump Source

Source File: 00000002.00000002.1766835656.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9aa000_chargeable.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e4a272918ae942a61ce82355d16f2fb52cb0d5cebc3e3199e3526fd0cbc29b4e
Instruction ID: 55541a9f85508b563760881caf5cd5e1b06d080601fb84ba6a5c01f54dd40fe2
Opcode Fuzzy Hash: e4a272918ae942a61ce82355d16f2fb52cb0d5cebc3e3199e3526fd0cbc29b4e
Instruction Fuzzy Hash: CF216F715093C05FDB128B25DC94792BFB8EF07314F0D84DAE9848F257D2659908CBB2

Function 009AB42D Relevance: 1.6, APIs: 1, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 009AB4A9

Memory Dump Source

Source File: 00000002.00000002.1766835656.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9aa000_chargeable.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: b5b42ff157fe412ee919064eab9f345fc5935701464d0d64c867dcd3040645dd
Instruction ID: 59e0043354d4a57c1e5317e73a31912ae380663aef7193ce63df95f5f9bd3acd
Opcode Fuzzy Hash: b5b42ff157fe412ee919064eab9f345fc5935701464d0d64c867dcd3040645dd
Instruction Fuzzy Hash: B92190B55093805FDB228F15DC85B62BFF8EF46714F08849AE9848B2A3D365A808CB71

Function 06330006 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 06330082

Memory Dump Source

Source File: 00000002.00000002.1767877962.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_chargeable.jbxd

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: 888cbe90577432fc3e5ec068a94a3172cf192f2e429393dfec946526c6c6aadc
Instruction ID: 3b0a4861cb8cc61e5412bcd494bc3927559507968d10050e18fb80eb721b37a2
Opcode Fuzzy Hash: 888cbe90577432fc3e5ec068a94a3172cf192f2e429393dfec946526c6c6aadc
Instruction Fuzzy Hash: 08119071544340AFD3118B16CC41F62FFF8EF86A20F0581AAEC489B652D274BD16CBA6

Function 009ABC4B Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 009ABCBF

Memory Dump Source

Source File: 00000002.00000002.1766835656.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9aa000_chargeable.jbxd

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 0dd01454aa5c84ed87a0621fc5f973200c64dacc479f08a9787c5dca2d574d14
Instruction ID: d18d846e7b07559f2ba1e5daec1d8f936b5d935048e811755cefd6ec5e4d770d
Opcode Fuzzy Hash: 0dd01454aa5c84ed87a0621fc5f973200c64dacc479f08a9787c5dca2d574d14
Instruction Fuzzy Hash: F121A5B15093849FD712CF25DC85B52BFF8EF46324F0984DAE9848F263D2749909CB61

Function 06331009 Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0633107D

Memory Dump Source

Source File: 00000002.00000002.1767877962.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_chargeable.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 33eb4f7d6b2ff1a111378e42df86c1919169282eaa4fbc3c8eb908d619e50e8b
Instruction ID: 9ee818021cee71ee33c64e2cf16df75ffd3455fb887e365fa620acd3981b56fc
Opcode Fuzzy Hash: 33eb4f7d6b2ff1a111378e42df86c1919169282eaa4fbc3c8eb908d619e50e8b
Instruction Fuzzy Hash: 2A216A715093C09FDB238F25DC44A92FFB4EF07220F0984DAE9858F663D265A81DDB62

Function 009AA5FB Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009AA666

Memory Dump Source

Source File: 00000002.00000002.1766835656.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9aa000_chargeable.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b1d915492e57aacbe8c0358191dc1857ee4148a7329fa74e3d12b45c45299b80
Instruction ID: 04eb75d64cbe413a5aa87d00063434f2edf9cbfc21ffc1856422f3947a40af4a
Opcode Fuzzy Hash: b1d915492e57aacbe8c0358191dc1857ee4148a7329fa74e3d12b45c45299b80
Instruction Fuzzy Hash: 4E118471409780AFDB228F51DC44A62FFF8EF4A310F0888DAED858B562D275A918DB61

Function 009ABD10 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 009ABD75

Memory Dump Source

Source File: 00000002.00000002.1766835656.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9aa000_chargeable.jbxd

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: cfbe918bc16fba6cd8026e0e95f12f409be7e57349788963547703fbcdbc1ce1
Instruction ID: e7b59cfa4f51eaed11f4d2821c75d47e96e9e6060c7792c0d6afb37038e2fa42
Opcode Fuzzy Hash: cfbe918bc16fba6cd8026e0e95f12f409be7e57349788963547703fbcdbc1ce1
Instruction Fuzzy Hash: C611B2B1504380AFDB228F15DC44B62FFF8EF46720F08809EED858B663D261E808CB61

Function 0633139B Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06331405

Memory Dump Source

Source File: 00000002.00000002.1767877962.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_chargeable.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7bef357503c956c85cf569a4953e5e857b2b07b13f22b3587762357095de93b7
Instruction ID: 86a64e564945b9ed942de59d18e39e6d5bff0fc332be57197a4e4cc7ba3a2b0e
Opcode Fuzzy Hash: 7bef357503c956c85cf569a4953e5e857b2b07b13f22b3587762357095de93b7
Instruction Fuzzy Hash: 03110171408380AFDB228F11DC85B52FFB4EF06324F0884EEED858B263C275A818CB61

Function 06330462 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?), ref: 063304B3

Memory Dump Source

Source File: 00000002.00000002.1767877962.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_chargeable.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 59a777d73d1bb0a968301ee7f1015f84a18ec7d162ce48f09213afea9832679b
Instruction ID: 7572c17ba16ebc2438ceea80502ff0f12ca9947a549d21a70da15c056d0ff790
Opcode Fuzzy Hash: 59a777d73d1bb0a968301ee7f1015f84a18ec7d162ce48f09213afea9832679b
Instruction Fuzzy Hash: 201170759003049FEB60CF15D884B66FBE8EF14320F0884AAED898B652D375E508CFA1

Function 009AA42A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 009AA480

Memory Dump Source

Source File: 00000002.00000002.1766835656.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9aa000_chargeable.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5d49393bf3a56de2d6e26d74dad2373c1620ed3a35f847ae5ed03182c2936260
Instruction ID: 19aed0046019a59197f402e4ecc1b7cfe19c80433e2d6eecda29d594dc538827
Opcode Fuzzy Hash: 5d49393bf3a56de2d6e26d74dad2373c1620ed3a35f847ae5ed03182c2936260
Instruction Fuzzy Hash: FB018475408384AFD7128B15DC84B62FFF8EF46720F0880DAED854B262D275A808DBB2

Function 009ABD32 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 009ABD75

Memory Dump Source

Source File: 00000002.00000002.1766835656.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9aa000_chargeable.jbxd

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 92131936effd7930404b65ed8e03b19f00f627d3a7e98b2897a38cfeae5023d5
Instruction ID: 0efe1fc381dff454fe3d39569e24247b8f77482625c5d2bef67c4857fd1a2529
Opcode Fuzzy Hash: 92131936effd7930404b65ed8e03b19f00f627d3a7e98b2897a38cfeae5023d5
Instruction Fuzzy Hash: 2B0192755006408FDB608F16D884B56FBE8EF05720F08849AED498B792D375E808DEA1

Function 009AB45E Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 009AB4A9

Memory Dump Source

Source File: 00000002.00000002.1766835656.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9aa000_chargeable.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 9c0b6f64eacac3158cbf335e1c9952a793ec1ae4228aadd51fa4826de81f3808
Instruction ID: 0cd315030dbe727f460f2fa26a748f07e5db5e561524e767bc8ade3767662e2e
Opcode Fuzzy Hash: 9c0b6f64eacac3158cbf335e1c9952a793ec1ae4228aadd51fa4826de81f3808
Instruction Fuzzy Hash: B90152755006009FDB20CF19D885B62FBE8EF19720F088499ED498B763D375E808CBB1

Function 009AA622 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009AA666

Memory Dump Source

Source File: 00000002.00000002.1766835656.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9aa000_chargeable.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6de9286cc07bb5062f1c43de13fe2ad0b5dc7057c531ac6137a93d0a379ed990
Instruction ID: a427be152362e35ca673c9a12dd117af2ed9d1c4524d7973c017d029af458b42
Opcode Fuzzy Hash: 6de9286cc07bb5062f1c43de13fe2ad0b5dc7057c531ac6137a93d0a379ed990
Instruction Fuzzy Hash: 1D0180329007009FDB218F55D984B66FFE4EF09720F08C8AAED498B652D375E418DFA2

Function 009ABC82 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 009ABCBF

Memory Dump Source

Source File: 00000002.00000002.1766835656.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9aa000_chargeable.jbxd

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 5b8233094c571422a76a5801ee1446de2b57435940a932e1aff006452f64206f
Instruction ID: f1cbb9e56f736270267a0eea5abee1740462f2dc1af55a2b42552c84bc9f9397
Opcode Fuzzy Hash: 5b8233094c571422a76a5801ee1446de2b57435940a932e1aff006452f64206f
Instruction Fuzzy Hash: 8F01B1719002008FEB10CF19D884B66FBE8EF05320F08C8AADD898B342D779E804CAA1

Function 06330032 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 06330082

Memory Dump Source

Source File: 00000002.00000002.1767877962.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_chargeable.jbxd

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: abc30ed8d7a682890c70e436962c3701254223106c889c15317b4dc81aecd11b
Instruction ID: 361ed45849bc751762c5495802cf4b72ffd5f8f2fc9584f5d84ee40b9a2c60b3
Opcode Fuzzy Hash: abc30ed8d7a682890c70e436962c3701254223106c889c15317b4dc81aecd11b
Instruction Fuzzy Hash: 8601A7715006006BD250DF1ACC45B66FBE4FB89B20F148159ED085B741D731F915CBE9

Function 009ABAF2 Relevance: 1.5, APIs: 1, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 009ABB2C

Memory Dump Source

Source File: 00000002.00000002.1766835656.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9aa000_chargeable.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 51e34464ffcf0d2d4a85aac953fce485cb99000cfcaad866b64b1658b774da57
Instruction ID: 06134f73f6bde0c2f048a1d8b540ba3185005b29621de17a8de951ffc9607b30
Opcode Fuzzy Hash: 51e34464ffcf0d2d4a85aac953fce485cb99000cfcaad866b64b1658b774da57
Instruction Fuzzy Hash: 6B017C71A042408FDB50CF19D884766FBE8EF06321F0884AADD498F75AD379E804CAB6

Function 009AA2F6 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 009AA346

Memory Dump Source

Source File: 00000002.00000002.1766835656.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9aa000_chargeable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4d37d20d6c936bcb76bc4117506310475c788d39da120d357f72900515aea566
Instruction ID: d30865cf981a67e0400fbb309c7956ed996ebcaf1238f80a30ffd7e41168b47b
Opcode Fuzzy Hash: 4d37d20d6c936bcb76bc4117506310475c788d39da120d357f72900515aea566
Instruction Fuzzy Hash: 3001A271500600ABD250DF1ACC86B66FBE8FB89A20F148159EC089BB41D735F916CBE9

