Edit tour

Windows Analysis Report
K59gVXTgGv.exe

Overview

General Information

Sample name:	K59gVXTgGv.exe renamed because original name is a hash value
Original sample name:	b7ca45674c6b8a24a6a71315e0e51397.exe
Analysis ID:	1465048
MD5:	b7ca45674c6b8a24a6a71315e0e51397
SHA1:	79516b1bd2227f08ff333b950dafb29707916828
SHA256:	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb
Tags:	32exetrojan
Infos:

Detection

AsyncRAT, DarkTortilla, Njrat, StormKitty

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected DarkTortilla Crypter

Yara detected Njrat

Yara detected StormKitty Stealer

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries Google from non browser process on port 80

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the program root directory (C:\Program Files)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

K59gVXTgGv.exe (PID: 5160 cmdline: "C:\Users\user\Desktop\K59gVXTgGv.exe" MD5: B7CA45674C6B8A24A6A71315E0E51397)

cmd.exe (PID: 1876 cmdline: "cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\K59gVXTgGv.exe" "C:\Program Files (x86)\Google Chrome sandbox.exe.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Program Files (x86)\Google Chrome sandbox.exe.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 1276 cmdline: ping 127.0.0.1 -n 43 MD5: B3624DD758CCECF93A1226CEF252CA12)

PING.EXE (PID: 5060 cmdline: ping 127.0.0.1 -n 43 MD5: B3624DD758CCECF93A1226CEF252CA12)

Google Chrome sandbox.exe.exe (PID: 2364 cmdline: "C:\Program Files (x86)\Google Chrome sandbox.exe.exe" MD5: B7CA45674C6B8A24A6A71315E0E51397)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

Threatname: AsyncRAT

{"Server": "127.0.0.1", "Ports": "6606,7707,8808", "Telegram C2": "https://api.telegram.org/bot7095863454:AAFGhBQqJXY7rFzi0CT99qZPVRwQpKI6R1A/sendMessage?chat_id=7257613869", "Version": "", "AES_key": "VIfxfqryUTyZUBGDCBAvbYVYIsexIM7Z", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OBaK0EGWuj7WuAcQPCCGuzHpDqFZbXR7iRqVn6TiLRsO0LCMB4ta4XLQ4JdTFXvnQHcGiUxHddH70T/2P2bBVY0W+PVJDzG3XUWHpYb4PVv7qaQr/DalR3qyyd5otzE1kIjJLCOCyI/9ntIcD/PbMTKVnCP4fzbnkNB+xy0PmQmx3WRWEF5q72TdgaKrCbOpR2C/+rfGIoPC6Ze6dqWO3bQLGt6jpCO8A4CtAaAYmiw1vHUOfP54BgI9ls1TjYO3Rn4R1jmhWBGV2pT5chrglgSxMzPhrxFTQljG78RlPCJmyagJbtnPL3AlV34sQggcbf+80FVeyechm/xrMTSWXrJQ+xek1HRJBDFoCJyUR7SuIUelOW24TU+rwl/2dcALLZXpjYu3/zvJjH4iaJXRCt7oWhfzIFG1bHBFr78kV9VP0H+ZNVb129eUr14F/uubAoIPAz2EHG/CXBZv9GkFuzw0NgsI1eP7AznCLdT+z91M+yB7vWtvclwQ5k6MxWDPOraG5JMjUHvKI6zvyZ4IQ2a7bUENDghxLAqIxgo7zfZMdrjbRxBlqW14oki6Um7GpGKEZ0s2Ip6K2yJHBLpbVxOYjyzrxohMguh+qvgQIDAQABozIwMDAdBgNVHQ4EFgQUmTejTtK6on20N0YJez5sAZdMe/kwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAhauA0si7sHBd06DSGJgP5vJxL2daW30wR5XbAJd0HWj3QWfl7w27iyZ5AqBT4B0ojLNuMUG8mUOvpcoq0m80qUX7TIKUULKvb+i7uGGEDxk3W5F3es/CTUUWO0QlseWx9QEYziGlp6f3tkP4PTGSL0DywVRSa8l6f/B5kqwnW17CbQfJZ8vmy5snpDO/avgYssUnQtKQPhos7GbokNHps/bxEIRfLeprzQox20dw4RV59LcorjP5QV7Vc6FuYmhzC0nfRetTHckyxg66O3ekfTVs87MLiDV0ipQ+D/6k3g6DRuTdd4V2khjtI56ujSqTQ2PueNQXPu8y2fdsT2Rd1LcfxMS1xKAhSwhHfyy0I3JwzPG1D+sm3QNJEOoJviSNn5fYOFpY+mSEkFNMMeEbwOFdHxWbkiJk/Z8VwdH5I52tkHU3sRQMuZHtcKUc/SIt5Ivv6gtuEZQdm1GE6KUdiRB95s8JVGNlCcHX5bXbScu4eKCRQn3Cl+m5KR4EzI6hVP/iDRhVKj7Dn/blOHLzhNS5vW4X085dTP+1TBL8CHpQpiA3t8LfqfV1b/+WahOd3jNBNTXXfe/AQSjErgctLMdmOBpUQaJLOlcDcKGxWQdOo102nxg8Y/kFDARccywugoQxuIZpMYq74tjnJlJZ9kqR/LPrjmvx4v+0XFsaCPE=", "ServerSignature": "J7XpD4w+JaFzTixc0nCmiRA4ZP4bPCIpEYYGofNxvC1+0OsFQr56oTWwQMosnOTB64TZRGSdXVHKzjVchQf7X5Uwu/KQU61NPArjxWVScwKZXOGS4ZNzsWbrxgztkmlyRlQgvEq4rdFsqy1bfvHEoQ/s9aDXBNoLPPjJOexTRQSGuZYMpGSUD+ZUiVwPqqFWTb8KcjEMyABMeXGKfia2e9u8ePKpWv4HSiOfl6N47tTtIfN2FW/2mCX7BOnIZwCl3UxaQnITN812tHD1enX9TK86R91F02c0wabnf4oC07S3cqiXYo1yZ5y3dDnnERLagBuX1bemwzX/7DjHkfOaIPLgAAO8vGHbQX3pPqmwC88sG1+FExp3FEKMITnQTqQr5uXa5GjggFUSFr9rt2nfcjEjHRnOzX1jpsUUtuDyqoAFhdosdv46x+o5Iod34II88nouxzyzAfMSa48ozukJ3fCknI6u9fj/it1dx0GimhXUv4YG4A19n3EdvJbaxZXImHZvqiYGsHTIUtxa89QhxCpuJPKdTP7ya5rJFkDT0Z8ijH4Z1Dv42umyEN6PT99JRuJHcXSqkXfOeOilnM6YRY019FHq6udNVWn5OQetK4ULVcQmwPTV26ZRPyrqO57Rjr5LeSauZtNKTE/kmS1iR3eMtq5PsAHunrHZPzzaUhY=", "Group": "Default"}