Function 063313CA Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06331405

Memory Dump Source

Source File: 00000002.00000002.1767877962.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_chargeable.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d4730ebab48f486d6492da3a7808d2b19174cd5ba49947f72b9057d283415c92
Instruction ID: c72358f3e922f0be58e96110e19e8674cada079119810a5d54f2aafce1c8c079
Opcode Fuzzy Hash: d4730ebab48f486d6492da3a7808d2b19174cd5ba49947f72b9057d283415c92
Instruction Fuzzy Hash: E001B1369002008FDB618F16D884B66FBE4EF04324F08C4AAED498BB52D375E458CFA1

Function 06331042 Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0633107D

Memory Dump Source

Source File: 00000002.00000002.1767877962.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6330000_chargeable.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8d1c55e70fa034d5b105b643b4647df0a266115f738d89e52b5a802ce25cfbe4
Instruction ID: 96c24afe64193153b6d04a2d13ec0b782ea3f756ce644e6b8bc9eda816db43a3
Opcode Fuzzy Hash: 8d1c55e70fa034d5b105b643b4647df0a266115f738d89e52b5a802ce25cfbe4
Instruction Fuzzy Hash: EE018F35904240DFDB608F05D884B65FBE4EF09321F08C49AED494B752C375E428CFA2

Function 009AA44E Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 009AA480

Memory Dump Source

Source File: 00000002.00000002.1766835656.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9aa000_chargeable.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 484d7d5fbbc3ae3ff1834f85598f2b65b7b13f5689e8f1b345dfcc0bc6cd752b
Instruction ID: 33ffd32de735ebfea4b3b6d7c951c5530d589b3758282007269e935db7e9982c
Opcode Fuzzy Hash: 484d7d5fbbc3ae3ff1834f85598f2b65b7b13f5689e8f1b345dfcc0bc6cd752b
Instruction Fuzzy Hash: 2EF0A4759043408FDB108F05D888761FBE4DF09721F08C4AAED494B762D3B9A808CEA6

Function 0495CE20 Relevance: 1.3, Instructions: 1282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1767421579.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4950000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dbc4bfc886fc2d24de5ea3da6911d813726ea81e32e1f67cd680a751d778c7b
Instruction ID: 4a38b6e8205b40ecf5f916281c44fe9577dba87eaba81acbd5e79560eb9ea47e
Opcode Fuzzy Hash: 9dbc4bfc886fc2d24de5ea3da6911d813726ea81e32e1f67cd680a751d778c7b
Instruction Fuzzy Hash: 5CB13E71E002059FDB14DFA8D985BAEBBF6EF88310F25C165E915AB2A1D731AC42CB50

Function 0495C7F0 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1767421579.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4950000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1571faf6c3e04da4d9f691fbc11b6c50200358b3d8b52a22423b3ddd56599adf
Instruction ID: 70dacf88895c3980d1f1c9c91b1a44d9ddc894f4c91fa97dee36045c92fc39ae
Opcode Fuzzy Hash: 1571faf6c3e04da4d9f691fbc11b6c50200358b3d8b52a22423b3ddd56599adf
Instruction Fuzzy Hash: 49910730B142118FCB14EBB5C8916AE77B6EFC5318B108579D906AB395EF38EE05C791

Function 0495C630 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1767421579.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4950000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e279f3e6b00a3aa631be8015a6870243fa8a5cc61a7d73ad7348fe97ebf5278
Instruction ID: e378a27cbb9c191dbc501b06374bd4ad3cd3aa4cf9ea42a11c7a95a6716f6105
Opcode Fuzzy Hash: 5e279f3e6b00a3aa631be8015a6870243fa8a5cc61a7d73ad7348fe97ebf5278
Instruction Fuzzy Hash: 49413631B052155FDB11DBA8C881BBEBBA2AFC6304F24853AD504CF792D630EC4187D1

Function 0495CB00 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1767421579.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4950000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73c12d4c89ec059a824b18d62cd7a54f109f4a4db663ca3630ca4fb049787eb
Instruction ID: 8faa22dc20a8f1d961a3de1162146af114452a09ba273f3cd66a0ed6ec0239a8
Opcode Fuzzy Hash: e73c12d4c89ec059a824b18d62cd7a54f109f4a4db663ca3630ca4fb049787eb
Instruction Fuzzy Hash: 5141A030B142158FDB14DB7888657AE77B69BC9214F24443AC806EB3A0EF789D46DB91

Function 0495C7E1 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1767421579.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4950000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823ebdc88d422cfe06cbb8840034542091869298e4573c877cd50f5da9dbc089
Instruction ID: 7e20a566d309a45e67b7e3ad133c33767ba8a3b2d2b77a29a66d063bde49a04e
Opcode Fuzzy Hash: 823ebdc88d422cfe06cbb8840034542091869298e4573c877cd50f5da9dbc089
Instruction Fuzzy Hash: 97312C34A083528FC710DB79D99556EB7B5FF84318B20427AD901D77A5EB30ED41CB91

Function 0495CCAF Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1767421579.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4950000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c668d86ea69d586fb9e48b528149fa78594e3779534652f45c4ea19d4acab382
Instruction ID: eee9c3e0742d253f6a435286abed4f85cdce40426fc445c082a616b331f2f317
Opcode Fuzzy Hash: c668d86ea69d586fb9e48b528149fa78594e3779534652f45c4ea19d4acab382
Instruction Fuzzy Hash: 6A216D71E002199BCF20DFB58891AEEBBBAEFC9204F244439DA15B7254DB755901CBA1

Function 00600734 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1766539733.0000000000600000.00000040.00000020.00020000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_600000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b2913393f993c2fab33eb401d36bae4ad8edbd74cb7b26238d8d9844b5ad90
Instruction ID: fd7ca209d383562c9f70fffab3fda274b22265192fc7589ce8836542bc8ce7df
Opcode Fuzzy Hash: 39b2913393f993c2fab33eb401d36bae4ad8edbd74cb7b26238d8d9844b5ad90
Instruction Fuzzy Hash: BC2159345493C18FD7078B20D890B91BFB1EB57208F1985DED4848B6A3D62A880BCB52

Function 0060076C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1766539733.0000000000600000.00000040.00000020.00020000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_600000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a75343da85d8342437496c6a3ce5bf3cbceeb09b9eb6ced355a579df11725bb
Instruction ID: 687eec45d4c821ecefccbec7f22cba777edef053e5927fc4604bccfaf189bd0b
Opcode Fuzzy Hash: 2a75343da85d8342437496c6a3ce5bf3cbceeb09b9eb6ced355a579df11725bb
Instruction Fuzzy Hash: 59110A30284284DFE719CB10C980B67F7E6EB89708F24C59DE54907B82C77BE803CA41

Function 0495C77F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1767421579.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4950000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734d6f91a1296a7042ec7e87857ddd8c8af30ec9515eff654134e6fa54dc1615
Instruction ID: d692baebf8a75bffb1c4c0cefd6c2a0a8cbed82a68cca9528bb32efa6f7e6cea
Opcode Fuzzy Hash: 734d6f91a1296a7042ec7e87857ddd8c8af30ec9515eff654134e6fa54dc1615
Instruction Fuzzy Hash: EF0197713092401FC714E27A5CD1AEFBBC29FC6218F10407EE1488FBD2DAA0480A8395

Function 04959819 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1767421579.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4950000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ce4dc2bb950a4c94147f81ef880be13ea3aa9502b162002e938a107e080ade
Instruction ID: de8d031df01984d9c138b53570ebf745c470aecc8469800e28a13e8d1038a075
Opcode Fuzzy Hash: f1ce4dc2bb950a4c94147f81ef880be13ea3aa9502b162002e938a107e080ade
Instruction Fuzzy Hash: 0B0149317082109FD7229334AC11B6E37918BC9B14F34417AD641DF3D1DAA19C038794

Function 006005DF Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1766539733.0000000000600000.00000040.00000020.00020000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_600000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06168177e7ae576c1e28bb11544c547c226114cc2bed95d93190416ecc6c8e07
Instruction ID: cdca5d4ce5f56c8c390a8944070a6418620bc5242d84f50bbe124673ba5d4beb
Opcode Fuzzy Hash: 06168177e7ae576c1e28bb11544c547c226114cc2bed95d93190416ecc6c8e07
Instruction Fuzzy Hash: 7A01D6B64093806FD7028B16AC50862FFA8DF86630709C4AFEC898B613D125A909CB76

Function 04959828 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1767421579.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4950000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264462df0cef282b296a73836520256fd10f553815ac97bf95fd589eba67e7ac
Instruction ID: 773411b9413040e518c4c82789877a492918a8365914555ee6e62fe95a4ac630
Opcode Fuzzy Hash: 264462df0cef282b296a73836520256fd10f553815ac97bf95fd589eba67e7ac
Instruction Fuzzy Hash: 89F0213170431097DA20A775AC11B5E71DA87C9B64F344136EA05DF3D4EE75AC0247D9

Function 00600828 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1766539733.0000000000600000.00000040.00000020.00020000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_600000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e1c6324d431d8898d05c4f184fa73b81ea7543c773894a6020088d6b5dab9c
Instruction ID: e07f19b4f663f682247f9d64cd9be0c09464794d10148e6a90f9d64e1a1d7427
Opcode Fuzzy Hash: 26e1c6324d431d8898d05c4f184fa73b81ea7543c773894a6020088d6b5dab9c
Instruction Fuzzy Hash: C3F0FB35188644DFC616CB40D980B56FBA6EB89718F24CAADE94907752C737E813DA81

Function 00600606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1766539733.0000000000600000.00000040.00000020.00020000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_600000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e032bbe8d68805f5e5c2a9201c67e938a5d4d87cf9ffa7a7e09b005a68cf5767
Instruction ID: 9dfc4d3ab74a9c303af68acc695ea5c04d4a0d11d5eef2a2e7aa5828f5bce6b3
Opcode Fuzzy Hash: e032bbe8d68805f5e5c2a9201c67e938a5d4d87cf9ffa7a7e09b005a68cf5767
Instruction Fuzzy Hash: 8AE092B66046005B9750CF0BEC81452F7D8EB84630B08C47FEC0D8B701D639B908CEA9

Function 049500A0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1767421579.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4950000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cf99a55f79752a7368bdd7e33e1a38626634643fba0b12509eadfadef81bd7
Instruction ID: 1f5af610558c96aaaaa7818fb03d9f1d590eb4cede936897ba2ada1d1470a987
Opcode Fuzzy Hash: 62cf99a55f79752a7368bdd7e33e1a38626634643fba0b12509eadfadef81bd7
Instruction Fuzzy Hash: F6D0A7A3249060568A1631A928115FF174D4BC7A34705007BE0469B293CD880902429E