Threatname: Njrat

{"Host": "194.26.192.92", "Port": "5552", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "server.exe", "Install Dir": "TEMP"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xe0f1:$a1: get_Registry 0xfb16:$a3: Download ERROR 0xfe08:$a5: netsh firewall delete allowedprogram "
00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xfcfe:$a1: netsh firewall add allowedprogram 0xfef8:$b1: [TAP] 0xfe9e:$b2: & exit 0xfe6a:$c1: md.exe /k ping 0 & del
00000000.00000002.2390410734.0000000006900000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2388229518.00000000040D5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x41511:$a1: get_Registry 0x42f36:$a3: Download ERROR 0x43228:$a5: netsh firewall delete allowedprogram "
00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4311e:$a1: netsh firewall add allowedprogram 0x43318:$b1: [TAP] 0x432be:$b2: & exit 0x4328a:$c1: md.exe /k ping 0 & del
00000000.00000002.2386535902.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x323da:$a1: get_Registry 0x33dff:$a3: Download ERROR 0x340f1:$a5: netsh firewall delete allowedprogram "
00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	RAT_njRat	Detects njRAT	Kevin Breen <kevin@techanarchy.net>	0x335c9:$s1: 7C 00 27 00 7C 00 27 00 7C 0x33fe7:$s2: netsh firewall add allowedprogram 0x33549:$s3: Software\Microsoft\Windows\CurrentVersion\Run 0x23861:$s4: yyyy-MM-dd 0x23e3f:$s4: yyyy-MM-dd 0x28e1a:$s4: yyyy-MM-dd 0x58ad7:$s4: yyyy-MM-dd 0x590b5:$s4: yyyy-MM-dd 0x5e090:$s4: yyyy-MM-dd 0x34151:$v1: cmd.exe /k ping 0 & del
00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x33fe7:$a1: netsh firewall add allowedprogram 0x341e1:$b1: [TAP] 0x293ba:$b2: & exit 0x34187:$b2: & exit 0x5e630:$b2: & exit 0x34153:$c1: md.exe /k ping 0 & del
00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x293cc:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x5e642:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2594d:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x5abc3:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x679ea:$a1: get_Registry 0x9cc7a:$a1: get_Registry 0xd1efa:$a1: get_Registry 0x6940f:$a3: Download ERROR 0x9e69f:$a3: Download ERROR 0xd391f:$a3: Download ERROR 0x69701:$a5: netsh firewall delete allowedprogram " 0x9e991:$a5: netsh firewall delete allowedprogram " 0xd3c11:$a5: netsh firewall delete allowedprogram "
00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	RAT_njRat	Detects njRAT	Kevin Breen <kevin@techanarchy.net>	0x68bd9:$s1: 7C 00 27 00 7C 00 27 00 7C 0x9de69:$s1: 7C 00 27 00 7C 00 27 00 7C 0xd30e9:$s1: 7C 00 27 00 7C 00 27 00 7C 0x695f7:$s2: netsh firewall add allowedprogram 0x9e887:$s2: netsh firewall add allowedprogram 0xd3b07:$s2: netsh firewall add allowedprogram 0x68b59:$s3: Software\Microsoft\Windows\CurrentVersion\Run 0x9dde9:$s3: Software\Microsoft\Windows\CurrentVersion\Run 0xd3069:$s3: Software\Microsoft\Windows\CurrentVersion\Run 0x58e71:$s4: yyyy-MM-dd 0x5944f:$s4: yyyy-MM-dd 0x5e42a:$s4: yyyy-MM-dd 0x8e101:$s4: yyyy-MM-dd 0x8e6df:$s4: yyyy-MM-dd 0x936ba:$s4: yyyy-MM-dd 0xc3381:$s4: yyyy-MM-dd 0xc395f:$s4: yyyy-MM-dd 0xc893a:$s4: yyyy-MM-dd 0x69761:$v1: cmd.exe /k ping 0 & del 0x9e9f1:$v1: cmd.exe /k ping 0 & del 0xd3c71:$v1: cmd.exe /k ping 0 & del
00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x695f7:$a1: netsh firewall add allowedprogram 0x9e887:$a1: netsh firewall add allowedprogram 0xd3b07:$a1: netsh firewall add allowedprogram 0x697f1:$b1: [TAP] 0x9ea81:$b1: [TAP] 0xd3d01:$b1: [TAP] 0x5e9ca:$b2: & exit 0x69797:$b2: & exit 0x93c5a:$b2: & exit 0x9ea27:$b2: & exit 0xc8eda:$b2: & exit 0xd3ca7:$b2: & exit 0x69763:$c1: md.exe /k ping 0 & del 0x9e9f3:$c1: md.exe /k ping 0 & del 0xd3c73:$c1: md.exe /k ping 0 & del
00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x5e9dc:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x93c6c:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xc8eec:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x5af5d:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x901ed:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0xc546d:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: K59gVXTgGv.exe PID: 5160	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: K59gVXTgGv.exe PID: 5160	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: K59gVXTgGv.exe PID: 5160	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: K59gVXTgGv.exe PID: 5160	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: K59gVXTgGv.exe PID: 5160	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: K59gVXTgGv.exe PID: 5160	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: K59gVXTgGv.exe PID: 5160	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: K59gVXTgGv.exe PID: 5160	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2a59b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x530bd:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: K59gVXTgGv.exe PID: 5160	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x290b9:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x51bdb:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 39 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.K59gVXTgGv.exe.2f72050.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.K59gVXTgGv.exe.2f72050.0.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.K59gVXTgGv.exe.2f72050.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x46c1:$a1: get_Registry 0x60e6:$a3: Download ERROR 0x63d8:$a5: netsh firewall delete allowedprogram "
0.2.K59gVXTgGv.exe.2f72050.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x62ce:$a1: netsh firewall add allowedprogram 0x64c8:$b1: [TAP] 0x646e:$b2: & exit 0x643a:$c1: md.exe /k ping 0 & del
0.2.K59gVXTgGv.exe.2f72050.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x63d8:$s1: netsh firewall delete allowedprogram 0x62ce:$s2: netsh firewall add allowedprogram 0x6438:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x60c2:$s4: Execute ERROR 0x6122:$s4: Execute ERROR 0x60e6:$s5: Download ERROR 0x647e:$s6: [kl]
0.2.K59gVXTgGv.exe.4015f19.4.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.K59gVXTgGv.exe.4015f19.4.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.K59gVXTgGv.exe.4015f19.4.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x46c1:$a1: get_Registry 0x60e6:$a3: Download ERROR 0x63d8:$a5: netsh firewall delete allowedprogram "
0.2.K59gVXTgGv.exe.4015f19.4.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x62ce:$a1: netsh firewall add allowedprogram 0x64c8:$b1: [TAP] 0x646e:$b2: & exit 0x643a:$c1: md.exe /k ping 0 & del
0.2.K59gVXTgGv.exe.4015f19.4.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x63d8:$s1: netsh firewall delete allowedprogram 0x62ce:$s2: netsh firewall add allowedprogram 0x6438:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x60c2:$s4: Execute ERROR 0x6122:$s4: Execute ERROR 0x60e6:$s5: Download ERROR 0x647e:$s6: [kl]
0.2.K59gVXTgGv.exe.6900000.9.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.K59gVXTgGv.exe.314dc30.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.K59gVXTgGv.exe.314dc30.1.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.K59gVXTgGv.exe.314dc30.1.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x46c1:$a1: get_Registry 0x60e6:$a3: Download ERROR 0x63d8:$a5: netsh firewall delete allowedprogram "
0.2.K59gVXTgGv.exe.314dc30.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x62ce:$a1: netsh firewall add allowedprogram 0x64c8:$b1: [TAP] 0x646e:$b2: & exit 0x643a:$c1: md.exe /k ping 0 & del
0.2.K59gVXTgGv.exe.314dc30.1.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x63d8:$s1: netsh firewall delete allowedprogram 0x62ce:$s2: netsh firewall add allowedprogram 0x6438:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x60c2:$s4: Execute ERROR 0x6122:$s4: Execute ERROR 0x60e6:$s5: Download ERROR 0x647e:$s6: [kl]
0.2.K59gVXTgGv.exe.3f41529.3.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.K59gVXTgGv.exe.3f41529.3.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.K59gVXTgGv.exe.3f41529.3.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x46c1:$a1: get_Registry 0x60e6:$a3: Download ERROR 0x63d8:$a5: netsh firewall delete allowedprogram "
0.2.K59gVXTgGv.exe.3f41529.3.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x62ce:$a1: netsh firewall add allowedprogram 0x64c8:$b1: [TAP] 0x646e:$b2: & exit 0x643a:$c1: md.exe /k ping 0 & del
0.2.K59gVXTgGv.exe.3f41529.3.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x63d8:$s1: netsh firewall delete allowedprogram 0x62ce:$s2: netsh firewall add allowedprogram 0x6438:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x60c2:$s4: Execute ERROR 0x6122:$s4: Execute ERROR 0x60e6:$s5: Download ERROR 0x647e:$s6: [kl]
0.2.K59gVXTgGv.exe.40d5ef0.5.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.K59gVXTgGv.exe.6900000.9.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.K59gVXTgGv.exe.401f560.8.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.K59gVXTgGv.exe.401f560.8.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.K59gVXTgGv.exe.401f560.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.K59gVXTgGv.exe.401f560.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.K59gVXTgGv.exe.401f560.8.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.K59gVXTgGv.exe.401f560.8.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.K59gVXTgGv.exe.401f560.8.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2593f:$s1: \VPN\NordVPN 0x25925:$s2: \VPN\OpenVPN 0x25907:$s3: \VPN\ProtonVPN
0.2.K59gVXTgGv.exe.401f560.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.K59gVXTgGv.exe.401f560.8.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1018c:$x3: StormKitty 0x198ca:$s1: GetBSSID 0x197ca:$s2: GetAntivirus 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x24f7d:$s6: "encrypted_key":"(.*?)"
0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7ee6:$a3: Download ERROR 0x81d8:$a5: netsh firewall delete allowedprogram "
0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80ce:$a1: netsh firewall add allowedprogram 0x82c8:$b1: [TAP] 0x826e:$b2: & exit 0x823a:$c1: md.exe /k ping 0 & del
0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81d8:$s1: netsh firewall delete allowedprogram 0x80ce:$s2: netsh firewall add allowedprogram 0x8238:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ec2:$s4: Execute ERROR 0x7f22:$s4: Execute ERROR 0x7ee6:$s5: Download ERROR 0x827e:$s6: [kl]
0.2.K59gVXTgGv.exe.40d5ef0.5.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.K59gVXTgGv.exe.3fea2ea.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.K59gVXTgGv.exe.3fea2ea.2.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.K59gVXTgGv.exe.3fea2ea.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.K59gVXTgGv.exe.3fea2ea.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.K59gVXTgGv.exe.3fea2ea.2.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.K59gVXTgGv.exe.3fea2ea.2.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.K59gVXTgGv.exe.3fea2ea.2.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2593f:$s1: \VPN\NordVPN 0x25925:$s2: \VPN\OpenVPN 0x25907:$s3: \VPN\ProtonVPN
0.2.K59gVXTgGv.exe.3fea2ea.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.K59gVXTgGv.exe.3fea2ea.2.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1018c:$x3: StormKitty 0x198ca:$s1: GetBSSID 0x197ca:$s2: GetAntivirus 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x24f7d:$s6: "encrypted_key":"(.*?)"
0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7ee6:$a3: Download ERROR 0x81d8:$a5: netsh firewall delete allowedprogram "
0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80ce:$a1: netsh firewall add allowedprogram 0x82c8:$b1: [TAP] 0x826e:$b2: & exit 0x823a:$c1: md.exe /k ping 0 & del
0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81d8:$s1: netsh firewall delete allowedprogram 0x80ce:$s2: netsh firewall add allowedprogram 0x8238:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ec2:$s4: Execute ERROR 0x7f22:$s4: Execute ERROR 0x7ee6:$s5: Download ERROR 0x827e:$s6: [kl]
0.2.K59gVXTgGv.exe.3f158fa.7.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.K59gVXTgGv.exe.3f158fa.7.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.K59gVXTgGv.exe.3f158fa.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.K59gVXTgGv.exe.3f158fa.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.K59gVXTgGv.exe.3f158fa.7.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.K59gVXTgGv.exe.3f158fa.7.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.K59gVXTgGv.exe.3f158fa.7.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2593f:$s1: \VPN\NordVPN 0x25925:$s2: \VPN\OpenVPN 0x25907:$s3: \VPN\ProtonVPN
0.2.K59gVXTgGv.exe.3f158fa.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.K59gVXTgGv.exe.3f158fa.7.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1018c:$x3: StormKitty 0x198ca:$s1: GetBSSID 0x197ca:$s2: GetAntivirus 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x24f7d:$s6: "encrypted_key":"(.*?)"
0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2593f:$s1: \VPN\NordVPN 0x25925:$s2: \VPN\OpenVPN 0x25907:$s3: \VPN\ProtonVPN
0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1018c:$x3: StormKitty 0x198ca:$s1: GetBSSID 0x197ca:$s2: GetAntivirus 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x24f7d:$s6: "encrypted_key":"(.*?)"
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x320f0:$a1: get_Registry 0x67370:$a1: get_Registry 0x33b15:$a3: Download ERROR 0x68d95:$a3: Download ERROR 0x33e07:$a5: netsh firewall delete allowedprogram " 0x69087:$a5: netsh firewall delete allowedprogram "
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack	RAT_njRat	Detects njRAT	Kevin Breen <kevin@techanarchy.net>	0x332df:$s1: 7C 00 27 00 7C 00 27 00 7C 0x6855f:$s1: 7C 00 27 00 7C 00 27 00 7C 0x33cfd:$s2: netsh firewall add allowedprogram 0x68f7d:$s2: netsh firewall add allowedprogram 0x3325f:$s3: Software\Microsoft\Windows\CurrentVersion\Run 0x684df:$s3: Software\Microsoft\Windows\CurrentVersion\Run 0x23577:$s4: yyyy-MM-dd 0x23b55:$s4: yyyy-MM-dd 0x28b30:$s4: yyyy-MM-dd 0x587f7:$s4: yyyy-MM-dd 0x58dd5:$s4: yyyy-MM-dd 0x5ddb0:$s4: yyyy-MM-dd 0x33e67:$v1: cmd.exe /k ping 0 & del 0x690e7:$v1: cmd.exe /k ping 0 & del
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x33cfd:$a1: netsh firewall add allowedprogram 0x68f7d:$a1: netsh firewall add allowedprogram 0x33ef7:$b1: [TAP] 0x69177:$b1: [TAP] 0x290d0:$b2: & exit 0x33e9d:$b2: & exit 0x5e350:$b2: & exit 0x6911d:$b2: & exit 0x33e69:$c1: md.exe /k ping 0 & del 0x690e9:$c1: md.exe /k ping 0 & del
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x5e362:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x5a8e3:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x5c9bf:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x5c9a5:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN 0x5c987:$s3: \VPN\ProtonVPN
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x5b11b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x5b18d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x5b217:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x5b2a9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x5b313:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x5b385:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x5b41b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x5b4ab:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x4720c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x5094a:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x5084a:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x5bdcb:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.?)" 0x5bffd:$s6: "encrypted_key":"(.?)"
0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x33e07:$s1: netsh firewall delete allowedprogram 0x69087:$s1: netsh firewall delete allowedprogram 0x33cfd:$s2: netsh firewall add allowedprogram 0x68f7d:$s2: netsh firewall add allowedprogram 0x33e67:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x690e7:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x33af1:$s4: Execute ERROR 0x33b51:$s4: Execute ERROR 0x68d71:$s4: Execute ERROR 0x68dd1:$s4: Execute ERROR 0x33b15:$s5: Download ERROR 0x68d95:$s5: Download ERROR 0x33ead:$s6: [kl] 0x6912d:$s6: [kl]
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.K59gVXTgGv.exe.401f560.8.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7ee6:$a3: Download ERROR 0x81d8:$a5: netsh firewall delete allowedprogram "
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack	RAT_njRat	Detects njRAT	Kevin Breen <kevin@techanarchy.net>	0x76b0:$s1: 7C 00 27 00 7C 00 27 00 7C 0x80ce:$s2: netsh firewall add allowedprogram 0x7630:$s3: Software\Microsoft\Windows\CurrentVersion\Run 0x2cbbe:$s4: yyyy-MM-dd 0x2d19c:$s4: yyyy-MM-dd 0x32177:$s4: yyyy-MM-dd 0x8238:$v1: cmd.exe /k ping 0 & del
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80ce:$a1: netsh firewall add allowedprogram 0x82c8:$b1: [TAP] 0x826e:$b2: & exit 0x32717:$b2: & exit 0x823a:$c1: md.exe /k ping 0 & del
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x32729:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2ecaa:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x30d86:$s1: \VPN\NordVPN 0x30d6c:$s2: \VPN\OpenVPN 0x30d4e:$s3: \VPN\ProtonVPN
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x2f4e2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2f554:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x2f5de:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x2f670:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x2f6da:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x2f74c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2f7e2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2f872:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1b5d3:$x3: StormKitty 0x24d11:$s1: GetBSSID 0x24c11:$s2: GetAntivirus 0x30192:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x303c4:$s6: "encrypted_key":"(.*?)"
0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81d8:$s1: netsh firewall delete allowedprogram 0x80ce:$s2: netsh firewall add allowedprogram 0x8238:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ec2:$s4: Execute ERROR 0x7f22:$s4: Execute ERROR 0x7ee6:$s5: Download ERROR 0x827e:$s6: [kl]
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x320f0:$a1: get_Registry 0x67380:$a1: get_Registry 0x9c600:$a1: get_Registry 0x33b15:$a3: Download ERROR 0x68da5:$a3: Download ERROR 0x9e025:$a3: Download ERROR 0x33e07:$a5: netsh firewall delete allowedprogram " 0x69097:$a5: netsh firewall delete allowedprogram " 0x9e317:$a5: netsh firewall delete allowedprogram "
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack	RAT_njRat	Detects njRAT	Kevin Breen <kevin@techanarchy.net>	0x332df:$s1: 7C 00 27 00 7C 00 27 00 7C 0x6856f:$s1: 7C 00 27 00 7C 00 27 00 7C 0x9d7ef:$s1: 7C 00 27 00 7C 00 27 00 7C 0x33cfd:$s2: netsh firewall add allowedprogram 0x68f8d:$s2: netsh firewall add allowedprogram 0x9e20d:$s2: netsh firewall add allowedprogram 0x3325f:$s3: Software\Microsoft\Windows\CurrentVersion\Run 0x684ef:$s3: Software\Microsoft\Windows\CurrentVersion\Run 0x9d76f:$s3: Software\Microsoft\Windows\CurrentVersion\Run 0x23577:$s4: yyyy-MM-dd 0x23b55:$s4: yyyy-MM-dd 0x28b30:$s4: yyyy-MM-dd 0x58807:$s4: yyyy-MM-dd 0x58de5:$s4: yyyy-MM-dd 0x5ddc0:$s4: yyyy-MM-dd 0x8da87:$s4: yyyy-MM-dd 0x8e065:$s4: yyyy-MM-dd 0x93040:$s4: yyyy-MM-dd 0x33e67:$v1: cmd.exe /k ping 0 & del 0x690f7:$v1: cmd.exe /k ping 0 & del 0x9e377:$v1: cmd.exe /k ping 0 & del
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x33cfd:$a1: netsh firewall add allowedprogram 0x68f8d:$a1: netsh firewall add allowedprogram 0x9e20d:$a1: netsh firewall add allowedprogram 0x33ef7:$b1: [TAP] 0x69187:$b1: [TAP] 0x9e407:$b1: [TAP] 0x290d0:$b2: & exit 0x33e9d:$b2: & exit 0x5e360:$b2: & exit 0x6912d:$b2: & exit 0x935e0:$b2: & exit 0x9e3ad:$b2: & exit 0x33e69:$c1: md.exe /k ping 0 & del 0x690f9:$c1: md.exe /k ping 0 & del 0x9e379:$c1: md.exe /k ping 0 & del
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x5e372:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x935f2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x5a8f3:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x8fb73:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x5c9cf:$s1: \VPN\NordVPN 0x91c4f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x5c9b5:$s2: \VPN\OpenVPN 0x91c35:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN 0x5c997:$s3: \VPN\ProtonVPN 0x91c17:$s3: \VPN\ProtonVPN
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x5b12b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x903ab:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x5b19d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x9041d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x5b227:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x904a7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x5b2b9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x90539:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x5b323:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x905a3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x5b395:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x90615:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x5b42b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x906ab:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x4721c:$x3: StormKitty 0x7c49c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x5095a:$s1: GetBSSID 0x85bda:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x5085a:$s2: GetAntivirus 0x85ada:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x5bddb:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x9105b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.?)" 0x5c00d:$s6: "encrypted_key":"(.?)" 0x9128d:$s6: "encrypted_key":"(.*?)"
0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x33e07:$s1: netsh firewall delete allowedprogram 0x69097:$s1: netsh firewall delete allowedprogram 0x9e317:$s1: netsh firewall delete allowedprogram 0x33cfd:$s2: netsh firewall add allowedprogram 0x68f8d:$s2: netsh firewall add allowedprogram 0x9e20d:$s2: netsh firewall add allowedprogram 0x33e67:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x690f7:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x9e377:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x33af1:$s4: Execute ERROR 0x33b51:$s4: Execute ERROR 0x68d81:$s4: Execute ERROR 0x68de1:$s4: Execute ERROR 0x9e001:$s4: Execute ERROR 0x9e061:$s4: Execute ERROR 0x33b15:$s5: Download ERROR 0x68da5:$s5: Download ERROR 0x9e025:$s5: Download ERROR 0x33ead:$s6: [kl] 0x6913d:$s6: [kl] 0x9e3bd:$s6: [kl]
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x320f0:$a1: get_Registry 0x33b15:$a3: Download ERROR 0x33e07:$a5: netsh firewall delete allowedprogram "
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack	RAT_njRat	Detects njRAT	Kevin Breen <kevin@techanarchy.net>	0x332df:$s1: 7C 00 27 00 7C 00 27 00 7C 0x33cfd:$s2: netsh firewall add allowedprogram 0x3325f:$s3: Software\Microsoft\Windows\CurrentVersion\Run 0x23577:$s4: yyyy-MM-dd 0x23b55:$s4: yyyy-MM-dd 0x28b30:$s4: yyyy-MM-dd 0x587ed:$s4: yyyy-MM-dd 0x58dcb:$s4: yyyy-MM-dd 0x5dda6:$s4: yyyy-MM-dd 0x33e67:$v1: cmd.exe /k ping 0 & del
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x33cfd:$a1: netsh firewall add allowedprogram 0x33ef7:$b1: [TAP] 0x290d0:$b2: & exit 0x33e9d:$b2: & exit 0x5e346:$b2: & exit 0x33e69:$c1: md.exe /k ping 0 & del
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x5e358:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x5a8d9:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x5c9b5:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x5c99b:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN 0x5c97d:$s3: \VPN\ProtonVPN
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x5b111:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x5b183:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x5b20d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x5b29f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x5b309:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x5b37b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x5b411:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x5b4a1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x47202:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x50940:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x50840:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x5bdc1:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.?)" 0x5bff3:$s6: "encrypted_key":"(.?)"
0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x33e07:$s1: netsh firewall delete allowedprogram 0x33cfd:$s2: netsh firewall add allowedprogram 0x33e67:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x33af1:$s4: Execute ERROR 0x33b51:$s4: Execute ERROR 0x33b15:$s5: Download ERROR 0x33ead:$s6: [kl]
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x3b751:$a1: get_Registry 0x709d1:$a1: get_Registry 0x7ee6:$a3: Download ERROR 0x3d176:$a3: Download ERROR 0x723f6:$a3: Download ERROR 0x81d8:$a5: netsh firewall delete allowedprogram " 0x3d468:$a5: netsh firewall delete allowedprogram " 0x726e8:$a5: netsh firewall delete allowedprogram "
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack	RAT_njRat	Detects njRAT	Kevin Breen <kevin@techanarchy.net>	0x76b0:$s1: 7C 00 27 00 7C 00 27 00 7C 0x3c940:$s1: 7C 00 27 00 7C 00 27 00 7C 0x71bc0:$s1: 7C 00 27 00 7C 00 27 00 7C 0x80ce:$s2: netsh firewall add allowedprogram 0x3d35e:$s2: netsh firewall add allowedprogram 0x725de:$s2: netsh firewall add allowedprogram 0x7630:$s3: Software\Microsoft\Windows\CurrentVersion\Run 0x3c8c0:$s3: Software\Microsoft\Windows\CurrentVersion\Run 0x71b40:$s3: Software\Microsoft\Windows\CurrentVersion\Run 0x2cbd8:$s4: yyyy-MM-dd 0x2d1b6:$s4: yyyy-MM-dd 0x32191:$s4: yyyy-MM-dd 0x61e58:$s4: yyyy-MM-dd 0x62436:$s4: yyyy-MM-dd 0x67411:$s4: yyyy-MM-dd 0x8238:$v1: cmd.exe /k ping 0 & del 0x3d4c8:$v1: cmd.exe /k ping 0 & del 0x72748:$v1: cmd.exe /k ping 0 & del
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80ce:$a1: netsh firewall add allowedprogram 0x3d35e:$a1: netsh firewall add allowedprogram 0x725de:$a1: netsh firewall add allowedprogram 0x82c8:$b1: [TAP] 0x3d558:$b1: [TAP] 0x727d8:$b1: [TAP] 0x826e:$b2: & exit 0x32731:$b2: & exit 0x3d4fe:$b2: & exit 0x679b1:$b2: & exit 0x7277e:$b2: & exit 0x823a:$c1: md.exe /k ping 0 & del 0x3d4ca:$c1: md.exe /k ping 0 & del 0x7274a:$c1: md.exe /k ping 0 & del
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x32743:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x679c3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2ecc4:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x63f44:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x30da0:$s1: \VPN\NordVPN 0x66020:$s1: \VPN\NordVPN 0x30d86:$s2: \VPN\OpenVPN 0x66006:$s2: \VPN\OpenVPN 0x30d68:$s3: \VPN\ProtonVPN 0x65fe8:$s3: \VPN\ProtonVPN
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x2f4fc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6477c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2f56e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x647ee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x2f5f8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x64878:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x2f68a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6490a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x2f6f4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x64974:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x2f766:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x649e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2f7fc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x64a7c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2f88c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x64b0c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1b5ed:$x3: StormKitty 0x5086d:$x3: StormKitty 0x24d2b:$s1: GetBSSID 0x59fab:$s1: GetBSSID 0x24c2b:$s2: GetAntivirus 0x59eab:$s2: GetAntivirus 0x301ac:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x6542c:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x303de:$s6: "encrypted_key":"(.?)" 0x6565e:$s6: "encrypted_key":"(.?)"
0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81d8:$s1: netsh firewall delete allowedprogram 0x3d468:$s1: netsh firewall delete allowedprogram 0x726e8:$s1: netsh firewall delete allowedprogram 0x80ce:$s2: netsh firewall add allowedprogram 0x3d35e:$s2: netsh firewall add allowedprogram 0x725de:$s2: netsh firewall add allowedprogram 0x8238:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x3d4c8:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x72748:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ec2:$s4: Execute ERROR 0x7f22:$s4: Execute ERROR 0x3d152:$s4: Execute ERROR 0x3d1b2:$s4: Execute ERROR 0x723d2:$s4: Execute ERROR 0x72432:$s4: Execute ERROR 0x7ee6:$s5: Download ERROR 0x3d176:$s5: Download ERROR 0x723f6:$s5: Download ERROR 0x827e:$s6: [kl] 0x3d50e:$s6: [kl] 0x7278e:$s6: [kl]
Click to see the 157 entries

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\K59gVXTgGv.exe, ProcessId: 5160, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome sandbox.exe.lnk

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: K59gVXTgGv.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe

Avira: detection malicious, Label: HEUR/AGEN.1304596

Found malware configuration

Source: 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Njrat {"Host": "194.26.192.92", "Port": "5552", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "server.exe", "Install Dir": "TEMP"}
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack	Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1", "Ports": "6606,7707,8808", "Telegram C2": "https://api.telegram.org/bot7095863454:AAFGhBQqJXY7rFzi0CT99qZPVRwQpKI6R1A/sendMessage?chat_id=7257613869", "Version": "", "AES_key": "VIfxfqryUTyZUBGDCBAvbYVYIsexIM7Z", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OBaK0EGWuj7WuAcQPCCGuzHpDqFZbXR7iRqVn6TiLRsO0LCMB4ta4XLQ4JdTFXvnQHcGiUxHddH70T/2P2bBVY0W+PVJDzG3XUWHpYb4PVv7qaQr/DalR3qyyd5otzE1kIjJLCOCyI/9ntIcD/PbMTKVnCP4fzbnkNB+xy0PmQmx3WRWEF5q72TdgaKrCbOpR2C/+rfGIoPC6Ze6dqWO3bQLGt6jpCO8A4CtAaAYmiw1vHUOfP54BgI9ls1TjYO3Rn4R1jmhWBGV2pT5chrglgSxMzPhrxFTQljG78RlPCJmyagJbtnPL3AlV34sQggcbf+80FVeyechm/xrMTSWXrJQ+xek1HRJBDFoCJyUR7SuIUelOW24TU+rwl/2dcALLZXpjYu3/zvJjH4iaJXRCt7oWhfzIFG1bHBFr78kV9VP0H+ZNVb129eUr14F/uubAoIPAz2EHG/CXBZv9GkFuzw0NgsI1eP7AznCLdT+z91M+yB7vWtvclwQ5k6MxWDPOraG5JMjUHvKI6zvyZ4IQ2a7bUENDghxLAqIxgo7zfZMdrjbRxBlqW14oki6Um7GpGKEZ0s2Ip6K2yJHBLpbVxOYjyzrxohMguh+qvgQIDAQABozIwMDAdBgNVHQ4EFgQUmTejTtK6on20N0YJez5sAZdMe/kwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAhauA0si7sHBd06DSGJgP5vJxL2daW30wR5XbAJd0HWj3QWfl7w27iyZ5AqBT4B0ojLNuMUG8mUOvpcoq0m80qUX7TIKUULKvb+i7uGGEDxk3W5F3es/CTUUWO0QlseWx9QEYziGlp6f3tkP4PTGSL0DywVRSa8l6f/B5kqwnW17CbQfJZ8vmy5snpDO/avgYssUnQtKQPhos7GbokNHps/bxEIRfLeprzQox20dw4RV59LcorjP5QV7Vc6FuYmhzC0nfRetTHckyxg66O3ekfTVs87MLiDV0ipQ+D/6k3g6DRuTdd4V2khjtI56ujSqTQ2PueNQXPu8y2fdsT2Rd1LcfxMS1xKAhSwhHfyy0I3JwzPG1D+sm3QNJEOoJviSNn5fYOFpY+mSEkFNMMeEbwOFdHxWbkiJk/Z8VwdH5I52tkHU3sRQMuZHtcKUc/SIt5Ivv6gtuEZQdm1GE6KUdiRB95s8JVGNlCcHX5bXbScu4eKCRQn3Cl+m5KR4EzI6hVP/iDRhVKj7Dn/blOHLzhNS5vW4X085dTP+1TBL8CHpQpiA3t8LfqfV1b/+WahOd3jNBNTXXfe/AQSjErgctLMdmOBpUQaJLOlcDcKGxWQdOo102nxg8Y/kFDARccywugoQxuIZpMYq74tjnJlJZ9kqR/LPrjmvx4v+0XFsaCPE=", "ServerSignature": "J7XpD4w+JaFzTixc0nCmiRA4ZP4bPCIpEYYGofNxvC1+0OsFQr56oTWwQMosnOTB64TZRGSdXVHKzjVchQf7X5Uwu/KQU61NPArjxWVScwKZXOGS4ZNzsWbrxgztkmlyRlQgvEq4rdFsqy1bfvHEoQ/s9aDXBNoLPPjJOexTRQSGuZYMpGSUD+ZUiVwPqqFWTb8KcjEMyABMeXGKfia2e9u8ePKpWv4HSiOfl6N47tTtIfN2FW/2mCX7BOnIZwCl3UxaQnITN812tHD1enX9TK86R91F02c0wabnf4oC07S3cqiXYo1yZ5y3dDnnERLagBuX1bemwzX/7DjHkfOaIPLgAAO8vGHbQX3pPqmwC88sG1+FExp3FEKMITnQTqQr5uXa5GjggFUSFr9rt2nfcjEjHRnOzX1jpsUUtuDyqoAFhdosdv46x+o5Iod34II88nouxzyzAfMSa48ozukJ3fCknI6u9fj/it1dx0GimhXUv4YG4A19n3EdvJbaxZXImHZvqiYGsHTIUtxa89QhxCpuJPKdTP7ya5rJFkDT0Z8ijH4Z1Dv42umyEN6PT99JRuJHcXSqkXfOeOilnM6YRY019FHq6udNVWn5OQetK4ULVcQmwPTV26ZRPyrqO57Rjr5LeSauZtNKTE/kmS1iR3eMtq5PsAHunrHZPzzaUhY=", "Group": "Default"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe

ReversingLabs: Detection: 67%

Multi AV Scanner detection for submitted file

Source: K59gVXTgGv.exe	ReversingLabs: Detection: 67%
Source: K59gVXTgGv.exe	Virustotal: Detection: 64%			Perma Link

Yara detected Njrat

Source: Yara match	File source: 0.2.K59gVXTgGv.exe.2f72050.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.314dc30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: K59gVXTgGv.exe