Function 0495C7C0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1767421579.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4950000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5afb89f74214ca6a51f739977855cb229b0fd4c0b4d4eeaf86b5d9e702de5ea
Instruction ID: d4ced8a45b1843e9fe5365f0b7111690dc02a6f3b3f09d706f7a6da7638d1780
Opcode Fuzzy Hash: d5afb89f74214ca6a51f739977855cb229b0fd4c0b4d4eeaf86b5d9e702de5ea
Instruction Fuzzy Hash: F5D0A9A73091508FC302D0B87C946EA6312E6E672539541B3EA00C76A2D228480B83A1

Function 04950070 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1767421579.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4950000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5919f63f2c645a9a589b35e9ad4ecefd02346bfd9f2286d46964f4142d6b6e14
Instruction ID: aa96ae8aea2368bd91621a135f1ce27f3462c662fc6101bbd1ad4222090ba2c6
Opcode Fuzzy Hash: 5919f63f2c645a9a589b35e9ad4ecefd02346bfd9f2286d46964f4142d6b6e14
Instruction Fuzzy Hash: E2C08C12348624430E1932B652260EE728D8E825FC306003AD66EDB393CF0FAD0203EE

Function 009A23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1766822127.00000000009A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9a2000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c92e98548a48fe889006ee69e8e172a794c8c42c00b9b2c6ba08af1bb93d90
Instruction ID: 223a1b09670924686f56c83120d3585ec7f3f6a598e3eafedaec99dc4b403c06
Opcode Fuzzy Hash: e6c92e98548a48fe889006ee69e8e172a794c8c42c00b9b2c6ba08af1bb93d90
Instruction Fuzzy Hash: 4DD05E792097C14FD716DB1CC1A4B9537D8AB56714F4A44FDE8008BB73C768D981D644

Function 009A23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1766822127.00000000009A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9a2000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c6e2622f78edb9fe28d72fc3050091c3cd34d37438c3959e2d04ad3e1e9a1f5
Instruction ID: bb490620287b4da7559dee524a4e05c8946b934790fe1a673e664d4f19ab2aa3
Opcode Fuzzy Hash: 4c6e2622f78edb9fe28d72fc3050091c3cd34d37438c3959e2d04ad3e1e9a1f5
Instruction Fuzzy Hash: E0D05E342002814BCB15DB0DC2D4F5977D8AB42B14F0644F8AC108B762CBA8D8C0CA44

Function 049500B0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1767421579.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4950000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd3b481c1f22c3e91c996e67ab634ae88ca58f5ab64976d1a2be59ab29d45474
Instruction ID: 5f81a7e5513a3d4d9f5da83affcc85af0c7ca2d0bff2dce2b5453b5954e8ecd1
Opcode Fuzzy Hash: bd3b481c1f22c3e91c996e67ab634ae88ca58f5ab64976d1a2be59ab29d45474
Instruction Fuzzy Hash: A4C09B92304534930C1D319D35115EE734D49CAD75741046BF54957352CE455D0103EE

Analysis Process: chargeable.exePID: 3992, Parent PID: 4480COMMON

Execution Graph

Execution Coverage:	19.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.3%
Total number of Nodes:	114
Total number of Limit Nodes:	4

Executed Functions

Function 0545123F Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 054512BF

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: cc856f1c3e7a95c627801057d17f960de8122a6192a8129021649711b6f3b745
Instruction ID: 1ed21f220a5831fb29529102007c7d7f9d8c3d7f64794406a9a1136a24868199
Opcode Fuzzy Hash: cc856f1c3e7a95c627801057d17f960de8122a6192a8129021649711b6f3b745
Instruction Fuzzy Hash: C1219F755097849FEB128F25DC44B92BFF4EF06220F0885DBE9858B663D271A908DB62

Function 05451276 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 054512BF

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 851c71b20351ab24684132e9eb6407ef5b3a7fba48e8d9d07b79dec3b1310fbb
Instruction ID: 3de16bc373d740f0146622f7811929c852f12d493ca917a0f485306028e9a4a9
Opcode Fuzzy Hash: 851c71b20351ab24684132e9eb6407ef5b3a7fba48e8d9d07b79dec3b1310fbb
Instruction Fuzzy Hash: 5D1170755002449FEB20CF55D884BA6FBE4FF09220F08C4AAED8ACB652D375E419DB61

Function 01420B68 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01420B8F

Memory Dump Source

Source File: 00000003.00000002.4111142092.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1420000_chargeable.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8eb0aac8cdaa500627ce32606d5ba11e14385e03230dd182367271d0cf8f576e
Instruction ID: 232347dbf23ca4247f2ab6638bbf5141fc421c86cfdbbee27dd7a57b75845a2c
Opcode Fuzzy Hash: 8eb0aac8cdaa500627ce32606d5ba11e14385e03230dd182367271d0cf8f576e
Instruction Fuzzy Hash: 6141D470A002108FCB18DF79C98459DB7F2EF88204B54807AD809DB369DB35DD81CBA4

Function 01420B58 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01420B8F

Memory Dump Source

Source File: 00000003.00000002.4111142092.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1420000_chargeable.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6653a18e81728f37cc9e47602a0b7d9bb2b7e57d6966ee4f72c7eceb2cf6c991
Instruction ID: 4dcc7b4dd8bf2ea8169bd26a2ca4db7313172658bf679d6afeb53feeac5922e1
Opcode Fuzzy Hash: 6653a18e81728f37cc9e47602a0b7d9bb2b7e57d6966ee4f72c7eceb2cf6c991
Instruction Fuzzy Hash: B0419271A002148FCB18DF79C98469EBBF2EF88204B54847AD849DB369DB35DD81CBA4

Function 0103B8CA Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0103B989

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4a0e629d508746466c19d668c36249199c621aa247bbcf2a3544d27c162baf48
Instruction ID: ed5926db42da135dbaaeae37f0bca4afd7000e1ea89c70fee497a28a5000d9d6
Opcode Fuzzy Hash: 4a0e629d508746466c19d668c36249199c621aa247bbcf2a3544d27c162baf48
Instruction Fuzzy Hash: 0E31B2B1505380AFE712CF65DC40BA2BFE8EF46314F08849EE9848B652D275A909DB71

Function 054517EC Relevance: 1.6, APIs: 1, Instructions: 100
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 054518A9

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 27a87a44f51610b36c8b74ea75c5a13ef5d1a826c0e6446e7ece324a4f840ac4
Instruction ID: 067912f54b007ee75e548b4a4da8221bc0b094c97af85df97216ea426d26e310
Opcode Fuzzy Hash: 27a87a44f51610b36c8b74ea75c5a13ef5d1a826c0e6446e7ece324a4f840ac4
Instruction Fuzzy Hash: 57318FB2504744AFE721CA65CC44FA7BBECEF09624F08899AF985C7652D324E909CB71

Function 0103BE37 Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0103BEFE

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0fbdce0f37747c059c346917d213d9fbbba4f8fa9badfcce97d1803041eb703e
Instruction ID: fe8532e32dfd9923a11c02d9612d74941997401b87f16db765dd6da5d45aea09
Opcode Fuzzy Hash: 0fbdce0f37747c059c346917d213d9fbbba4f8fa9badfcce97d1803041eb703e
Instruction Fuzzy Hash: 9E319E7510E3C06FD3138B258C61A61BFB4EF47610B0E45CBD9C48F6A3D629A909D7B2

Function 0103A7C7 Relevance: 1.6, APIs: 1, Instructions: 95
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0103A879

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c48716d0e87c9fbf6cfe90174d3b4bc02281c0a8c848f6baec6e396b6e454e31
Instruction ID: 76cae9c122f907b536e63ce753d472cafc4bcd0fd8db573255d25cefa9b455b6
Opcode Fuzzy Hash: c48716d0e87c9fbf6cfe90174d3b4bc02281c0a8c848f6baec6e396b6e454e31
Instruction Fuzzy Hash: 9431C7B15083806FE7228B51DC44FA7BFFCEF06214F08449AE984CB653D264A90AC775

Function 05450D54 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05450E1B

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 4578877dcd9b5bd8b7682d2e302563ccddac6d5c240a9e208bab00d98e68ce0d
Instruction ID: 948d98438d46f8e3503083aa2208d4e6fd61ac6cfad88e51fa148f4b36ea6004
Opcode Fuzzy Hash: 4578877dcd9b5bd8b7682d2e302563ccddac6d5c240a9e208bab00d98e68ce0d
Instruction Fuzzy Hash: 8231B1B1104340AFE721CF50DC88FA7FBACEB05314F04489AFA489B692D375A909CB75

Function 05450FE2 Relevance: 1.6, APIs: 1, Instructions: 91
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 0545109E

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 3e3ddbb8ccabeade6129d1db3afd334a70f5bbabf332c8e47a86f9240c4ddd49
Instruction ID: ede34a7ab279f6a3b75123774ece9b0898aa03bdf3f614ab6c93729607016144
Opcode Fuzzy Hash: 3e3ddbb8ccabeade6129d1db3afd334a70f5bbabf332c8e47a86f9240c4ddd49
Instruction Fuzzy Hash: A4318F7250D3C05FD7038B658C61AA2BFB4EF47610F0D84DBD8C48F2A3D624691AD7A2

Function 0103A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0103A6B9

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 2b9fe4f126bd27f71177697374f367047c27b91af6c9b06a793e2d22e2e4eb1a
Instruction ID: 0537f20af7fe636ecb7a89572160296e00c2d2bc693d73ad15f20032d287f8d5
Opcode Fuzzy Hash: 2b9fe4f126bd27f71177697374f367047c27b91af6c9b06a793e2d22e2e4eb1a
Instruction Fuzzy Hash: 8B31B3B15097809FE712CB65CC85B96BFF8EF46210F08849AE984CF293D375A909C775

Function 05450C4C Relevance: 1.6, APIs: 1, Instructions: 89
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E24,D219E75E,00000000,00000000,00000000,00000000), ref: 05450CE9

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: b01549b137eff748856f41fbf00e8f0b648bae934f5ad8a245fd14039cb4eb74
Instruction ID: d77be77ae17ce88fa6da44f3f2eea02c4cad546b334ee3d02cb1d98d7908e6cc
Opcode Fuzzy Hash: b01549b137eff748856f41fbf00e8f0b648bae934f5ad8a245fd14039cb4eb74
Instruction Fuzzy Hash: B031C5765057806FE712CF50DC45FA6BFB8EF06324F08849BE9858B1A3D225A909CB75

Function 05450548 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 054505DF

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 4f960e94b718464387d92cd45177a8606ea924672533ad03598f25e59d279122
Instruction ID: 7fd542bf6aefa530f738d063ff53c0cfbb4ab21e21aff498ca4ef00adae6df06
Opcode Fuzzy Hash: 4f960e94b718464387d92cd45177a8606ea924672533ad03598f25e59d279122
Instruction Fuzzy Hash: 3231C171504384AFE721CF65DC49FA7BBF8EF06220F0884AAE944CB652D324A909CB75