Joe Sandbox ML: detected

Source: K59gVXTgGv.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: K59gVXTgGv.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: K59gVXTgGv.exe, 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: K59gVXTgGv.exe, 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: K59gVXTgGv.exe, 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: K59gVXTgGv.exe, 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]

Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		0_2_02D19F98
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		0_2_02D1A1D8

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 194.26.192.92

Queries Google from non browser process on port 80

Source: C:\Users\user\Desktop\K59gVXTgGv.exe	HTTP traffic: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	HTTP traffic: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: www.google.com

Source: cmd.exe, 00000004.00000003.2797214775.0000000003147000.00000004.00000020.00020000.00000000.sdmp, K59gVXTgGv.exe, Google Chrome sandbox.exe.exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: cmd.exe, 00000004.00000003.2797214775.0000000003147000.00000004.00000020.00020000.00000000.sdmp, K59gVXTgGv.exe, Google Chrome sandbox.exe.exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: cmd.exe, 00000004.00000003.2797214775.0000000003147000.00000004.00000020.00020000.00000000.sdmp, K59gVXTgGv.exe, Google Chrome sandbox.exe.exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: cmd.exe, 00000004.00000003.2797214775.0000000003147000.00000004.00000020.00020000.00000000.sdmp, K59gVXTgGv.exe, Google Chrome sandbox.exe.exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: cmd.exe, 00000004.00000003.2797214775.0000000003147000.00000004.00000020.00020000.00000000.sdmp, K59gVXTgGv.exe, Google Chrome sandbox.exe.exe.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: cmd.exe, 00000004.00000003.2797214775.0000000003147000.00000004.00000020.00020000.00000000.sdmp, K59gVXTgGv.exe, Google Chrome sandbox.exe.exe.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: cmd.exe, 00000004.00000003.2797214775.0000000003147000.00000004.00000020.00020000.00000000.sdmp, K59gVXTgGv.exe, Google Chrome sandbox.exe.exe.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Google Chrome sandbox.exe.exe.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: cmd.exe, 00000004.00000003.2797214775.0000000003147000.00000004.00000020.00020000.00000000.sdmp, K59gVXTgGv.exe, Google Chrome sandbox.exe.exe.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: cmd.exe, 00000004.00000003.2797214775.0000000003147000.00000004.00000020.00020000.00000000.sdmp, K59gVXTgGv.exe, Google Chrome sandbox.exe.exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: cmd.exe, 00000004.00000003.2797214775.0000000003147000.00000004.00000020.00020000.00000000.sdmp, K59gVXTgGv.exe, Google Chrome sandbox.exe.exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: cmd.exe, 00000004.00000003.2797214775.0000000003147000.00000004.00000020.00020000.00000000.sdmp, K59gVXTgGv.exe, Google Chrome sandbox.exe.exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: cmd.exe, 00000004.00000003.2797214775.0000000003147000.00000004.00000020.00020000.00000000.sdmp, K59gVXTgGv.exe, Google Chrome sandbox.exe.exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: K59gVXTgGv.exe, 00000000.00000002.2386535902.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Google Chrome sandbox.exe.exe, 0000000A.00000002.3262432650.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cmd.exe, 00000004.00000003.2797214775.0000000003147000.00000004.00000020.00020000.00000000.sdmp, K59gVXTgGv.exe, Google Chrome sandbox.exe.exe.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: K59gVXTgGv.exe, Google Chrome sandbox.exe.exe.4.dr	String found in binary or memory: http://www.google.com
Source: K59gVXTgGv.exe, 00000000.00000002.2386535902.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Google Chrome sandbox.exe.exe, 0000000A.00000002.3261484937.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, Google Chrome sandbox.exe.exe, 0000000A.00000002.3262432650.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/file/bot
Source: K59gVXTgGv.exe, 00000000.00000002.2386535902.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Google Chrome sandbox.exe.exe, 0000000A.00000002.3262432650.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: K59gVXTgGv.exe, 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp, K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, K59gVXTgGv.exe, 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/7B75u64B
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR

Contains functionality to capture screen (.Net source)

Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, DesktopScreenshot.cs	.Net Code: Make
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, DesktopScreenshot.cs	.Net Code: Make
Source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, DesktopScreenshot.cs	.Net Code: Make
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, DesktopScreenshot.cs	.Net Code: Make

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, Keylogger.cs	.Net Code: SetHook
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout
Source: 0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, Keylogger.cs	.Net Code: SetHook
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout
Source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, Keylogger.cs	.Net Code: SetHook
Source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout
Source: 0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, Keylogger.cs	.Net Code: SetHook
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, kl.cs	.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: 0.2.K59gVXTgGv.exe.2f72050.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.314dc30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.K59gVXTgGv.exe.2f72050.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.K59gVXTgGv.exe.2f72050.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.K59gVXTgGv.exe.2f72050.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.4015f19.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.K59gVXTgGv.exe.4015f19.4.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.K59gVXTgGv.exe.4015f19.4.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.314dc30.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.K59gVXTgGv.exe.314dc30.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.K59gVXTgGv.exe.314dc30.1.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f41529.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.K59gVXTgGv.exe.3f41529.3.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.K59gVXTgGv.exe.3f41529.3.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects njRAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects njRAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_02D16E01	0_2_02D16E01
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_02D112A7	0_2_02D112A7
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_02D19F98	0_2_02D19F98
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_02D15F20	0_2_02D15F20
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_02D1426F	0_2_02D1426F
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_02D18218	0_2_02D18218
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_0698310C	0_2_0698310C
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_0698EA80	0_2_0698EA80
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_0698EA71	0_2_0698EA71
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_0698CB94	0_2_0698CB94
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06C0C344	0_2_06C0C344
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06C04040	0_2_06C04040
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06C0403B	0_2_06C0403B
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06C0DF28	0_2_06C0DF28
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06C44018	0_2_06C44018
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06C4EA77	0_2_06C4EA77
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06C4EA78	0_2_06C4EA78
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_08200040	0_2_08200040
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_082066A0	0_2_082066A0
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_08208C00	0_2_08208C00
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_0820E0F8	0_2_0820E0F8
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_0820666D	0_2_0820666D
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_08953030	0_2_08953030
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_0895D85C	0_2_0895D85C
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_08953017	0_2_08953017
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Code function: 10_2_011412A7	10_2_011412A7
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Code function: 10_2_01145F20	10_2_01145F20
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Code function: 10_2_011480A0	10_2_011480A0
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Code function: 10_2_0114426F	10_2_0114426F
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Code function: 10_2_01146E10	10_2_01146E10

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\Google Chrome sandbox.exe.exe 63D2C37FDB370CF6E743BD75E7408F5EDED5BC823A29401EEAFE0BEA921657BB

Source: K59gVXTgGv.exe, 00000000.00000002.2385923555.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs K59gVXTgGv.exe
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs K59gVXTgGv.exe
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs K59gVXTgGv.exe
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.00000000040D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs K59gVXTgGv.exe
Source: K59gVXTgGv.exe, 00000000.00000002.2390410734.0000000006900000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs K59gVXTgGv.exe
Source: K59gVXTgGv.exe, 00000000.00000000.2013273875.0000000000B72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs K59gVXTgGv.exe
Source: K59gVXTgGv.exe	Binary or memory string: OriginalFilenamechrome.exe< vs K59gVXTgGv.exe