Function 0103A8C1 Relevance: 1.6, APIs: 1, Instructions: 86
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 0103A97D

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 0cc7b91e22fcaafb27f327b0d50dcbdc81a13764a231701cc434ae53b54f943a
Instruction ID: 9e325127638637347f766da4baf5314a0472739f02a4218eeab5c9899d27f63d
Opcode Fuzzy Hash: 0cc7b91e22fcaafb27f327b0d50dcbdc81a13764a231701cc434ae53b54f943a
Instruction Fuzzy Hash: 9731F471005780AFEB228F60DC44FA2FFB8EF46320F08849EE9848B563D275A509CB65

Function 0545180E Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 054518A9

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 326b26231e6472e304231fdac941cc8da7b6091130266db48ad8dff92b70952a
Instruction ID: 23775aee1e46b8c02a5913c7b07cc517015979349f5c4c009b767e11dcd6e755
Opcode Fuzzy Hash: 326b26231e6472e304231fdac941cc8da7b6091130266db48ad8dff92b70952a
Instruction Fuzzy Hash: D5218D72500604AFEB31DE55CC84FA7BBECFF08624F08899AED85C7652D720E909CA75

Function 0103A361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,D219E75E,00000000,00000000,00000000,00000000), ref: 0103A40C

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f8ff0ab014403783eee931bf99ab15cbc52c45110013c7a63c5379e7c45f3e3a
Instruction ID: 6f492ba3ac0a02350aa5afbe8237eee0dfb886235cdb8999e37b9eab77feb31a
Opcode Fuzzy Hash: f8ff0ab014403783eee931bf99ab15cbc52c45110013c7a63c5379e7c45f3e3a
Instruction Fuzzy Hash: 0C315075505784AFE722CF15CC84F92BBFCEF46610F08849AE985CB2A2D364E909CB65

Function 05450D76 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05450E1B

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 63e1d4fc6d43a17d470cb40eb649fcae4348257fe494d6cc01072648f964aa59
Instruction ID: 6d803e0d474d5194f5c6726a8e82f6459c3f0ec43efd080746eb102abcac904a
Opcode Fuzzy Hash: 63e1d4fc6d43a17d470cb40eb649fcae4348257fe494d6cc01072648f964aa59
Instruction Fuzzy Hash: FC21A371500204AEEB20DF50DD88FE6FBECEF04714F14445AFA489A681D775A549CB75

Function 05450006 Relevance: 1.6, APIs: 1, Instructions: 81networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0545009E

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: beac935959d036ea13608c5093535fb96b9e70d593b19bdbace43d3af0e4ab46
Instruction ID: f631b74c787e3fc8207a0f2f5af89a16fde8a1d19b4caffa8a74d8572d116b9b
Opcode Fuzzy Hash: beac935959d036ea13608c5093535fb96b9e70d593b19bdbace43d3af0e4ab46
Instruction Fuzzy Hash: EF319371409780AFE722CF51DC44F96FFF4EF06324F08849AE9858B652D375A909CB65

Function 0103B9E0 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,D219E75E,00000000,00000000,00000000,00000000), ref: 0103BA75

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 70256866c3e40d581efc00379155c358c1a75679312dc4abdcc56a9996f8e265
Instruction ID: 7fe41ee64c7bfc2bbc14fbb1ef13fd88672d2495bb59459b2696a059b130d58d
Opcode Fuzzy Hash: 70256866c3e40d581efc00379155c358c1a75679312dc4abdcc56a9996f8e265
Instruction Fuzzy Hash: A021F8B54097806FE712CF15DC81BA2BFACEF47324F0980D6E9848B2A3D264A909C775

Function 054513C1 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,D219E75E,00000000,00000000,00000000,00000000), ref: 05451448

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 4c3ba868080b61ede1f00be12f72ed5d4b8b4fcfa537485cc5c8034f7c4e485b
Instruction ID: cc62a965103e358735ef2cd84f5eb7bbd2070e17a73211c7af2e50968f973cff
Opcode Fuzzy Hash: 4c3ba868080b61ede1f00be12f72ed5d4b8b4fcfa537485cc5c8034f7c4e485b
Instruction Fuzzy Hash: A521C4715093806FE712CB50DC85FA6BFB8EF02224F0884DBE984CF293D264A909C775

Function 0103A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,D219E75E,00000000,00000000,00000000,00000000), ref: 0103A4F8

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 0987ab067508e53b1e3d0cc1e190198d649dbfd6aa3154cc73cb209e4478d10d
Instruction ID: 85e155c05d435a119176e6018a7b2f4079cb6eede4a5535db083dccd19256c8f
Opcode Fuzzy Hash: 0987ab067508e53b1e3d0cc1e190198d649dbfd6aa3154cc73cb209e4478d10d
Instruction Fuzzy Hash: 1B219F72104780AFE7228E55DC44F63BFFCEF46220F08849AE985CB6A2C264E809C775

Function 054506FE Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05450792

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: cea1dc90056641e1a8344c050455f00171b3d76518b3cf575fa4482e9ce15c93
Instruction ID: e214530e97abfe95589d1cfe8e3fb79b6442cbb04cf753bb95d6d94d14878da6
Opcode Fuzzy Hash: cea1dc90056641e1a8344c050455f00171b3d76518b3cf575fa4482e9ce15c93
Instruction Fuzzy Hash: 8B21D371405380AFE722CF55CC48F96FFF8EF0A224F04849EE9858B652D375A909CB65

Function 0103B90A Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0103B989

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f8528486b658ded8309cadb207f437ee6166f507253f3233ac5e88efe9a00b0e
Instruction ID: 6f8edd6e8ca89e4d44a632e53e2fc0bc392c1c7ff1b71c1a9dccd0bce6e9a03e
Opcode Fuzzy Hash: f8528486b658ded8309cadb207f437ee6166f507253f3233ac5e88efe9a00b0e
Instruction Fuzzy Hash: B121B271500200AFEB21CF65CC85B66FBE8EF09224F04845EE9858B751D375E509CB75

Function 0545056E Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 054505DF

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: b1387595cc4ce3aacbae0cc153ef8b59c9e5a59e6a01ebab902042736a1f4656
Instruction ID: 36d59474338f8865733459dcd205aae9580acc8a148ca332f1bc2f224597976f
Opcode Fuzzy Hash: b1387595cc4ce3aacbae0cc153ef8b59c9e5a59e6a01ebab902042736a1f4656
Instruction Fuzzy Hash: 6E21F276500204AFE720DF25DC48FABBBECEF04324F08846AED49DB652D234E5098AB5

Function 05450462 Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,D219E75E,00000000,00000000,00000000,00000000), ref: 054504F4

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: faca922f64248277be5465560673f37334fa88da7ad153b08a244c6a9c56eaac
Instruction ID: c9221167b4d2ff0729bb1d59598946f5eacbe70bd27a8245df93878addeb22f8
Opcode Fuzzy Hash: faca922f64248277be5465560673f37334fa88da7ad153b08a244c6a9c56eaac
Instruction Fuzzy Hash: F1219076505744AFD722CF51DC44FA7BBF8EF06320F08849AE9498B262D364E909CB75

Function 0103A7FA Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0103A879

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 2df3e0d9249ba34715230adb7edfeb271a1e2893fd35ab2d4353de3bac79387c
Instruction ID: 8df105fcda5e5aa7f1dfaf98b053e21fb026a66a0af7b2b5b4512b1a2c7b25fb
Opcode Fuzzy Hash: 2df3e0d9249ba34715230adb7edfeb271a1e2893fd35ab2d4353de3bac79387c
Instruction Fuzzy Hash: FE21D1B2500204AEE721CF55CC44FABFBECEF04214F04845AEA85CB651D764E5098AB5

Function 0545158F Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,D219E75E,00000000,00000000,00000000,00000000), ref: 0545160B

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: e957a6635c55d34c7f28b8c9bf16888ab8432c851906b8d333672ea2eb45f44c
Instruction ID: c633ef138a172d277e03a1cf99129b16a01e77d09de6c517932703f7deeccc85
Opcode Fuzzy Hash: e957a6635c55d34c7f28b8c9bf16888ab8432c851906b8d333672ea2eb45f44c
Instruction Fuzzy Hash: 9821D4715053806FE711CF51DC84FA7BFA8EF46220F0884ABE945CB252D374A908CBB6

Function 054514AB Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,D219E75E,00000000,00000000,00000000,00000000), ref: 05451527

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: e957a6635c55d34c7f28b8c9bf16888ab8432c851906b8d333672ea2eb45f44c
Instruction ID: 779982fe5392c4d31cd8a5ff458f5f139b6cb59270b91f46cc41053b7d12b1a4
Opcode Fuzzy Hash: e957a6635c55d34c7f28b8c9bf16888ab8432c851906b8d333672ea2eb45f44c
Instruction Fuzzy Hash: 8521D4715053846FEB12CF51DC44FA7BFA8EF46220F0884ABE945CB252D374A908CBB9

Function 0103A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0103A6B9

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: b603638dfe64fb12348b110306b98f0ce0b291c4fdb57d1b324128ac8413c53f
Instruction ID: f2bb9bac7820a08fbc0a17ecc96f8c6eafa93a9b08fc3aceddcce962ead01ed4
Opcode Fuzzy Hash: b603638dfe64fb12348b110306b98f0ce0b291c4fdb57d1b324128ac8413c53f
Instruction Fuzzy Hash: 3921C2716002409FE711CF65CC85BA6FBECEF49210F0484AAE989CB741D375E909CA79

Function 0103BCC2 Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,D219E75E,00000000,00000000,00000000,00000000), ref: 0103BD41

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f0842dfbe22e58d87b8145f0dfdecdb97faec1ee64eb6cf4e692bab318b76642
Instruction ID: 7cfd80af50ee1517488cedbe2f54a46028e4ea9148283d6c6580c9e617c633e0
Opcode Fuzzy Hash: f0842dfbe22e58d87b8145f0dfdecdb97faec1ee64eb6cf4e692bab318b76642
Instruction Fuzzy Hash: 1821C271405780AFDB22CF51DC44F97BFF8EF46214F08849AE9848B162D235A509CBB6

Function 0103A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,D219E75E,00000000,00000000,00000000,00000000), ref: 0103A40C

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2842ea277b5b918ef9157ff33c2dc7d8dab39749158bf6d23c6a27d7921b47c0
Instruction ID: 01f22da8808adaa4e79c25304d20b2efe1bde84de34939fdaba7fbfcfbdd181f
Opcode Fuzzy Hash: 2842ea277b5b918ef9157ff33c2dc7d8dab39749158bf6d23c6a27d7921b47c0
Instruction Fuzzy Hash: 8021C0766006049FEB20CF15CC84FA6F7ECEF44710F08C49AEA85CB651D760E809CA75