Source: K59gVXTgGv.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.K59gVXTgGv.exe.2f72050.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.K59gVXTgGv.exe.2f72050.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.K59gVXTgGv.exe.2f72050.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.K59gVXTgGv.exe.4015f19.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.K59gVXTgGv.exe.4015f19.4.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.K59gVXTgGv.exe.4015f19.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.K59gVXTgGv.exe.314dc30.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.K59gVXTgGv.exe.314dc30.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.K59gVXTgGv.exe.314dc30.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.K59gVXTgGv.exe.3f41529.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.K59gVXTgGv.exe.3f41529.3.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.K59gVXTgGv.exe.3f41529.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_njRat date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects njRAT, reference = http://malwareconfig.com/stats/njRat
Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, Settings.cs	Base64 encoded string: 'OfRC+NypcE+IToheoZZN8pzwcDl4uSi/g7kEwzyZwq8E7oBwdwJagaueIm5JCpPAfrjZ5wzTLIiXc6XMrv+mQnk407lFRkkJ1V3vZycPDJ5XzUVrKJq/ZzaglZwif4nN', 'v7KS4NGYpYR6dbl1ohYtOvZyF3faG8ZOM6yHQQArFUaFpvFmd2QuG8pR6Ea3G0MP2HfuQ241T0FwhKo+d5vVWA==', 'Z5pZYvRJIFTn8wlNIbceeqsxsKyiih9zS9G1Q49QpoEQOhv8FIVYhJy3JtaDzo7YHrinzRvWHLMY6KkdaCxT9w==', 'lv3eVVbrtyehpFQQS+O85pqbqHpE531GsoTORjAIVkmXnn29fizpHaeprUcfXfR7i1rDsUVnA0uHFazCOt353g==', 'vx/BE7jbRUB6mf7JvBe7Aqms5ens79dF75erQeF42sT5vvO+4N9X2zk0aqxqkuguWA/A06An2byEZbqi5N4oc6eDd74t2bt19gesw0UIL8c=', 'nXKe4oAN0iBYluL0NQNKasuRdPEYHHvoJHBCMT+I7iGe41QiUcLXnSquqUdY5Xs+MVUGLpfUfaHVmqMC/SfaaZX1JoFtVGWwClIrpf8FsiO8IpqEKgM6FNqF0Ognzq1b7tp3rIjM2Aq8StkwWXkHUOYxI8qr8GADLi4Ylq0kgwpIiGkb1z/6p5ujAOACIjgw5x9IhvGtTr+pZgOuq775zWQtOZIwgHiwfn+8HAB7TWqKBA5reeQ+GcSe1AVSSvIwL2m9YqmANxvUV/z6P+tntZK9khBosBwHhOiwRWXG7/WpzOHXHsguz9PsgGj8x6vv563lVxWQAVbkGsiVnDkQDg6utGPUefYXoghcReIUhhO5SZiVt8QiJpJVzlEJFFLSzuPdrYoqneInXeUrZciNHk6Hx/qmc0c/OP8zrIiuTOIjkA4/48e72ZkKUXXjDM9NHJYaFkiW7Wy09F3klKb3gXQb7uQKAQ3myxaI9H4viFDzQ+c6ot/Tt/9sm+I5UXFT4EyPgUXKxHI2gqb+mGyqQkOPuBaH45ePwop7BrYpY/1efw+fAOhY4ManjMs6wjMfCyT+RgVfeAolPHVmFc7THpeFENsGzPu4PaQTk7KcIXPlIOAC8nCCQkJ8Z/VkapUueXmA9ouv8rVUX3RDzPNuYQMj6eQGRGoJaiSi1XnTSB+pFxXuymASnVeMHzS1YJc6S1Fy8xnlzJW7wkSc0EzMjLWBFsM3Hqd3b6QH+6AftKjxmEGRAffkIkZg1kgQascpVqw/SlkjNmcC+8/jbyDIsnjfoUA7PIQ6NaNjAWDQ8QJGwp8fEK5MOILen18Pkqix0uS7isDBkB1ChKdH/cR8LyKqqAvhf24jkqpsdpnndycZXCnmG14YSdhSJD7P54U5ewxu5hWc0WDpXKCJSpKp+Gy3I3bLus4hISrBmvvjsDY5WaJWh4rN+zn3lBsaEVXz0YdEKxHlnUuHD4RTG2YEeg7l4NQmHuxkbkoOBiV/EkTcqVMpsm9VZOkIK44jxyFHyoqVqgnllEW2n6iThOHqhykb1ivXu6OBFYSpXiPeRpYEVBpUMWjvXy2wTmgsSDG43S2ISnly04sL8+POHl7dAZhsvW/Yb9kNVsrSyQzUi4FENeRphe5EQb59noFZbgoVWYsKCEtLnBLTOMUtNywmHbDlomrWnS16Z9wMlfLoBZwDq7q2Z/8FecilNhRqRnip5R1F+C7L5+PkGgbxv7hvDfnKlP68bC41b2+l+8MfkH/OIC4Pf4M4KBF7l5svnS6/SkGqtZ8RNySst5Cz/y7LYkWD8jrSInEMDXNvDkVq5egyR0WF52kgbiLK08K4cGSVG0q7Eo0WyabA8Ez1czK/JmEpDEJ2fggJBNfU8KOpygs/tUwEnJjj+fb+pogdcNDftRu+jLkC232YXIpGdY/sIUc03VXzJPbMwZVCZXmWZepd5FRkB7xBL6Vel/AIR6HMGe8APTLt5mtX7wMzt7tMf/KG7tH20e6uEYu7pmgfFXjU9LksVMIL8YZhezJqFHf+AW70OMfSNkYnu/sPLvlXSRD/7WVGTUjXtDFgTAPWVSLDiCkDi+DZ0aRUDufzdLaKLL0QaIiFxTE7R8TtaHooLbq1YGUnnGCmIzJH9yWg96yCDebbKI4TbcuNBfBpHaQ4nFL0/eu7rIDtbNrlM4pVdH1/kmax+IW7RBa5AH56ZoN8v6ZTK8vGmIX7JDWynYrSqFEetkjXYL9hoVT4TAhayuqAjY3rXtL1Wr+0ixxK+3nnBmEGbv4B5CV6UW1op7x6JljRFVhPGnU7gQdZMhTIlzx9V0r26bfwepof5aI3lQUjqV5nqB2K2M86T57ul4upx+UKts/3cqFm4uW6KGU+QlDJH5X5MpBAzlwDVFqO90gNG1iaO7L+5wB+mCR7GMOHWRvaEGPx7APVOR8Yfp4eJafkkh46BMOLWmuEzIx6XukDk9O7vsW9XMC88CuUsW5yCR+i61dDX2/1vuohT3RYT8mpm9I3h+dZkQYawTD8WPh9v/RihPHhp2PuM1O1s73iF+/DL+NvEn03K5FJ7pN5QdQ+Dh7ZxZ0gCHxC7kXaGz5krfPAZ7jnR61ojVDZyZkDUytVwZqVtNqOgW/kGZVrzkevqyK/ZDvyrRKd1Rr4dUYQxUc0X2tvBIamwGdwTkytiQWQUxkR2u+8P4HB6uPjaMAVvJ4ms7qv2bL9xb4OzTbG0Zk8J2p+N5t9uSrqVYVXn0pLQTZYXDpEbDKIjM4eSXjs9+iR68v+QgfwZfx380SFEkX8USuAGi+nknn2750JpeIa0K2PJLG7REXQxTTndMK8NHumykm63bZKIosdjC8=', 'xYuvE6ES2q02iyx0gj+TcxpQsqddzdkIJrpkxnhqM1VY6AGnW9K7iueX76+kb51aZY1MQHOImE+WAxBe/9TWW8PghqnYJs+uiWFcbqIrt7wBNgYAZIb4fWIYK6I8PvG
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, Settings.cs	Base64 encoded string: 'OfRC+NypcE+IToheoZZN8pzwcDl4uSi/g7kEwzyZwq8E7oBwdwJagaueIm5JCpPAfrjZ5wzTLIiXc6XMrv+mQnk407lFRkkJ1V3vZycPDJ5XzUVrKJq/ZzaglZwif4nN', 'v7KS4NGYpYR6dbl1ohYtOvZyF3faG8ZOM6yHQQArFUaFpvFmd2QuG8pR6Ea3G0MP2HfuQ241T0FwhKo+d5vVWA==', 'Z5pZYvRJIFTn8wlNIbceeqsxsKyiih9zS9G1Q49QpoEQOhv8FIVYhJy3JtaDzo7YHrinzRvWHLMY6KkdaCxT9w==', 'lv3eVVbrtyehpFQQS+O85pqbqHpE531GsoTORjAIVkmXnn29fizpHaeprUcfXfR7i1rDsUVnA0uHFazCOt353g==', 'vx/BE7jbRUB6mf7JvBe7Aqms5ens79dF75erQeF42sT5vvO+4N9X2zk0aqxqkuguWA/A06An2byEZbqi5N4oc6eDd74t2bt19gesw0UIL8c=', 'nXKe4oAN0iBYluL0NQNKasuRdPEYHHvoJHBCMT+I7iGe41QiUcLXnSquqUdY5Xs+MVUGLpfUfaHVmqMC/SfaaZX1JoFtVGWwClIrpf8FsiO8IpqEKgM6FNqF0Ognzq1b7tp3rIjM2Aq8StkwWXkHUOYxI8qr8GADLi4Ylq0kgwpIiGkb1z/6p5ujAOACIjgw5x9IhvGtTr+pZgOuq775zWQtOZIwgHiwfn+8HAB7TWqKBA5reeQ+GcSe1AVSSvIwL2m9YqmANxvUV/z6P+tntZK9khBosBwHhOiwRWXG7/WpzOHXHsguz9PsgGj8x6vv563lVxWQAVbkGsiVnDkQDg6utGPUefYXoghcReIUhhO5SZiVt8QiJpJVzlEJFFLSzuPdrYoqneInXeUrZciNHk6Hx/qmc0c/OP8zrIiuTOIjkA4/48e72ZkKUXXjDM9NHJYaFkiW7Wy09F3klKb3gXQb7uQKAQ3myxaI9H4viFDzQ+c6ot/Tt/9sm+I5UXFT4EyPgUXKxHI2gqb+mGyqQkOPuBaH45ePwop7BrYpY/1efw+fAOhY4ManjMs6wjMfCyT+RgVfeAolPHVmFc7THpeFENsGzPu4PaQTk7KcIXPlIOAC8nCCQkJ8Z/VkapUueXmA9ouv8rVUX3RDzPNuYQMj6eQGRGoJaiSi1XnTSB+pFxXuymASnVeMHzS1YJc6S1Fy8xnlzJW7wkSc0EzMjLWBFsM3Hqd3b6QH+6AftKjxmEGRAffkIkZg1kgQascpVqw/SlkjNmcC+8/jbyDIsnjfoUA7PIQ6NaNjAWDQ8QJGwp8fEK5MOILen18Pkqix0uS7isDBkB1ChKdH/cR8LyKqqAvhf24jkqpsdpnndycZXCnmG14YSdhSJD7P54U5ewxu5hWc0WDpXKCJSpKp+Gy3I3bLus4hISrBmvvjsDY5WaJWh4rN+zn3lBsaEVXz0YdEKxHlnUuHD4RTG2YEeg7l4NQmHuxkbkoOBiV/EkTcqVMpsm9VZOkIK44jxyFHyoqVqgnllEW2n6iThOHqhykb1ivXu6OBFYSpXiPeRpYEVBpUMWjvXy2wTmgsSDG43S2ISnly04sL8+POHl7dAZhsvW/Yb9kNVsrSyQzUi4FENeRphe5EQb59noFZbgoVWYsKCEtLnBLTOMUtNywmHbDlomrWnS16Z9wMlfLoBZwDq7q2Z/8FecilNhRqRnip5R1F+C7L5+PkGgbxv7hvDfnKlP68bC41b2+l+8MfkH/OIC4Pf4M4KBF7l5svnS6/SkGqtZ8RNySst5Cz/y7LYkWD8jrSInEMDXNvDkVq5egyR0WF52kgbiLK08K4cGSVG0q7Eo0WyabA8Ez1czK/JmEpDEJ2fggJBNfU8KOpygs/tUwEnJjj+fb+pogdcNDftRu+jLkC232YXIpGdY/sIUc03VXzJPbMwZVCZXmWZepd5FRkB7xBL6Vel/AIR6HMGe8APTLt5mtX7wMzt7tMf/KG7tH20e6uEYu7pmgfFXjU9LksVMIL8YZhezJqFHf+AW70OMfSNkYnu/sPLvlXSRD/7WVGTUjXtDFgTAPWVSLDiCkDi+DZ0aRUDufzdLaKLL0QaIiFxTE7R8TtaHooLbq1YGUnnGCmIzJH9yWg96yCDebbKI4TbcuNBfBpHaQ4nFL0/eu7rIDtbNrlM4pVdH1/kmax+IW7RBa5AH56ZoN8v6ZTK8vGmIX7JDWynYrSqFEetkjXYL9hoVT4TAhayuqAjY3rXtL1Wr+0ixxK+3nnBmEGbv4B5CV6UW1op7x6JljRFVhPGnU7gQdZMhTIlzx9V0r26bfwepof5aI3lQUjqV5nqB2K2M86T57ul4upx+UKts/3cqFm4uW6KGU+QlDJH5X5MpBAzlwDVFqO90gNG1iaO7L+5wB+mCR7GMOHWRvaEGPx7APVOR8Yfp4eJafkkh46BMOLWmuEzIx6XukDk9O7vsW9XMC88CuUsW5yCR+i61dDX2/1vuohT3RYT8mpm9I3h+dZkQYawTD8WPh9v/RihPHhp2PuM1O1s73iF+/DL+NvEn03K5FJ7pN5QdQ+Dh7ZxZ0gCHxC7kXaGz5krfPAZ7jnR61ojVDZyZkDUytVwZqVtNqOgW/kGZVrzkevqyK/ZDvyrRKd1Rr4dUYQxUc0X2tvBIamwGdwTkytiQWQUxkR2u+8P4HB6uPjaMAVvJ4ms7qv2bL9xb4OzTbG0Zk8J2p+N5t9uSrqVYVXn0pLQTZYXDpEbDKIjM4eSXjs9+iR68v+QgfwZfx380SFEkX8USuAGi+nknn2750JpeIa0K2PJLG7REXQxTTndMK8NHumykm63bZKIosdjC8=', 'xYuvE6ES2q02iyx0gj+TcxpQsqddzdkIJrpkxnhqM1VY6AGnW9K7iueX76+kb51aZY1MQHOImE+WAxBe/9TWW8PghqnYJs+uiWFcbqIrt7wBNgYAZIb4fWIYK6I8PvG
Source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, Settings.cs	Base64 encoded string: 'OfRC+NypcE+IToheoZZN8pzwcDl4uSi/g7kEwzyZwq8E7oBwdwJagaueIm5JCpPAfrjZ5wzTLIiXc6XMrv+mQnk407lFRkkJ1V3vZycPDJ5XzUVrKJq/ZzaglZwif4nN', 'v7KS4NGYpYR6dbl1ohYtOvZyF3faG8ZOM6yHQQArFUaFpvFmd2QuG8pR6Ea3G0MP2HfuQ241T0FwhKo+d5vVWA==', 'Z5pZYvRJIFTn8wlNIbceeqsxsKyiih9zS9G1Q49QpoEQOhv8FIVYhJy3JtaDzo7YHrinzRvWHLMY6KkdaCxT9w==', 'lv3eVVbrtyehpFQQS+O85pqbqHpE531GsoTORjAIVkmXnn29fizpHaeprUcfXfR7i1rDsUVnA0uHFazCOt353g==', 'vx/BE7jbRUB6mf7JvBe7Aqms5ens79dF75erQeF42sT5vvO+4N9X2zk0aqxqkuguWA/A06An2byEZbqi5N4oc6eDd74t2bt19gesw0UIL8c=', 'nXKe4oAN0iBYluL0NQNKasuRdPEYHHvoJHBCMT+I7iGe41QiUcLXnSquqUdY5Xs+MVUGLpfUfaHVmqMC/SfaaZX1JoFtVGWwClIrpf8FsiO8IpqEKgM6FNqF0Ognzq1b7tp3rIjM2Aq8StkwWXkHUOYxI8qr8GADLi4Ylq0kgwpIiGkb1z/6p5ujAOACIjgw5x9IhvGtTr+pZgOuq775zWQtOZIwgHiwfn+8HAB7TWqKBA5reeQ+GcSe1AVSSvIwL2m9YqmANxvUV/z6P+tntZK9khBosBwHhOiwRWXG7/WpzOHXHsguz9PsgGj8x6vv563lVxWQAVbkGsiVnDkQDg6utGPUefYXoghcReIUhhO5SZiVt8QiJpJVzlEJFFLSzuPdrYoqneInXeUrZciNHk6Hx/qmc0c/OP8zrIiuTOIjkA4/48e72ZkKUXXjDM9NHJYaFkiW7Wy09F3klKb3gXQb7uQKAQ3myxaI9H4viFDzQ+c6ot/Tt/9sm+I5UXFT4EyPgUXKxHI2gqb+mGyqQkOPuBaH45ePwop7BrYpY/1efw+fAOhY4ManjMs6wjMfCyT+RgVfeAolPHVmFc7THpeFENsGzPu4PaQTk7KcIXPlIOAC8nCCQkJ8Z/VkapUueXmA9ouv8rVUX3RDzPNuYQMj6eQGRGoJaiSi1XnTSB+pFxXuymASnVeMHzS1YJc6S1Fy8xnlzJW7wkSc0EzMjLWBFsM3Hqd3b6QH+6AftKjxmEGRAffkIkZg1kgQascpVqw/SlkjNmcC+8/jbyDIsnjfoUA7PIQ6NaNjAWDQ8QJGwp8fEK5MOILen18Pkqix0uS7isDBkB1ChKdH/cR8LyKqqAvhf24jkqpsdpnndycZXCnmG14YSdhSJD7P54U5ewxu5hWc0WDpXKCJSpKp+Gy3I3bLus4hISrBmvvjsDY5WaJWh4rN+zn3lBsaEVXz0YdEKxHlnUuHD4RTG2YEeg7l4NQmHuxkbkoOBiV/EkTcqVMpsm9VZOkIK44jxyFHyoqVqgnllEW2n6iThOHqhykb1ivXu6OBFYSpXiPeRpYEVBpUMWjvXy2wTmgsSDG43S2ISnly04sL8+POHl7dAZhsvW/Yb9kNVsrSyQzUi4FENeRphe5EQb59noFZbgoVWYsKCEtLnBLTOMUtNywmHbDlomrWnS16Z9wMlfLoBZwDq7q2Z/8FecilNhRqRnip5R1F+C7L5+PkGgbxv7hvDfnKlP68bC41b2+l+8MfkH/OIC4Pf4M4KBF7l5svnS6/SkGqtZ8RNySst5Cz/y7LYkWD8jrSInEMDXNvDkVq5egyR0WF52kgbiLK08K4cGSVG0q7Eo0WyabA8Ez1czK/JmEpDEJ2fggJBNfU8KOpygs/tUwEnJjj+fb+pogdcNDftRu+jLkC232YXIpGdY/sIUc03VXzJPbMwZVCZXmWZepd5FRkB7xBL6Vel/AIR6HMGe8APTLt5mtX7wMzt7tMf/KG7tH20e6uEYu7pmgfFXjU9LksVMIL8YZhezJqFHf+AW70OMfSNkYnu/sPLvlXSRD/7WVGTUjXtDFgTAPWVSLDiCkDi+DZ0aRUDufzdLaKLL0QaIiFxTE7R8TtaHooLbq1YGUnnGCmIzJH9yWg96yCDebbKI4TbcuNBfBpHaQ4nFL0/eu7rIDtbNrlM4pVdH1/kmax+IW7RBa5AH56ZoN8v6ZTK8vGmIX7JDWynYrSqFEetkjXYL9hoVT4TAhayuqAjY3rXtL1Wr+0ixxK+3nnBmEGbv4B5CV6UW1op7x6JljRFVhPGnU7gQdZMhTIlzx9V0r26bfwepof5aI3lQUjqV5nqB2K2M86T57ul4upx+UKts/3cqFm4uW6KGU+QlDJH5X5MpBAzlwDVFqO90gNG1iaO7L+5wB+mCR7GMOHWRvaEGPx7APVOR8Yfp4eJafkkh46BMOLWmuEzIx6XukDk9O7vsW9XMC88CuUsW5yCR+i61dDX2/1vuohT3RYT8mpm9I3h+dZkQYawTD8WPh9v/RihPHhp2PuM1O1s73iF+/DL+NvEn03K5FJ7pN5QdQ+Dh7ZxZ0gCHxC7kXaGz5krfPAZ7jnR61ojVDZyZkDUytVwZqVtNqOgW/kGZVrzkevqyK/ZDvyrRKd1Rr4dUYQxUc0X2tvBIamwGdwTkytiQWQUxkR2u+8P4HB6uPjaMAVvJ4ms7qv2bL9xb4OzTbG0Zk8J2p+N5t9uSrqVYVXn0pLQTZYXDpEbDKIjM4eSXjs9+iR68v+QgfwZfx380SFEkX8USuAGi+nknn2750JpeIa0K2PJLG7REXQxTTndMK8NHumykm63bZKIosdjC8=', 'xYuvE6ES2q02iyx0gj+TcxpQsqddzdkIJrpkxnhqM1VY6AGnW9K7iueX76+kb51aZY1MQHOImE+WAxBe/9TWW8PghqnYJs+uiWFcbqIrt7wBNgYAZIb4fWIYK6I8PvG
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, Settings.cs	Base64 encoded string: 'OfRC+NypcE+IToheoZZN8pzwcDl4uSi/g7kEwzyZwq8E7oBwdwJagaueIm5JCpPAfrjZ5wzTLIiXc6XMrv+mQnk407lFRkkJ1V3vZycPDJ5XzUVrKJq/ZzaglZwif4nN', 'v7KS4NGYpYR6dbl1ohYtOvZyF3faG8ZOM6yHQQArFUaFpvFmd2QuG8pR6Ea3G0MP2HfuQ241T0FwhKo+d5vVWA==', 'Z5pZYvRJIFTn8wlNIbceeqsxsKyiih9zS9G1Q49QpoEQOhv8FIVYhJy3JtaDzo7YHrinzRvWHLMY6KkdaCxT9w==', 'lv3eVVbrtyehpFQQS+O85pqbqHpE531GsoTORjAIVkmXnn29fizpHaeprUcfXfR7i1rDsUVnA0uHFazCOt353g==', 'vx/BE7jbRUB6mf7JvBe7Aqms5ens79dF75erQeF42sT5vvO+4N9X2zk0aqxqkuguWA/A06An2byEZbqi5N4oc6eDd74t2bt19gesw0UIL8c=', 'nXKe4oAN0iBYluL0NQNKasuRdPEYHHvoJHBCMT+I7iGe41QiUcLXnSquqUdY5Xs+MVUGLpfUfaHVmqMC/SfaaZX1JoFtVGWwClIrpf8FsiO8IpqEKgM6FNqF0Ognzq1b7tp3rIjM2Aq8StkwWXkHUOYxI8qr8GADLi4Ylq0kgwpIiGkb1z/6p5ujAOACIjgw5x9IhvGtTr+pZgOuq775zWQtOZIwgHiwfn+8HAB7TWqKBA5reeQ+GcSe1AVSSvIwL2m9YqmANxvUV/z6P+tntZK9khBosBwHhOiwRWXG7/WpzOHXHsguz9PsgGj8x6vv563lVxWQAVbkGsiVnDkQDg6utGPUefYXoghcReIUhhO5SZiVt8QiJpJVzlEJFFLSzuPdrYoqneInXeUrZciNHk6Hx/qmc0c/OP8zrIiuTOIjkA4/48e72ZkKUXXjDM9NHJYaFkiW7Wy09F3klKb3gXQb7uQKAQ3myxaI9H4viFDzQ+c6ot/Tt/9sm+I5UXFT4EyPgUXKxHI2gqb+mGyqQkOPuBaH45ePwop7BrYpY/1efw+fAOhY4ManjMs6wjMfCyT+RgVfeAolPHVmFc7THpeFENsGzPu4PaQTk7KcIXPlIOAC8nCCQkJ8Z/VkapUueXmA9ouv8rVUX3RDzPNuYQMj6eQGRGoJaiSi1XnTSB+pFxXuymASnVeMHzS1YJc6S1Fy8xnlzJW7wkSc0EzMjLWBFsM3Hqd3b6QH+6AftKjxmEGRAffkIkZg1kgQascpVqw/SlkjNmcC+8/jbyDIsnjfoUA7PIQ6NaNjAWDQ8QJGwp8fEK5MOILen18Pkqix0uS7isDBkB1ChKdH/cR8LyKqqAvhf24jkqpsdpnndycZXCnmG14YSdhSJD7P54U5ewxu5hWc0WDpXKCJSpKp+Gy3I3bLus4hISrBmvvjsDY5WaJWh4rN+zn3lBsaEVXz0YdEKxHlnUuHD4RTG2YEeg7l4NQmHuxkbkoOBiV/EkTcqVMpsm9VZOkIK44jxyFHyoqVqgnllEW2n6iThOHqhykb1ivXu6OBFYSpXiPeRpYEVBpUMWjvXy2wTmgsSDG43S2ISnly04sL8+POHl7dAZhsvW/Yb9kNVsrSyQzUi4FENeRphe5EQb59noFZbgoVWYsKCEtLnBLTOMUtNywmHbDlomrWnS16Z9wMlfLoBZwDq7q2Z/8FecilNhRqRnip5R1F+C7L5+PkGgbxv7hvDfnKlP68bC41b2+l+8MfkH/OIC4Pf4M4KBF7l5svnS6/SkGqtZ8RNySst5Cz/y7LYkWD8jrSInEMDXNvDkVq5egyR0WF52kgbiLK08K4cGSVG0q7Eo0WyabA8Ez1czK/JmEpDEJ2fggJBNfU8KOpygs/tUwEnJjj+fb+pogdcNDftRu+jLkC232YXIpGdY/sIUc03VXzJPbMwZVCZXmWZepd5FRkB7xBL6Vel/AIR6HMGe8APTLt5mtX7wMzt7tMf/KG7tH20e6uEYu7pmgfFXjU9LksVMIL8YZhezJqFHf+AW70OMfSNkYnu/sPLvlXSRD/7WVGTUjXtDFgTAPWVSLDiCkDi+DZ0aRUDufzdLaKLL0QaIiFxTE7R8TtaHooLbq1YGUnnGCmIzJH9yWg96yCDebbKI4TbcuNBfBpHaQ4nFL0/eu7rIDtbNrlM4pVdH1/kmax+IW7RBa5AH56ZoN8v6ZTK8vGmIX7JDWynYrSqFEetkjXYL9hoVT4TAhayuqAjY3rXtL1Wr+0ixxK+3nnBmEGbv4B5CV6UW1op7x6JljRFVhPGnU7gQdZMhTIlzx9V0r26bfwepof5aI3lQUjqV5nqB2K2M86T57ul4upx+UKts/3cqFm4uW6KGU+QlDJH5X5MpBAzlwDVFqO90gNG1iaO7L+5wB+mCR7GMOHWRvaEGPx7APVOR8Yfp4eJafkkh46BMOLWmuEzIx6XukDk9O7vsW9XMC88CuUsW5yCR+i61dDX2/1vuohT3RYT8mpm9I3h+dZkQYawTD8WPh9v/RihPHhp2PuM1O1s73iF+/DL+NvEn03K5FJ7pN5QdQ+Dh7ZxZ0gCHxC7kXaGz5krfPAZ7jnR61ojVDZyZkDUytVwZqVtNqOgW/kGZVrzkevqyK/ZDvyrRKd1Rr4dUYQxUc0X2tvBIamwGdwTkytiQWQUxkR2u+8P4HB6uPjaMAVvJ4ms7qv2bL9xb4OzTbG0Zk8J2p+N5t9uSrqVYVXn0pLQTZYXDpEbDKIjM4eSXjs9+iR68v+QgfwZfx380SFEkX8USuAGi+nknn2750JpeIa0K2PJLG7REXQxTTndMK8NHumykm63bZKIosdjC8=', 'xYuvE6ES2q02iyx0gj+TcxpQsqddzdkIJrpkxnhqM1VY6AGnW9K7iueX76+kb51aZY1MQHOImE+WAxBe/9TWW8PghqnYJs+uiWFcbqIrt7wBNgYAZIb4fWIYK6I8PvG

Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/6@1/2

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Program Files (x86)\Google Chrome sandbox.exe.exe

Jump to behavior

Source: C:\Users\user\Desktop\K59gVXTgGv.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome sandbox.exe.lnk

Jump to behavior

Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe

Mutant created: NULL

Source: K59gVXTgGv.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: K59gVXTgGv.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\K59gVXTgGv.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\K59gVXTgGv.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: K59gVXTgGv.exe	ReversingLabs: Detection: 67%
Source: K59gVXTgGv.exe	Virustotal: Detection: 64%

Source: unknown	Process created: C:\Users\user\Desktop\K59gVXTgGv.exe "C:\Users\user\Desktop\K59gVXTgGv.exe"
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\K59gVXTgGv.exe" "C:\Program Files (x86)\Google Chrome sandbox.exe.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Program Files (x86)\Google Chrome sandbox.exe.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Google Chrome sandbox.exe.exe "C:\Program Files (x86)\Google Chrome sandbox.exe.exe"
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\K59gVXTgGv.exe" "C:\Program Files (x86)\Google Chrome sandbox.exe.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Program Files (x86)\Google Chrome sandbox.exe.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Google Chrome sandbox.exe.exe "C:\Program Files (x86)\Google Chrome sandbox.exe.exe"	Jump to behavior

Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\K59gVXTgGv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Google Chrome sandbox.exe.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\Google Chrome sandbox.exe.exe

Source: C:\Users\user\Desktop\K59gVXTgGv.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: K59gVXTgGv.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: K59gVXTgGv.exe

Static file information: File size 1735048 > 1048576

Source: K59gVXTgGv.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 0.2.K59gVXTgGv.exe.2f72050.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.6900000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.314dc30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.40d5ef0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.6900000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.40d5ef0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2390410734.0000000006900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.00000000040D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2386535902.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR

.NET source code contains method to dynamically call methods (often used by packers)

Source: K59gVXTgGv.exe, Ca3t4Y.cs	.Net Code: NewLateBinding.LateCall(objectValue, (Type)null, "Invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)
Source: Google Chrome sandbox.exe.exe.4.dr, Ca3t4Y.cs	.Net Code: NewLateBinding.LateCall(objectValue, (Type)null, "Invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: K59gVXTgGv.exe, Ca3t4Y.cs	.Net Code: r2K6W System.Reflection.Assembly.Load(byte[])
Source: 0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Google Chrome sandbox.exe.exe.4.dr, Ca3t4Y.cs	.Net Code: r2K6W System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_02D19B80 pushad ; retf	0_2_02D19BF1
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06987990 pushad ; ret	0_2_06987991
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06987992 push eax; ret	0_2_06987999
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06AD45F0 push eax; iretd	0_2_06AD45FD
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06AD8F30 push es; ret	0_2_06AD8F50
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06AD73A0 push es; ret	0_2_06AD73B0
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06AD3390 push es; ret	0_2_06AD33A0
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06ADF80C pushfd ; retf	0_2_06ADF80D
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06ADF855 pushfd ; retf	0_2_06ADF856
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06C0A608 pushfd ; retf	0_2_06C0A609
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06C0A5DC pushfd ; retf	0_2_06C0A5DD
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06C02F0B push es; ret	0_2_06C02F16
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06C009F3 pushfd ; iretd	0_2_06C009F5
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06C4FF80 pushfd ; retf	0_2_06C4FF81
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_06C41F59 push es; ret	0_2_06C41F60
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_0820C040 push es; ret	0_2_0820C07A
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Code function: 0_2_0820F21D push FFFFFF8Bh; iretd	0_2_0820F21F

Source: K59gVXTgGv.exe	Static PE information: section name: .text entropy: 6.961855800562577
Source: Google Chrome sandbox.exe.exe.4.dr	Static PE information: section name: .text entropy: 6.961855800562577

Source: K59gVXTgGv.exe, Em62.cs	High entropy of concatenated method names: 'Mo7w3J', 'g8BXb5', 'g0LSe8', 'm6X8Wr', 'Mc1z8E', 'Ci35Qw', 'Zg2j1H', 'mciSendStringW', 'XInputGetState', 'XInputSetState'
Source: Google Chrome sandbox.exe.exe.4.dr, Em62.cs	High entropy of concatenated method names: 'Mo7w3J', 'g8BXb5', 'g0LSe8', 'm6X8Wr', 'Mc1z8E', 'Ci35Qw', 'Zg2j1H', 'mciSendStringW', 'XInputGetState', 'XInputSetState'

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Program Files (x86)\Google Chrome sandbox.exe.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Program Files (x86)\Google Chrome sandbox.exe.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR

Source: C:\Users\user\Desktop\K59gVXTgGv.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome sandbox.exe.lnk