Function 0545130C Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05451378

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 13389b61823a394716c7b45b98ecbd3f147ae2099441c916d71aaeb967ee634b
Instruction ID: d8bcdecd095f23ab707137d95a87fe2ff95bb2444472026fe450664484c7337c
Opcode Fuzzy Hash: 13389b61823a394716c7b45b98ecbd3f147ae2099441c916d71aaeb967ee634b
Instruction Fuzzy Hash: AB21A1715093C05FEB028B25DC94B92BFB4AF47224F0984DBEDC58F663D2659908CB62

Function 0103A710 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0103A780

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3abc64450ff806851720bf971a9f17286a43fdce6b52b87cb5cd02c3978259f1
Instruction ID: 4ba3468a5854fa4300e9eb9aa94557462531db2eaa075d82c7aee4920fb496ae
Opcode Fuzzy Hash: 3abc64450ff806851720bf971a9f17286a43fdce6b52b87cb5cd02c3978259f1
Instruction Fuzzy Hash: C821C0B55043809FD7028F15ED85752BFA8EF42224F0984ABED858B653D235A905DBA2

Function 0545071E Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05450792

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 84a6aa323ba4dde54591ef63a96127196a2e9fd4136c574cf7469930c7733bf7
Instruction ID: 15d13d4471b7bb9f8ae28d4d99fa0b82fd14a7ac9b31254c9aa79a35adb61492
Opcode Fuzzy Hash: 84a6aa323ba4dde54591ef63a96127196a2e9fd4136c574cf7469930c7733bf7
Instruction Fuzzy Hash: B921F371400240AFE721CF65CC88FA6FBE8EF09324F04845AE9498B751D371E409CBA9

Function 05450F26 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05450FA2

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 4f7611b17bbd06c3c6bc8a09b75f7d89f812279aa4667f8d1bc009814ec7b181
Instruction ID: 9aa9eeb409f818808ad968ab190754c109c6239a30a644925c50fcc9153269d7
Opcode Fuzzy Hash: 4f7611b17bbd06c3c6bc8a09b75f7d89f812279aa4667f8d1bc009814ec7b181
Instruction Fuzzy Hash: 26217175508384AFDB228F51DC44B62FFF4EF06310F0884DAED858B263D275A519DB61

Function 05450032 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0545009E

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 0928dc8a38168d501514c39c447ef4a29406954c703392ae0afa2dedd9028571
Instruction ID: f502ed55b52ce7cac6ed25830f1960712e0d80d151d939e4b087fd8ee5a08036
Opcode Fuzzy Hash: 0928dc8a38168d501514c39c447ef4a29406954c703392ae0afa2dedd9028571
Instruction Fuzzy Hash: 0421D171500240AFEB21CF55DD44FA6FBE4EF09724F04885AEE498B752D376A409CB7A

Function 0103A902 Relevance: 1.6, APIs: 1, Instructions: 66windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 0103A97D

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 1d077b6382ce171d069fbd4551d7477caca4a853aa9274f325019727831d0878
Instruction ID: 2c64ca136f7abd57b0845ab7115927f5e0eeee8d49d9aaf37274343249082fcb
Opcode Fuzzy Hash: 1d077b6382ce171d069fbd4551d7477caca4a853aa9274f325019727831d0878
Instruction Fuzzy Hash: 1721E175500600AFEB218F50DC40FA6FBE8EF45310F04845AEE859B691D375A508CBB9

Function 0103A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,D219E75E,00000000,00000000,00000000,00000000), ref: 0103A4F8

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 876d0f4cf8a86038c679b770f0593ce8ff791db86f42a0b26797bba5bf937806
Instruction ID: 0e90b75fb9cbff58c536b373b08a06cdd4d23063be25cd41e0473b9e1049b6f0
Opcode Fuzzy Hash: 876d0f4cf8a86038c679b770f0593ce8ff791db86f42a0b26797bba5bf937806
Instruction Fuzzy Hash: D711B176600600AFEB21CE15DC44FA7FBECEF45624F04845AED85CB692D760E808CAB5

Function 05450482 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,D219E75E,00000000,00000000,00000000,00000000), ref: 054504F4

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 290552fa41f4734710c58094b4188920d4177d8215be1ee00129af000f3b6706
Instruction ID: fe8b42ee6fe0f17dcfdd7787c4d38c3c35519589231b6781d72ac2dcabb23fe0
Opcode Fuzzy Hash: 290552fa41f4734710c58094b4188920d4177d8215be1ee00129af000f3b6706
Instruction Fuzzy Hash: 8111DF76500604AFEB21CE55CC84FA7F7E8EF05320F08805AEE098B752D360E508CAB5

Function 054510D4 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0545113E

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 8246899bbab9a9211d1d47245d0db9679870deda1909f8f3219548204c6fe43c
Instruction ID: 7395518181c1921720dd93d08c2d7f2277b58ab79c4d7144c4891cd049f59847
Opcode Fuzzy Hash: 8246899bbab9a9211d1d47245d0db9679870deda1909f8f3219548204c6fe43c
Instruction Fuzzy Hash: 8A1160715053849FD711CF25DC85B97BFE8EF45220F0884EBED85CB652D265E908CB61

Function 05450C8A Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,D219E75E,00000000,00000000,00000000,00000000), ref: 05450CE9

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: d12f62ec82e557292569eb1937cbe75b602a17bdf4226e813f30c18b2f5718cd
Instruction ID: 7dea67943d971b20e1c99d52cfba295dff2561a7531b611bf16cd6ddc7392c14
Opcode Fuzzy Hash: d12f62ec82e557292569eb1937cbe75b602a17bdf4226e813f30c18b2f5718cd
Instruction Fuzzy Hash: AB110376500600AFEB21CF51DC44FABF7E8EF05320F04846AED098B655D375A409CBB5

Function 054514CE Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,D219E75E,00000000,00000000,00000000,00000000), ref: 05451527

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 30de5b441ec4cc443ea3d5d5440029c40012b6e3e2a8acd6aeb8b3f5feb5d9e2
Instruction ID: c049d9fe1a0dc412a09058f209ae36ab7a3a6d99b61d90f7b2712072f357fe82
Opcode Fuzzy Hash: 30de5b441ec4cc443ea3d5d5440029c40012b6e3e2a8acd6aeb8b3f5feb5d9e2
Instruction Fuzzy Hash: 7811B271500204AFEB11CF55DC85FAAB7A8EF05224F08846AEE45CB651D774A909CAB9

Function 054515B2 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,D219E75E,00000000,00000000,00000000,00000000), ref: 0545160B

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 30de5b441ec4cc443ea3d5d5440029c40012b6e3e2a8acd6aeb8b3f5feb5d9e2
Instruction ID: 0f71f073ce5b183dcb5f8bf44f6a13641550087e95b41ce6f7b37160fe4621aa
Opcode Fuzzy Hash: 30de5b441ec4cc443ea3d5d5440029c40012b6e3e2a8acd6aeb8b3f5feb5d9e2
Instruction Fuzzy Hash: 9011B2715002009FEB10CF55DC84BA6B7A8EF05224F08846AEE49CB651D775A909CABA

Function 0103AF93 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0103AFFE

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cef0dc3aaf9dc36c361268da6ea372b591452d4e2637fd009dc64ee9e037eab1
Instruction ID: 39cfeec2c58734c926183a9ad5de4fde661e62380781fb1d1e735f0d5ae5de89
Opcode Fuzzy Hash: cef0dc3aaf9dc36c361268da6ea372b591452d4e2637fd009dc64ee9e037eab1
Instruction Fuzzy Hash: 2211B471409380AFDB228F55DC44B62FFF8EF4A310F0884DAED898B563C276A519DB61

Function 054513F2 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,D219E75E,00000000,00000000,00000000,00000000), ref: 05451448

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 399dba96a87058b28cf89ac86142f05ce97352f8d14f14bf9c348b083c66e672
Instruction ID: 5e43ad6c57dd95800369fd99c7b1586f4979bf8043fd84aa92653cefcce4fb2b
Opcode Fuzzy Hash: 399dba96a87058b28cf89ac86142f05ce97352f8d14f14bf9c348b083c66e672
Instruction Fuzzy Hash: 7A11E371500200AFEB11CF55DC85FA6B7E8EF06224F0894ABED45CB752D774A909CAB9

Function 0103BCE2 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,D219E75E,00000000,00000000,00000000,00000000), ref: 0103BD41

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1770eaf3c7b217a082257738e5c9afb7fc1fa3f49b77b0f06d803d40fb774421
Instruction ID: d0643edd19e6014a951e2c516e2fd79c0e8f209460cba101dd833ca51cdd51b6
Opcode Fuzzy Hash: 1770eaf3c7b217a082257738e5c9afb7fc1fa3f49b77b0f06d803d40fb774421
Instruction Fuzzy Hash: 27113A71500600AFEB21CF54DC84FA6FBECEF45324F04845AEE448B651D375A508CBBA

Function 054503BE Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 0545043A

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: b5412a35d44cf5deec2f9dcfc95c51266304a8cb4df8b95caaf56a2a9656511a
Instruction ID: bc7c557076f515b73358d2f4032e586675625c319c63e7e6efcbfcc989beb0b4
Opcode Fuzzy Hash: b5412a35d44cf5deec2f9dcfc95c51266304a8cb4df8b95caaf56a2a9656511a
Instruction Fuzzy Hash: 59110471509380AFD311CF15CC45F26FFB8EF86620F09809FE8489B682D325B909CBA6

Function 0103ABC1 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0103AC20

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 4daa0f05f02cc70655675e457085c571cc1b5fedfaba0d5fdc7589b8931e5362
Instruction ID: 30148d73311e14728e7ddd7c105f9bfc54a2e4acf1df8fc504c71a1edef52b74
Opcode Fuzzy Hash: 4daa0f05f02cc70655675e457085c571cc1b5fedfaba0d5fdc7589b8931e5362
Instruction Fuzzy Hash: E11160715093C49FDB128F25DC44A52BFF4EF47220F0884DAED848F253C275A548DBA2

Function 0103A2D2 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0103A330

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d6de4b3bdde79e9ff3cc753a8f672bf7be735ee93bea22f35a63886aa436526a
Instruction ID: 4f482056d484507e8366a656257035590f34d876faf09c7a24dc03950789b151
Opcode Fuzzy Hash: d6de4b3bdde79e9ff3cc753a8f672bf7be735ee93bea22f35a63886aa436526a
Instruction Fuzzy Hash: 8D1191759093C4AFD7128B15DC44762BFA8EF47224F0D80DAEDC48B253C266A809DB62

Function 054510F6 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0545113E

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 34134a3c8f995b0485ad2b8d06a6ffd88e6afa62f02bb5ec5ece507bc61ef405
Instruction ID: a97da32cbb541e6b3b3e51402878421e6943deee1e7cd76c492654e877ad98df
Opcode Fuzzy Hash: 34134a3c8f995b0485ad2b8d06a6ffd88e6afa62f02bb5ec5ece507bc61ef405
Instruction Fuzzy Hash: C6115E756042449FEB10CF2AD885BA6FBE8EF08220F08D4EBDD89CB756D675E504CB61