Jump to behavior

Source: C:\Users\user\Desktop\K59gVXTgGv.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome sandbox.exe.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\K59gVXTgGv.exe

File opened: C:\Users\user\Desktop\K59gVXTgGv.exe\:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43	Jump to behavior

Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Memory allocated: 2E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Memory allocated: 4E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Memory allocated: 1140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Memory allocated: 2AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Memory allocated: 4AE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\K59gVXTgGv.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Window / User API: threadDelayed 8312			Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Window / User API: threadDelayed 1532			Jump to behavior

Source: C:\Users\user\Desktop\K59gVXTgGv.exe TID: 2860	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe TID: 2860	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6204	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6204	Thread sleep time: -41000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 4140	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 4140	Thread sleep time: -41000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Thread delayed: delay time: 30000			Jump to behavior

Source: K59gVXTgGv.exe, 00000000.00000002.2391605294.0000000007F85000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}#G
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.00000000040D5000.00000004.00000800.00020000.00000000.sdmp, K59gVXTgGv.exe, 00000000.00000002.2390410734.0000000006900000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VBoxTray
Source: K59gVXTgGv.exe, 00000000.00000002.2390346304.00000000067B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: K59gVXTgGv.exe, 00000000.00000002.2390410734.0000000006900000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: K59gVXTgGv.exe, 00000000.00000002.2385923555.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, Google Chrome sandbox.exe.exe, 0000000A.00000002.3261484937.0000000000F69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\K59gVXTgGv.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\K59gVXTgGv.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: 0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: 0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\K59gVXTgGv.exe" "C:\Program Files (x86)\Google Chrome sandbox.exe.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Program Files (x86)\Google Chrome sandbox.exe.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Google Chrome sandbox.exe.exe "C:\Program Files (x86)\Google Chrome sandbox.exe.exe"	Jump to behavior

Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Queries volume information: C:\Users\user\Desktop\K59gVXTgGv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\K59gVXTgGv.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Queries volume information: C:\Program Files (x86)\Google Chrome sandbox.exe.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google Chrome sandbox.exe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\K59gVXTgGv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: 0.2.K59gVXTgGv.exe.2f72050.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.314dc30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum#\Electrum\wallets
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
Source: K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore

Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: 0.2.K59gVXTgGv.exe.2f72050.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.314dc30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.314dc30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.2f72050.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f4ab8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.401f560.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.4015f19.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f158fa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3fea2ea.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K59gVXTgGv.exe.3f41529.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K59gVXTgGv.exe PID: 5160, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	1 Peripheral Device Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	131 Obfuscated Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	21 Software Packing	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	21 Security Software Discovery	Distributed Component Object Model	1 Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
K59gVXTgGv.exe	68%	ReversingLabs	Win32.Trojan.SnakeKeylogger
K59gVXTgGv.exe	65%	Virustotal		Browse
K59gVXTgGv.exe	100%	Avira	HEUR/AGEN.1304596
K59gVXTgGv.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Google Chrome sandbox.exe.exe	100%	Avira	HEUR/AGEN.1304596
C:\Program Files (x86)\Google Chrome sandbox.exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google Chrome sandbox.exe.exe	68%	ReversingLabs	Win32.Trojan.SnakeKeylogger

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://api.telegram.org/file/bot	0%	Avira URL Cloud	safe
http://www.google.com	0%	Avira URL Cloud	safe
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13	0%	Avira URL Cloud	safe
https://github.com/LimerBoy/StormKitty	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
194.26.192.92	0%	Avira URL Cloud	safe
https://csp.withgoogle.com/csp/gws/other-hp	0%	Avira URL Cloud	safe
https://pastebin.com/raw/7B75u64B	0%	Avira URL Cloud	safe
http://www.google.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	142.250.185.164	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
194.26.192.92	true	Avira URL Cloud: safe	unknown
http://www.google.com/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.google.com	K59gVXTgGv.exe, Google Chrome sandbox.exe.exe.4.dr	false	Avira URL Cloud: safe	unknown
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0	K59gVXTgGv.exe, 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp, K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, K59gVXTgGv.exe, 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13	K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/file/bot	K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://github.com/LimerBoy/StormKitty	K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	K59gVXTgGv.exe, 00000000.00000002.2386535902.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Google Chrome sandbox.exe.exe, 0000000A.00000002.3262432650.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://csp.withgoogle.com/csp/gws/other-hp	K59gVXTgGv.exe, 00000000.00000002.2386535902.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Google Chrome sandbox.exe.exe, 0000000A.00000002.3262432650.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/7B75u64B	K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, K59gVXTgGv.exe, 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.185.164	www.google.com	United States		15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465048
Start date and time:	2024-07-01 08:26:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	K59gVXTgGv.exe renamed because original name is a hash value
Original Sample Name:	b7ca45674c6b8a24a6a71315e0e51397.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/6@1/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 97% Number of executed functions: 201 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Google Chrome sandbox.exe.exe, PID 2364 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:27:04	API Interceptor	222x Sleep call for process: K59gVXTgGv.exe modified
02:28:07	API Interceptor	20x Sleep call for process: PING.EXE modified
08:27:09	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome sandbox.exe.lnk

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Program Files (x86)\Google Chrome sandbox.exe.exe	SUimFrNB4N.exe	Get hash	malicious	LummaC, AsyncRAT, DarkTortilla, Njrat, SmokeLoader, StormKitty	Browse
C:\Program Files (x86)\Google Chrome sandbox.exe.exe	qoe1X4ig0N.exe	Get hash	malicious	LummaC, AsyncRAT, DarkTortilla, LummaC Stealer, Njrat, SmokeLoader, StormKitty	Browse

Created / dropped Files

C:\Program Files (x86)\Google Chrome sandbox.exe.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1735048
Entropy (8bit):	6.632933062634782
Encrypted:	false
SSDEEP:	24576:iRJSuMgl+JTBJ5aB3KoWWbHcXThtehTl5O9TLb:0IEFd/CTqR8P
MD5:	B7CA45674C6B8A24A6A71315E0E51397
SHA1:	79516B1BD2227F08FF333B950DAFB29707916828
SHA-256:	63D2C37FDB370CF6E743BD75E7408F5EDED5BC823A29401EEAFE0BEA921657BB
SHA-512:	F390C2D017C041B60C57A67508341512785EFBD25CB93A5C2849B4A5ADB52931EA92ECA7BBBEF3E0CAE0C919525770582E4C5E2518033C1C61542C0C2C1EBF2F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Joe Sandbox View:	Filename: SUimFrNB4N.exe, Detection: malicious, Browse Filename: qoe1X4ig0N.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g..d..............P......@........... ... ....@.. ....................................`.....................................O.... ..p=...........6...C...`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc...p=... ...>..................@..@.reloc.......`.......4..............@..B........................H.......\w..............H.....................................................+>.~.>...?..?}?U?...?&.{ ...+."..} ...&.{!...+."..}!...&.{"...+."..}"...&.{#...+."..}#...&.{$...+."..}$.....(%.....} .....}!.....}"......}#......}$.....('...&..((.....s)........s........s+........s,........s-........Z........o@...........&..(%....j..{....(...+}.....{....+....{......,.+.....,.r...psE...z..\|....(...+&........".......Vs+...(J...t...........(K...&..(.....*B..(6..

C:\Program Files (x86)\Google Chrome sandbox.exe.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\K59gVXTgGv.exe.log

Download File

Process:	C:\Users\user\Desktop\K59gVXTgGv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLV1qE4x84qpE4KlKDE4KhKiKhIE4KnKIE4oKNzKoZAE4Kze0E4j:Mp1qHxv2HKlYHKh3oIHKntHo6hAHKzea
MD5:	8275047EA04782E18195CE5F2F076225
SHA1:	86FE553781E50EE2493A6D54A2F329FF94AD0DEE
SHA-256:	302DE184C80A778557AA7F09DDCAB59FED5712B6BC617FDEAFE1E004021FFDDC
SHA-512:	4F7B9BE379C98D5E9609D46FC0B473C66A977C3A081C60872CB8FE344C2785A285E9D9019D49515A6DC5D1E6EFF2D8DD5E5BA49086AF24F8A2F50E6B9EBE588B
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome sandbox.exe.lnk

Download File

Process:	C:\Users\user\Desktop\K59gVXTgGv.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	860
Entropy (8bit):	3.5179406048799224
Encrypted:	false
SSDEEP:	12:8wl0M0a/ledp86dUi0n8bdpYiQ+0n60bdpYiQ+0nHgQ/CNUvH4t2YZ/elFlSJm:8gudO6Z0IdRZ06gdRZ0HXOUFqy
MD5:	048DC386A4ED2A90A325DD7716549C15
SHA1:	DF972080CACAF37BB956B468A7485262D067A123
SHA-256:	C83EE8BF1732C9986BAE37F6EBD13B21A194F7531267A403AFF361B8AF8ACB50
SHA-512:	FF9989E974D633ABABF2B96A14A53FFFBA5293C7EEAA2CFA5CCEE37CC3B065DC5A136CFD0956011266ED1CACA653E3703A775A164B593270B381DD6537E4F5A7
Malicious:	false
Preview:	L..................F........................................................A....P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)..."...2...........Google Chrome sandbox.exe.exe.l............................................G.o.o.g.l.e. .C.h.r.o.m.e. .s.a.n.d.b.o.x...e.x.e...e.x.e...,...L.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.G.o.o.g.l.e. .C.h.r.o.m.e. .s.a.n.d.b.o.x...e.x.e...e.x.e.4.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.G.o.o.g.l.e. .C.h.r.o.m.e. .s.a.n.d.b.o.x...e.x.e...e.x.e.........*................@Z\|...K.J.....................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2342
Entropy (8bit):	4.725019911843614
Encrypted:	false
SSDEEP:	12:PKMRJpTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTL:/Q/5AokItULVDv
MD5:	7A559C3B1494D896C79D9CA23EA8A48F
SHA1:	93713262CF69081EF835824234A91FF57910C861
SHA-256:	8FFB12299478980F44C9E70949F03031BBCA244270E08C429D39807601AE9433
SHA-512:	CC78AF792F52DB67355BE5A5E58D6813E460744CC1B6E3BD4B90B17C6EB919A252BF56184F96F7CF02D72BDA235BC6C19B52BC58CFC17195B37A0F5828201609
Malicious:	false
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: byt

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.632933062634782
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	K59gVXTgGv.exe
File size:	1'735'048 bytes
MD5:	b7ca45674c6b8a24a6a71315e0e51397
SHA1:	79516b1bd2227f08ff333b950dafb29707916828
SHA256:	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb
SHA512:	f390c2d017c041b60c57a67508341512785efbd25cb93a5c2849b4a5adb52931ea92eca7bbbef3e0cae0c919525770582e4c5e2518033c1c61542c0c2c1ebf2f
SSDEEP:	24576:iRJSuMgl+JTBJ5aB3KoWWbHcXThtehTl5O9TLb:0IEFd/CTqR8P
TLSH:	BB856B06E2A8FED7C409C1788C36C1B143EA7C9AD61781AF24F67E963EF23D41129957
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g..d..............P......@........... ... ....@.. ....................................`................................