Function 0103BA22 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,D219E75E,00000000,00000000,00000000,00000000), ref: 0103BA75

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 719a942d8280605bb28adff136617dd7b3f999ab6dffad379e9f109ed4f12dcb
Instruction ID: 7d98edd8c807b1b140147135754b594433538b8dc99c2ad6cd4e7dbdc44ec815
Opcode Fuzzy Hash: 719a942d8280605bb28adff136617dd7b3f999ab6dffad379e9f109ed4f12dcb
Instruction Fuzzy Hash: FB01F975500A04AEE710CF45DC84BA6F7DCDF45729F08C096EE448B751D774E909CAB9

Function 05450F56 Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05450FA2

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 7956f69bed1a7aa1bdf4de57b1e22e808df8c58b6553c952a458c81c4a99aea2
Instruction ID: b390f3af53bf0c0e3e46e834cdda5f650ec5b998856fa1d59ba0530e2b4640e9
Opcode Fuzzy Hash: 7956f69bed1a7aa1bdf4de57b1e22e808df8c58b6553c952a458c81c4a99aea2
Instruction Fuzzy Hash: C81182365002449FDB20CF55D884BA2FBE5FF08320F08C49AED498B656D375E558DF62

Function 0545104E Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 0545109E

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 1507aeec4c3f3124d2a4963997ca4cfb94abdda940cafae21f0b0753db709f8b
Instruction ID: 2d98ce682fafaed84f00af36f128125ef0b2df26e9daf373ea74936ef1f80568
Opcode Fuzzy Hash: 1507aeec4c3f3124d2a4963997ca4cfb94abdda940cafae21f0b0753db709f8b
Instruction Fuzzy Hash: 7B01B171600200AFD310DF1ACC45B66FBE8FB88A20F14812AED089BB41D731F916CBE5

Function 0103AFBA Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0103AFFE

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5634afab776d4e5dca603f337c7367980ec1da75e6e94f654655b6d8cb3a04a1
Instruction ID: 9a9fbcdf1fff9e793d71d1022db778bede448810c229191ea02b2d0471d6b9b9
Opcode Fuzzy Hash: 5634afab776d4e5dca603f337c7367980ec1da75e6e94f654655b6d8cb3a04a1
Instruction Fuzzy Hash: 7401C036500340DFDB218F55D984B56FBE4EF48324F08C89AEE998B652C376E018DFA2

Function 0103BEAE Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0103BEFE

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 41315aa0d1a4e886f288ba90a8dd4bedcb2215fe8e3479a7e13a4a3d2fa6e43e
Instruction ID: 77d21f9145a4ad95e708586a951d015d593a63113ce5ef167446d6849f8e4f03
Opcode Fuzzy Hash: 41315aa0d1a4e886f288ba90a8dd4bedcb2215fe8e3479a7e13a4a3d2fa6e43e
Instruction Fuzzy Hash: 4B01A271500600ABD210DF1ACC46B66FBE8FB89A20F14811AED089BB41D771F916CBE6

Function 0103A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0103A780

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 340fef2df142eea9f000e72e54ef0514d7b53beb229084f90d8b27168b5a9f32
Instruction ID: 6b2064668e8c425c4e11eed2dbb96b5ac38914ce83de33e5d54548b2a6eb40a1
Opcode Fuzzy Hash: 340fef2df142eea9f000e72e54ef0514d7b53beb229084f90d8b27168b5a9f32
Instruction Fuzzy Hash: CC018F75A00240CFEB118F19DD85766FBE8EF45220F08C4ABDD8ACB756D275E508CAA2

Function 05451346 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05451378

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e9aca94d6f03a725005242ba9db5a898ec7acd3f65b1be525b13a28df0a4a251
Instruction ID: e2a7708dbeb1c61ff6939e7e860046bf03fd07d54115ca2cfdecb3a1fc62e5dc
Opcode Fuzzy Hash: e9aca94d6f03a725005242ba9db5a898ec7acd3f65b1be525b13a28df0a4a251
Instruction Fuzzy Hash: 430184759042408FEB10CF15D984BA6FBE4EF45230F08D4ABDE898BB56D675E508CBA2

Function 054503EA Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 0545043A

Memory Dump Source

Source File: 00000003.00000002.4114948515.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5450000_chargeable.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 39857d38645db3b70eae24cc99d02267ee136f3ff871011a9a4963a99ad900ea
Instruction ID: 0e2e639f166436cd95153f959f1bdbf173b25e91b81ae940d1d74d0ac4527ec7
Opcode Fuzzy Hash: 39857d38645db3b70eae24cc99d02267ee136f3ff871011a9a4963a99ad900ea
Instruction Fuzzy Hash: 1C01D671500600AFD310DF1ACC46B66FBE8FB89A20F14815AED089BB41D731F916CBE6

Function 0103ABEE Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0103AC20

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: b75027ea300c29914e8bfe555db38bbcf2457e5e4388eae1274c148f90fa2ed1
Instruction ID: 14d9240fd5b132e39cedfb511b62974004d08b8f2ddb04d599ec82f6016f9280
Opcode Fuzzy Hash: b75027ea300c29914e8bfe555db38bbcf2457e5e4388eae1274c148f90fa2ed1
Instruction Fuzzy Hash: 5F01D675A04244CFDB10CF15D884766FBE4EF45320F08C4AADD88CF746D279A548CBA2

Function 0103A2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0103A330

Memory Dump Source

Source File: 00000003.00000002.4107275319.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103a000_chargeable.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0e34dcb37386eb6833aed61674481e40e9192b9e9584321f669bc49d480ed9d3
Instruction ID: bcb1628a977f8bc8024bf8ba07bb92d3ad1324afa8be96b05d76f428d1bf16ae
Opcode Fuzzy Hash: 0e34dcb37386eb6833aed61674481e40e9192b9e9584321f669bc49d480ed9d3
Instruction Fuzzy Hash: 3FF0AF35A04244CFDB108F09D884765FBE4EF45325F08C09AED898B752D2B5A408CAA2

Function 01430814 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4111161537.0000000001430000.00000040.00000020.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1430000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820ffe02e145f41106f1ea68f3f892624e631630082448f653dcbdd7849a5f03
Instruction ID: 09f125eb189ff55b9da00fbb57b006842ad7e6c941feb2365aec8e2110ece07f
Opcode Fuzzy Hash: 820ffe02e145f41106f1ea68f3f892624e631630082448f653dcbdd7849a5f03
Instruction Fuzzy Hash: F711A2306042449FD719CB15D580B16BBA5ABCD708F24CAAEE9491BB63C777D807CA81

Function 0143064B Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4111161537.0000000001430000.00000040.00000020.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1430000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67162ee5c90c1f1731a1696699d9b00cd1dd68af4c6f39c22db426d5591259d
Instruction ID: 092a6e62a2c68fff449b57889072be357708287f5b7d2a42d39af93df4b53c0c
Opcode Fuzzy Hash: a67162ee5c90c1f1731a1696699d9b00cd1dd68af4c6f39c22db426d5591259d
Instruction Fuzzy Hash: 2E01DB7240D3C05FD3128F119C50853BFB8DF8712070984EFE848CB653D225A809C776

Function 014305E0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4111161537.0000000001430000.00000040.00000020.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1430000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b928b9345378dc1ff9a524c94a041b76278da965a146269ceb36796dddac68
Instruction ID: 580ce91e5124d7ceb1c7f47d1c1f11baf29016fb27fea70b366fb71cfd22c51f
Opcode Fuzzy Hash: 46b928b9345378dc1ff9a524c94a041b76278da965a146269ceb36796dddac68
Instruction Fuzzy Hash: A501F9755497C06FC7018F15EC40893FFE8EF86230709C4ABE8498B613D225B919CBB5

Function 01430805 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4111161537.0000000001430000.00000040.00000020.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1430000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef81c2e7efa67a6dbefbbd85c4edc094d351b4e747c672d5e60207753e54cd5
Instruction ID: d420adfa3b81850990056abc88b513f0fc80f81d87b1b3099f06658b0247b6bf
Opcode Fuzzy Hash: 8ef81c2e7efa67a6dbefbbd85c4edc094d351b4e747c672d5e60207753e54cd5
Instruction Fuzzy Hash: FA113334509384DFC716CB14C590B15BFB1AF8A618F18C6EEE4895B763C33A9816CB41

Function 014308D0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4111161537.0000000001430000.00000040.00000020.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1430000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e1c6324d431d8898d05c4f184fa73b81ea7543c773894a6020088d6b5dab9c
Instruction ID: 12bea691b8fa707c541ee20c552d96ee106b0e6e6821ca2a995b36759045470d
Opcode Fuzzy Hash: 26e1c6324d431d8898d05c4f184fa73b81ea7543c773894a6020088d6b5dab9c
Instruction Fuzzy Hash: A5F01935148644DFC716CF04D980B16FBA2EB89718F24CAADE9491BB62C737E813DA81

Function 01430606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4111161537.0000000001430000.00000040.00000020.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1430000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659182d74d8f65d2d1dc8fca8d739865fff616dfb062b06c650f83fc6dc21a86
Instruction ID: ec8b2f2445406c23d4283fa5c97b3bb69433a75777460462c57bf53302027afe
Opcode Fuzzy Hash: 659182d74d8f65d2d1dc8fca8d739865fff616dfb062b06c650f83fc6dc21a86
Instruction Fuzzy Hash: A3E092B66006445B9750CF0AEC81452F7D8EB84630708C07FDD0D8B701D636B509CAA6

Function 010323F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4107205096.0000000001032000.00000040.00000800.00020000.00000000.sdmp, Offset: 01032000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1032000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a30d55328179c2e28dd1c3b8062b0c2ebde62069ccac438ca4f4f03d70fafe0
Instruction ID: f0b94b9c4bdf1718df754bdd01146448082668024e2e9c19de598f9318e8f9ad
Opcode Fuzzy Hash: 9a30d55328179c2e28dd1c3b8062b0c2ebde62069ccac438ca4f4f03d70fafe0
Instruction Fuzzy Hash: 03D05E792056C14FE716DA1CC1A4B953BE8AB91714F4A44FDE8408BB63CB68E5D1D604

Function 010323BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4107205096.0000000001032000.00000040.00000800.00020000.00000000.sdmp, Offset: 01032000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1032000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8d9f12387adb49dfa38219707b660c2784e2c3ff941ab6c6b6081102e041b6
Instruction ID: 0062e9f3d29d3fe4bfd2d5755b5c5fd8f040230e2f13128ef6b2f57ce2829e7b
Opcode Fuzzy Hash: 6d8d9f12387adb49dfa38219707b660c2784e2c3ff941ab6c6b6081102e041b6
Instruction Fuzzy Hash: AED05E352402814BD715DA0CC2D4F597BD8AB80B14F0684F8AC508B762C7A4D8C0CA04

Analysis Process: chargeable.exePID: 6304, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	19.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	54
Total number of Limit Nodes:	3

Executed Functions

Function 056B0DFA Relevance: 1.6, APIs: 1, Instructions: 69
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL(?,?), ref: 056B0E73

Memory Dump Source

Source File: 00000004.00000002.1817915150.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_56b0000_chargeable.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 865b6d6e73314ca123dfcb99a4b10f2f3677c44abe2c1ec6b0f05829a1b2a730
Instruction ID: 9903cb31b84d223a1cc61fdc7cf13750f25ebac9473f161f4be85f44d1554a88
Opcode Fuzzy Hash: 865b6d6e73314ca123dfcb99a4b10f2f3677c44abe2c1ec6b0f05829a1b2a730
Instruction Fuzzy Hash: DE2192B54093C49FEB12CF21D855BA2BFE0AF06324F1D84DED9C44F253D266554ACB62

Function 056B0EB9 Relevance: 1.6, APIs: 1, Instructions: 62nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 056B0F24

Memory Dump Source

Source File: 00000004.00000002.1817915150.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_56b0000_chargeable.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 5b19d71a1788eb5bfed320083793a283874cbfc7e3cbcf8c27b4b3b54f172a9a
Instruction ID: 60a1acc26227fb4b17d45ca620f0fff706e67327469c23e251ae3ea1239fbd53
Opcode Fuzzy Hash: 5b19d71a1788eb5bfed320083793a283874cbfc7e3cbcf8c27b4b3b54f172a9a
Instruction Fuzzy Hash: 5C119071409380AFEB228F51DC44AA2FFB4EF46320F0884DAED848F662C275A558DB61

Function 056B0EE6 Relevance: 1.5, APIs: 1, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 056B0F24

Memory Dump Source

Source File: 00000004.00000002.1817915150.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_56b0000_chargeable.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: a971f3b0a2cdfbbbc35c2e41dade4a5b9424c13f8a784363311363da07b3e534
Instruction ID: 1b405c879ad3fcfe9465293f3b95fcc0a304adff247b2b73ee103e2404e41784
Opcode Fuzzy Hash: a971f3b0a2cdfbbbc35c2e41dade4a5b9424c13f8a784363311363da07b3e534
Instruction Fuzzy Hash: 7E0180755002009FEB20CF55D944BA6FFE5EF04320F08C49ADD498B715D375E558CB62

Function 056B0E3E Relevance: 1.5, APIs: 1, Instructions: 40nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 056B0E73

Memory Dump Source

Source File: 00000004.00000002.1817915150.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_56b0000_chargeable.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d6d30be82f02bfc5acd3719bdcdf863037f4853816b123f4e1131a85f99d0b56
Instruction ID: 612499ce1aa199616bdf2f7983a4fed4a9cfdc6a838c5f843a424ad89584db3d
Opcode Fuzzy Hash: d6d30be82f02bfc5acd3719bdcdf863037f4853816b123f4e1131a85f99d0b56
Instruction Fuzzy Hash: 78017C719042409FEB10CF15D888BA6FBE4EF48324F0888AADD488F756D3B6A545CBA1

Function 018300D0 Relevance: 9.1, Instructions: 9145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1816689003.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1830000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff5ade80b5a3b191726fbf14d663d7cf845c39370fff59455fac3b4c554068d5
Instruction ID: f7f95455d7d7ea69090875fd8b03c7f061c6316617f055635ea5f7a1ea83cba8
Opcode Fuzzy Hash: ff5ade80b5a3b191726fbf14d663d7cf845c39370fff59455fac3b4c554068d5
Instruction Fuzzy Hash: E3145834600704CFDB25DB30C894A9AB3B6FF8A304F5185A8D55AAB7A0CF39AE45CF55

Function 018398A0 Relevance: 2.7, Instructions: 2696
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1816689003.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1830000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7e4fb45703351ad74f314258261ae17208789ffb46736fdb767f382201a324
Instruction ID: 39ea3996431195922762219bbd9775698f70005156a40f3dafd8204b210c134f
Opcode Fuzzy Hash: 8e7e4fb45703351ad74f314258261ae17208789ffb46736fdb767f382201a324
Instruction Fuzzy Hash: D5338378731520CBA609BFB8D59241F6B63EB8899D314834DCA0507388EF3C6F468BD6

Function 056B0CA1 Relevance: 1.6, APIs: 1, Instructions: 121
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000E24), ref: 056B0DA4

Memory Dump Source

Source File: 00000004.00000002.1817915150.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_56b0000_chargeable.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 256342e62ef6677ee48b6e2a29aa1a04e808c06a140850800c3158054df51d88
Instruction ID: d2e08268c2e840deec62ed282703dcd622bbfe19d8da96fd3c69b908d4f0ba76
Opcode Fuzzy Hash: 256342e62ef6677ee48b6e2a29aa1a04e808c06a140850800c3158054df51d88
Instruction Fuzzy Hash: 1B418171104340AFEB22CB65CC45FE2BFECEF06710F04499AF9898B5A2D665F949CB60

Function 056B0CDA Relevance: 1.6, APIs: 1, Instructions: 97
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000E24), ref: 056B0DA4

Memory Dump Source

Source File: 00000004.00000002.1817915150.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_56b0000_chargeable.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d5da712a533135414dc42b7c5ba208a06f0ad4068008f395de72b89ce38bea0b
Instruction ID: 48608b628679b88d2be8fded21a7825e6bf78934a74d5571e20c21e6859d25d5
Opcode Fuzzy Hash: d5da712a533135414dc42b7c5ba208a06f0ad4068008f395de72b89ce38bea0b
Instruction Fuzzy Hash: FA316075100204AFEB31CB65CD45FA7FBECEB04710F04895AEA498A691D7B1F949CB64

Function 056B0431 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?), ref: 056B04B3

Memory Dump Source

Source File: 00000004.00000002.1817915150.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_56b0000_chargeable.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: e4dd85a6b46dce8ccdf4035926403c46729bb5a8f8b44db2c054d8fddb676b97
Instruction ID: 787293d6e2e4840b89b8d0b3e98723645ff8411e94c7d18c0fbb19165fc0c7a4
Opcode Fuzzy Hash: e4dd85a6b46dce8ccdf4035926403c46729bb5a8f8b44db2c054d8fddb676b97
Instruction Fuzzy Hash: 4F21C7715083809FEB22CF25DC44B62BFF4EF06320F08859AE9858F663D275E804CB61

Function 056B1009 Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 056B107D

Memory Dump Source

Source File: 00000004.00000002.1817915150.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_56b0000_chargeable.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 94ad3ea8fb0ab959cd5950bdc69801107f9903b6f7f7b0e33edaf228d3a20808
Instruction ID: d6d2cccd6033fbc28990f6229d089ee49cbd0a903afadc02735219e1427f9fb5
Opcode Fuzzy Hash: 94ad3ea8fb0ab959cd5950bdc69801107f9903b6f7f7b0e33edaf228d3a20808
Instruction Fuzzy Hash: 8B218C714093C0AFDB128B25DC44A92BFB4EF07220F0984DAE9848F663D265A858DB62

Function 056B0006 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 056B0082

Memory Dump Source

Source File: 00000004.00000002.1817915150.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_56b0000_chargeable.jbxd

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: 0cafb01cacc819196b217271159b34df84811397453aa8b251bc054ce240a248
Instruction ID: 7c17776f9dd08b40c5f25b818201fcd8de618460a7fb1c2931b0f1aca742011e
Opcode Fuzzy Hash: 0cafb01cacc819196b217271159b34df84811397453aa8b251bc054ce240a248
Instruction Fuzzy Hash: 7811C4B15093806FC311CB15CC45F66FFB8EF86620F09819FE8489B692D725B919CBA6

Function 056B139B Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 056B1405

Memory Dump Source

Source File: 00000004.00000002.1817915150.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_56b0000_chargeable.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5936e098e1e7e0d7af9b4d71dcd00c466abd8c19b9e590a9c3864d7791357698
Instruction ID: 2d59751135cb4f416c02c810e49dbf8088c713fcabcda7a69c09be5ee2fb013c
Opcode Fuzzy Hash: 5936e098e1e7e0d7af9b4d71dcd00c466abd8c19b9e590a9c3864d7791357698
Instruction Fuzzy Hash: 8A11E271408380AFDB228F11DC45B52FFB4EF06324F0884EEED858B663C275A819CB62

Function 056B0462 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?), ref: 056B04B3

Memory Dump Source

Source File: 00000004.00000002.1817915150.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_56b0000_chargeable.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 47a04ab2ad3e00f7f0312d0e8022936f38b1e0d97897a12b98c1688b3a8d0e31
Instruction ID: 0fa1fa3e27ce697e35400ad76fbf0d3e16b58c65d6401eb7c9e5c10d2ddfa735
Opcode Fuzzy Hash: 47a04ab2ad3e00f7f0312d0e8022936f38b1e0d97897a12b98c1688b3a8d0e31
Instruction Fuzzy Hash: FD114C75504244DFEB20CF55D988BA6FBE8FF04320F08856ADD498BB52D3B5E448CB62

Function 056B0032 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 056B0082

Memory Dump Source

Source File: 00000004.00000002.1817915150.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_56b0000_chargeable.jbxd

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: ecb30cfe9524ec3975d9875d742fdc80ba344a5142b5e0db9db8c7073e09a4ce
Instruction ID: 968756b8a52c8dc672897c4f5bc75c5d7f2ff8722028f596c0e3e0e25ccf7902
Opcode Fuzzy Hash: ecb30cfe9524ec3975d9875d742fdc80ba344a5142b5e0db9db8c7073e09a4ce
Instruction Fuzzy Hash: E301A271500600ABD310DF1ACC46B66FBE8FB89B20F14811AED089BB41D731F916CBE9

Function 056B13CA Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 056B1405

Memory Dump Source

Source File: 00000004.00000002.1817915150.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_56b0000_chargeable.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 474904cdca8254e490a15677a5767019a71c65ef7655298d62fcfa1032fc36a8
Instruction ID: 5794d721744787af5393f7a608f67a9da792a03a781988b8da136a594099331c
Opcode Fuzzy Hash: 474904cdca8254e490a15677a5767019a71c65ef7655298d62fcfa1032fc36a8
Instruction Fuzzy Hash: 3901B5359002009FEB208F15D844BA6FBE4EF05324F08C56ADD454BB51D3B1E458CB62

Function 056B1042 Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 056B107D

Memory Dump Source

Source File: 00000004.00000002.1817915150.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_56b0000_chargeable.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e6fc172b9b66c2338e2d83775b91e37971c8ab288476d1de0239e43c4d67036b
Instruction ID: 5e7540f3aee803f70efbc48fc0db04ca8142db51a5a8ef305507d7a291f3bd33
Opcode Fuzzy Hash: e6fc172b9b66c2338e2d83775b91e37971c8ab288476d1de0239e43c4d67036b
Instruction Fuzzy Hash: 69018F35904240DFEB20CF05D984BA2FBE0EF05324F08C49ADD494B762C7B5A458CB62

Function 0183CE20 Relevance: 1.3, Instructions: 1282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1816689003.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1830000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d198867330c4214465b100d32ad91ff18f40e00cdc5dc596a7caf21d5d67d485
Instruction ID: 82917a1b3a07ddcdc3a786164a1862507299e5d2f4d7492a6891e85c38c6f10e
Opcode Fuzzy Hash: d198867330c4214465b100d32ad91ff18f40e00cdc5dc596a7caf21d5d67d485
Instruction Fuzzy Hash: 33B13C75A002059FDB14CBA8D890BADFBF2BF88310F598166E514EB291DB31AD42CB91

Function 0183C630 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1816689003.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1830000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebe3edb2316002eb698161f36efbf3066f56b6c659567ebcfac8b6e7ca78fc2
Instruction ID: 74d28b5a5f23f3e8586e6dc9a703677bcd49405387368f4e38d9b0149a25d07a
Opcode Fuzzy Hash: 9ebe3edb2316002eb698161f36efbf3066f56b6c659567ebcfac8b6e7ca78fc2
Instruction Fuzzy Hash: BF411571B001155FDB169BA8C881BBEBBE2ABC5314F18853AD504DF382DB34AD4197E1

Function 0183CB00 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1816689003.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1830000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30188f87b21e1183aea8484d55d59965dfff83a20471a458d99d9136fb8aab06
Instruction ID: 2ce4cf676e8dbdc6d08c7e96dbc0294a77820059bdc8b1c4e09ff09e75533e3f
Opcode Fuzzy Hash: 30188f87b21e1183aea8484d55d59965dfff83a20471a458d99d9136fb8aab06
Instruction Fuzzy Hash: 30319730F002198BDB699F79849567E7AF2ABC8754F19802BD402FB380DF348E469BD1

Function 0183CC9F Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1816689003.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1830000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09b0c0d7e37dcf908b40fcd9f53f810af9127de39fd74ad4a314b6ec9a0e286
Instruction ID: c35038b92ecfcd65ce33235dd8688837c275f01adddacb2608795375331cc3f6
Opcode Fuzzy Hash: d09b0c0d7e37dcf908b40fcd9f53f810af9127de39fd74ad4a314b6ec9a0e286
Instruction Fuzzy Hash: F0219A71E0021A9FCB10DFB49851AEEBBB6EFC9210F15443AD601FB280DB744902CBA1

Function 0183C7C0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1816689003.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1830000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e37609f81189c7700b8e6d29cb1a4917a9bc2ce62f27af4ff5d88453203405
Instruction ID: 22a20523651cc8ec0d8cd62058da15fc0b67876115888c1f2de90811e16cf76f
Opcode Fuzzy Hash: 67e37609f81189c7700b8e6d29cb1a4917a9bc2ce62f27af4ff5d88453203405
Instruction Fuzzy Hash: 6421B035B04212CBC721CB69D89046EBBA1FF8832871A4566D916E7345EB38DF44CBD1

Function 01840736 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1816724494.0000000001840000.00000040.00000020.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1840000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f788b090866e1acfc74ff4a030434f42b6afe17d0612babe35b9acf23bfe8721
Instruction ID: 9ab797f75cde92823c4a2b0265b79895f8ad45b46c588133f9492c6a34d533fa
Opcode Fuzzy Hash: f788b090866e1acfc74ff4a030434f42b6afe17d0612babe35b9acf23bfe8721
Instruction Fuzzy Hash: E92159355093C58FD7038B24C990B55BFB1AF47218F1A86EED4858B6A3C62A8806DB52

Function 0184076C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1816724494.0000000001840000.00000040.00000020.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1840000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384ec7496bf3c49c70a99cc86f575ebeadfecb425f6066d0ed7c30315850d0fc
Instruction ID: 440f5cadf36d4c9ce3f0706ebddcb806dbca1ee7e1b53979f27455bb490e25f6
Opcode Fuzzy Hash: 384ec7496bf3c49c70a99cc86f575ebeadfecb425f6066d0ed7c30315850d0fc
Instruction Fuzzy Hash: A111D534244248DFD711CB14C980F67BB91EB89708F24C59CEA494BB42CB7BD903CA82

Function 01830014 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1816689003.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1830000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8436b085fa7d60b6010ba76b0d375c116aeb7b7580b803ddb7cb80c9edabf1ca
Instruction ID: 097313d6c0f506c57e38768a7adda75e787d8fe8ef72d30c13fe44f38e254d0c
Opcode Fuzzy Hash: 8436b085fa7d60b6010ba76b0d375c116aeb7b7580b803ddb7cb80c9edabf1ca
Instruction Fuzzy Hash: 9F01462258E3C28FC74367B048204A87FB09E5312070E45EBC4E5DE0A3EA5D4C4AC76A

Function 01839819 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1816689003.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1830000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b786459a8e48a29d865af8b2c3b0ef50fe94e8a68d11ab1f5600647e10ecbc4b
Instruction ID: 9204afaffb79969a91a2df01aa95c4fe02f007500975f4d7d5a35fbb5bc34e1c
Opcode Fuzzy Hash: b786459a8e48a29d865af8b2c3b0ef50fe94e8a68d11ab1f5600647e10ecbc4b
Instruction Fuzzy Hash: 14F0F431B443109FD7225634AC01B2E36D1DBCAB14F29417AE200DF390CEB58C028395

Function 018405E5 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1816724494.0000000001840000.00000040.00000020.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1840000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348d8107976586b50ada061d8b69278ac3af7a794ab1454eb0be9d77d5bc0c05
Instruction ID: 5f597e507749b5f07013eaee273537cf749a55806680933950e8165c666c4362
Opcode Fuzzy Hash: 348d8107976586b50ada061d8b69278ac3af7a794ab1454eb0be9d77d5bc0c05
Instruction Fuzzy Hash: C7F0A9B65093806FD7118B159C40863FFA8DB86630709C49FEC498B612D225A909CB75

Function 01839828 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1816689003.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1830000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32611808c4e826f441f15c5a55fd84a95b481c29687a2c52862a152ee404837
Instruction ID: 3645ef90534d667d1d0742780c04b97017c8a574d5ed85662783cf10beff28b6
Opcode Fuzzy Hash: c32611808c4e826f441f15c5a55fd84a95b481c29687a2c52862a152ee404837
Instruction Fuzzy Hash: F7F02B31F40320ABD6216739A811B2E71D6DBC9B58F29413AE605EF3C4DEB59C0247D9

Function 01840828 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1816724494.0000000001840000.00000040.00000020.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1840000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e1c6324d431d8898d05c4f184fa73b81ea7543c773894a6020088d6b5dab9c
Instruction ID: 6b52d768d1214b18714205b3dab44010fd9b9aa9dfb6d63f9ab59be7e41f66f7
Opcode Fuzzy Hash: 26e1c6324d431d8898d05c4f184fa73b81ea7543c773894a6020088d6b5dab9c
Instruction Fuzzy Hash: E6F01D35144648DFC316CB44DA80F56FBA2EB89718F24CAADE9490B752C737D913DE81

Function 01840606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1816724494.0000000001840000.00000040.00000020.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1840000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0978c9de5b5dc2b7d9fe6343512923648cfdfb122ba98cedd05663f35c5ba8
Instruction ID: 704cb9f27f36e2ffbefc468c9ec85ce036498b91730532ca04fc917d08e1499c
Opcode Fuzzy Hash: ed0978c9de5b5dc2b7d9fe6343512923648cfdfb122ba98cedd05663f35c5ba8
Instruction Fuzzy Hash: 22E092B6A046005B9750CF0AEC41452F7D8EB84630708C47FDC0D8BB11D635B908CAA5

Function 018300A0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1816689003.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1830000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a22583f834f70b1affb8720eac88dfd201b162777bf01f0ebc9e66870290138
Instruction ID: e34c8998155ffa3db891e1a6a0045b3331b115aa522b8479520adc2c084df332
Opcode Fuzzy Hash: 9a22583f834f70b1affb8720eac88dfd201b162777bf01f0ebc9e66870290138
Instruction Fuzzy Hash: E1D0A7737C052147C709229474104FE63D96BD7530716006BD0068F251CE8C0E0342A9

Function 015923F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1815819635.0000000001592000.00000040.00000800.00020000.00000000.sdmp, Offset: 01592000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1592000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced3a98cf0513dc28b8e7050369cb3814383f82155699200e06e894031b4ebbd
Instruction ID: c55de1c705fa16647ef0833d2d5b988f5ddbae31661596ca13d70249d36aa660
Opcode Fuzzy Hash: ced3a98cf0513dc28b8e7050369cb3814383f82155699200e06e894031b4ebbd
Instruction Fuzzy Hash: 6FD02E392006C04FEB12CA0CC2A4B893BE4BB61708F0A00FDE8008FB63C728D480C201

Function 015923BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1815819635.0000000001592000.00000040.00000800.00020000.00000000.sdmp, Offset: 01592000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1592000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f14189d2cd4310252c3108181457fbf7458885c04358f44edc8d77d4711d7e8
Instruction ID: fec75e537ece835b12a56d1a33d5a091d5d64417bbd31ebf951056d16b148755
Opcode Fuzzy Hash: 6f14189d2cd4310252c3108181457fbf7458885c04358f44edc8d77d4711d7e8
Instruction Fuzzy Hash: 85D05E342002815BDB15DA0CC2D4F5D7BD4BB40714F0644F8AC108F762C7A4D8C0CA05

Function 018300B0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1816689003.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1830000_chargeable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b37cc66b8e3ce903483252c88f918751608602310a6f6dc473278c81412e9d3
Instruction ID: feec73e147ba141958ca7e4f6ab8f21624132ad023dd6325248c3c3935a6f346
Opcode Fuzzy Hash: 7b37cc66b8e3ce903483252c88f918751608602310a6f6dc473278c81412e9d3
Instruction Fuzzy Hash: 74C09B523C493653091D319D34144AE734D69DBC65782045AD5095F351CE855D0103EE

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wzHH1r6YOi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\wzHH1r6YOi.exe.log

C:\Users\user\AppData\Roaming\confuse\chargeable.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
wzHH1r6YOi.exe

Function 04F900D0 Relevance: 9.1, Instructions: 9148
COMMON

Function 04F900E0 Relevance: 9.1, Instructions: 9140
COMMON

Function 04F998A0 Relevance: 2.7, Instructions: 2697
COMMON

Function 05110B60 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Function 00DBAC22 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Function 00DBAD19 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Function 05110F83 Relevance: 1.6, APIs: 1, Instructions: 81
registryCOMMON

Function 00DBA2AC Relevance: 1.6, APIs: 1, Instructions: 79
COMMON

Function 05110B86 Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 00DBAC52 Relevance: 1.6, APIs: 1, Instructions: 74
registryCOMMON