File Icon


Icon Hash:	173149cccc490307

Static PE Info

General

Entrypoint:	0x50132e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x649A1167 [Mon Jun 26 22:29:59 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1012dc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x102000	0x53d70	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x153600	0x54388
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x156000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xff334	0xff400	62f65a13ea765d5bbd341a2ff8585c91	False	0.6681495240572968	data	6.961855800562577	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x102000	0x53d70	0x53e00	3cd24c7648cc0c247d6c869905635916	False	0.49696989102086436	data	6.211945994263363	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x156000	0xc	0x200	930d619476dd2c8b6b2b8731192b23c1	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x103540	0x134	data			0.4837662337662338
RT_CURSOR	0x103674	0x134	data			0.22402597402597402
RT_CURSOR	0x1037a8	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"			0.2077922077922078
RT_CURSOR	0x1038dc	0x134	data			0.461038961038961
RT_CURSOR	0x103a10	0x134	data			0.39935064935064934
RT_CURSOR	0x103b44	0xcac	data			0.08446362515413071
RT_CURSOR	0x1047f0	0x134	data			0.32142857142857145
RT_CURSOR	0x104924	0xcac	data			0.06103575832305795
RT_CURSOR	0x1055d0	0x10ac	Targa image data 64 x 65536 x 1 +32 " "			0.03280224929709466
RT_CURSOR	0x10667c	0x10ac	Targa image data 64 x 65536 x 1 +32 " "			0.07966260543580131
RT_CURSOR	0x107728	0x10ac	Targa image data 64 x 65536 x 1 +32 " "			0.07872539831302718
RT_CURSOR	0x1087d4	0x10ac	Targa image data 64 x 65536 x 1 +32 " "			0.07591377694470477
RT_CURSOR	0x109880	0x10ac	Targa image data 64 x 65536 x 1 +32 " "			0.03420805998125586
RT_CURSOR	0x10a92c	0x10ac	Targa image data 64 x 65536 x 1 +32 " "			0.03655107778819119
RT_CURSOR	0x10b9d8	0x10ac	Targa image data 64 x 65536 x 1 +32 " "			0.03795688847235239
RT_CURSOR	0x10ca84	0x10ac	Targa image data 64 x 65536 x 1 +32 " "			0.03303655107778819
RT_CURSOR	0x10db30	0x10ac	Targa image data 64 x 65536 x 1 +32 " "			0.036785379568884724
RT_CURSOR	0x10ebdc	0x10ac	Targa image data 64 x 65536 x 1 +32 " "			0.03608247422680412
RT_CURSOR	0x10fc88	0x10ac	Targa image data 64 x 65536 x 1 +32 " "			0.042877225866916585
RT_CURSOR	0x110d34	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"			0.23376623376623376
RT_CURSOR	0x110e68	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.1590909090909091
RT_CURSOR	0x110f9c	0x134	data			0.3181818181818182
RT_CURSOR	0x1110d0	0x134	data			0.30194805194805197
RT_ICON	0x111204	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.4913294797687861
RT_ICON	0x11176c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.46435018050541516
RT_ICON	0x112014	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.39072494669509594
RT_ICON	0x112ebc	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.6214539007092199
RT_ICON	0x113324	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.4298780487804878
RT_ICON	0x1143cc	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.32863070539419087
RT_ICON	0x116974	0x7cfc	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9984998124765596
RT_ICON	0x11e670	0x38	Device independent bitmap graphic, 1 x 2 x 1, image size 0			0.4107142857142857
RT_ICON	0x11e6a8	0x38	Device independent bitmap graphic, 1 x 2 x 1, image size 0			0.4107142857142857
RT_ICON	0x11e6e0	0x38	Device independent bitmap graphic, 1 x 2 x 1, image size 0			0.4107142857142857
RT_ICON	0x11e718	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.4429190751445087
RT_ICON	0x11ec80	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.411101083032491
RT_ICON	0x11f528	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.35047974413646055
RT_ICON	0x1203d0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.6046099290780141
RT_ICON	0x120838	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.40196998123827393
RT_ICON	0x1218e0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.31483402489626555
RT_ICON	0x123e88	0x7c98	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9978994231251568
RT_ICON	0x12bb20	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.2332089552238806
RT_ICON	0x12c9c8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.3564981949458484
RT_ICON	0x12d270	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5173410404624278
RT_ICON	0x12d7d8	0x7fa	PNG image data, 256 x 256, 8-bit colormap, non-interlaced			0.8736532810969637
RT_ICON	0x12dfd4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06732365145228215
RT_ICON	0x13057c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.10694183864915573
RT_ICON	0x131624	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.25177304964539005
RT_ICON	0x131a8c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.2260127931769723
RT_ICON	0x132934	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.3456678700361011
RT_ICON	0x1331dc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5079479768786127
RT_ICON	0x133744	0x7c8	PNG image data, 256 x 256, 8-bit colormap, non-interlaced			0.8704819277108434
RT_ICON	0x133f0c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06244813278008299
RT_ICON	0x1364b4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.09803001876172608
RT_ICON	0x13755c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.23049645390070922
RT_ICON	0x1379c4	0x4a8	Device independent bitmap graphic, 17 x 32 x 32, image size 1088, resolution 2835 x 2835 px/m			0.28439597315436244
RT_ICON	0x137e6c	0x1234	Device independent bitmap graphic, 33 x 66 x 32, image size 4356, resolution 2835 x 2835 px/m			0.11566523605150214
RT_ICON	0x1390a0	0x2668	Device independent bitmap graphic, 49 x 96 x 32, image size 9408, resolution 2835 x 2835 px/m			0.07811228641171684
RT_ICON	0x13b708	0x184b	PNG image data, 257 x 256, 8-bit/color RGBA, non-interlaced			0.992603312429651
RT_ICON	0x13cf54	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.4552023121387283
RT_ICON	0x13d4bc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.43772563176895307
RT_ICON	0x13dd64	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.4013859275053305
RT_ICON	0x13ec0c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.5638297872340425
RT_ICON	0x13f074	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.3574108818011257
RT_ICON	0x14011c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.300103734439834
RT_ICON	0x1426c4	0x6c1c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9986631016042781
RT_ICON	0x1492e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.4653179190751445
RT_ICON	0x149848	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.4426895306859206
RT_ICON	0x14a0f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.4064498933901919
RT_ICON	0x14af98	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.5709219858156028
RT_ICON	0x14b400	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.3602251407129456
RT_ICON	0x14c4a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.30072614107883816
RT_ICON	0x14ea50	0x6a18	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9981958762886598
RT_GROUP_CURSOR	0x155468	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x15547c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x155490	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1554a4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1554b8	0x22	Lotus unknown worksheet or configuration, revision 0x2			1.0
RT_GROUP_CURSOR	0x1554dc	0x22	Lotus unknown worksheet or configuration, revision 0x2			1.0
RT_GROUP_CURSOR	0x155500	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.2
RT_GROUP_CURSOR	0x155514	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.2
RT_GROUP_CURSOR	0x155528	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.2
RT_GROUP_CURSOR	0x15553c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.2
RT_GROUP_CURSOR	0x155550	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.2
RT_GROUP_CURSOR	0x155564	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.2
RT_GROUP_CURSOR	0x155578	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.2
RT_GROUP_CURSOR	0x15558c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.2
RT_GROUP_CURSOR	0x1555a0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.2
RT_GROUP_CURSOR	0x1555b4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.2
RT_GROUP_CURSOR	0x1555c8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.2
RT_GROUP_CURSOR	0x1555dc	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1555f0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x155604	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x155618	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0x15562c	0x68	data			0.7307692307692307
RT_GROUP_ICON	0x155694	0x14	data			1.1
RT_GROUP_ICON	0x1556a8	0x14	data			1.1
RT_GROUP_ICON	0x1556bc	0x14	data			1.1
RT_GROUP_ICON	0x1556d0	0x68	data			0.7403846153846154
RT_GROUP_ICON	0x155738	0x68	data			0.7115384615384616
RT_GROUP_ICON	0x1557a0	0x68	data			0.7115384615384616
RT_GROUP_ICON	0x155808	0x3e	data			0.8870967741935484
RT_GROUP_ICON	0x155848	0x68	data			0.7307692307692307
RT_GROUP_ICON	0x1558b0	0x68	data			0.7211538461538461
RT_VERSION	0x155918	0x458	data	English	United States	0.44064748201438847

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 08:26:58.001311064 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.006217957 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.006336927 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.006576061 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.011384964 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.671827078 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.671885014 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.671920061 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.671947002 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.671952963 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.671988010 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.672020912 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.672024012 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.672054052 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.672069073 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.672087908 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.672120094 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.672156096 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.672159910 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.672205925 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.677032948 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.677088022 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.677148104 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.760669947 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.760781050 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.760817051 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.760854006 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.761136055 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.761169910 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.761204004 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.761231899 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.761257887 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.770225048 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.770257950 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.770292997 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.770312071 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.773196936 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.773278952 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.773310900 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.773329973 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.773386002 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.779247046 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.779279947 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.779310942 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.779367924 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.785517931 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.785552025 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.785583019 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.785583973 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.785645962 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.791285038 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.791349888 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.791383028 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.791399002 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.797246933 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.797343016 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.797349930 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.797375917 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.797449112 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.803215027 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.803244114 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.803277969 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.803342104 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.803383112 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.803383112 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.809190989 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.809292078 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.809322119 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.809341908 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.809355021 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.809392929 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.849302053 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.849335909 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.849370003 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.849396944 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.849401951 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.849436045 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.849478960 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.853332996 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.853365898 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.853396893 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.853518963 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.859318018 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.859417915 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.859450102 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.859498024 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.865319014 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.865351915 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.865369081 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.865382910 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.865463018 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:26:58.889996052 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.890079021 CEST	80	49705	142.250.185.164	192.168.2.5
Jul 1, 2024 08:26:58.890234947 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:27:35.064106941 CEST	49705	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:57.393240929 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:57.398905039 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:57.398988962 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:57.399290085 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:57.404958963 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.071584940 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.071600914 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.071611881 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.071624041 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.071635962 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.071645975 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.071656942 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.071657896 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.071670055 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.071723938 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.071749926 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.071751118 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.071763039 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.071805000 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.076615095 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.076630116 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.076643944 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.076699972 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.160655975 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.160671949 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.160686016 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.160778046 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.161279917 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.161292076 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.161303043 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.161443949 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.161443949 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.170557022 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.170571089 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.170582056 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.170618057 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.173113108 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.173125029 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.173173904 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.173187017 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.173198938 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.173238039 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.189199924 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.189256907 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.189361095 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.189373016 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.189378977 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.189390898 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.189518929 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.189518929 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.193970919 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.193983078 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.193994045 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.194030046 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.197211981 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.197251081 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.197261095 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.197266102 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.197313070 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.203463078 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.203474998 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.203495979 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.203516960 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.209429026 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.209440947 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.209453106 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.209484100 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.209517002 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.249123096 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.249135971 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.249147892 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.249202967 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.249274015 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.249284983 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.249294996 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.249413013 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.249413967 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.253582001 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.253593922 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.253603935 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.253643990 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.259624958 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.259637117 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.259645939 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.259675980 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.259727955 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.265616894 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.265629053 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.265639067 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.265662909 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.271656036 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.271667957 CEST	80	49718	142.250.185.164	192.168.2.5
Jul 1, 2024 08:28:58.271718025 CEST	49718	80	192.168.2.5	142.250.185.164
Jul 1, 2024 08:28:58.319847107 CEST	49718	80	192.168.2.5	142.250.185.164

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 08:26:57.989820957 CEST	55857	53	192.168.2.5	1.1.1.1
Jul 1, 2024 08:26:57.996589899 CEST	53	55857	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 1, 2024 08:26:57.989820957 CEST	192.168.2.5	1.1.1.1	0x2d15	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 1, 2024 08:26:57.996589899 CEST	1.1.1.1	192.168.2.5	0x2d15	No error (0)	www.google.com		142.250.185.164	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.google.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	142.250.185.164	80	5160	C:\Users\user\Desktop\K59gVXTgGv.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 08:26:58.006576061 CEST	64	OUT	GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Jul 1, 2024 08:26:58.671827078 CEST	1236	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 06:26:58 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-r-v2lPLc9S4itAJ6OeFjRw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: AEC=AQTF6HyAViGHWpclHbpGkp9MY1DIksljjj1V18txPAtxwjkUX0pfgg_wKRI; expires=Sat, 28-Dec-2024 06:26:58 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: NID=515=n2zFv__emfA8HY2RktY5rmmo5ou-IINT6-SM3w0pCXkQML7HgMm2KP7yR1iMtjbU5MFxrsJ7oQwud76F27MtAKcU6Nnb2clhwd_lI1XB-5vWTvL9WZCnMRwf8S-qhwZHZx0l5DIOCcSx6pGTHD6Wuerrlv0LB4XdZzKnjM4IUkg; expires=Tue, 31-Dec-2024 06:26:58 GMT; path=/; domain=.google.com; HttpOnly Accept-Ranges: none Vary: Accept-Encoding Transfer-Encoding: chunked Data Raw: 34 36 36 31 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 Data Ascii: 4661<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google
Jul 1, 2024 08:26:58.671885014 CEST	1236	IN	Data Raw: 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 20 6e 61 6d 65 3d Data Ascii: has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x
Jul 1, 2024 08:26:58.671920061 CEST	1236	IN	Data Raw: 38 2c 31 30 36 31 2c 31 30 35 34 2c 32 2c 33 2c 31 35 33 31 2c 32 31 35 2c 31 30 38 2c 39 39 31 2c 34 39 38 2c 31 2c 35 37 31 2c 31 39 39 2c 33 37 30 2c 33 32 34 2c 31 2c 34 2c 32 2c 31 35 39 34 2c 32 37 39 2c 37 2c 31 32 2c 36 32 33 2c 31 37 33 Data Ascii: 8,1061,1054,2,3,1531,215,108,991,498,1,571,199,370,324,1,4,2,1594,279,7,12,623,1736,868,44,662,64,3,1,834,437,654,1,3,57,202,528,163,1,2,1435,4,244,179,116,831,121,545,1282,428,36,436,867,122,4,1,6,155,378,142,1570,4,367,3,93,1685,22,107,172,1
Jul 1, 2024 08:26:58.671952963 CEST	1236	IN	Data Raw: 69 2e 74 65 73 74 28 61 29 26 26 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 3d 3d 3d 22 68 74 74 70 73 3a 22 26 26 28 67 6f 6f 67 6c 65 2e 6d 6c 26 26 67 6f 6f 67 6c 65 2e 6d 6c 28 45 72 72 6f 72 28 22 61 22 29 2c 21 Data Ascii: i.test(a)&&window.location.protocol==="https:"&&(google.ml&&google.ml(Error("a"),!1,{src:a,glmm:1}),a="");return a}function t(a,b,c,d,k){var e="";b.search("&ei=")===-1&&(e="&ei="+p(d),b.search("&lei=")===-1&&(d=q(d))&&(e+="&lei="+d));d="";var
Jul 1, 2024 08:26:58.671988010 CEST	896	IN	Data Raw: 65 2e 6c 71 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 62 78 3d 21 31 3b 67 6f 6f 67 6c 65 2e 6c 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 76 61 72 20 64 3d 5b 5d 3b 67 6f 6f 67 6c 65 2e 66 63 65 3d 66 75 6e 63 74 69 6f 6e Data Ascii: e.lq.push([a,b])};google.bx=!1;google.lx=function(){};var d=[];google.fce=function(a,b,c,e){d.push([a,b,c,e])};google.qce=d;}).call(this);google.f={};(function(){document.documentElement.addEventListener("submit",function(b){var a;if(a=b.targ
Jul 1, 2024 08:26:58.672020912 CEST	1236	IN	Data Raw: 39 70 78 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 3b 7a 2d 69 6e 64 65 78 3a 39 39 38 3b 72 69 67 68 74 3a 30 7d 2e 67 62 74 6f 20 23 67 62 73 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 7d 23 67 62 78 33 2c 23 67 62 78 34 7b 62 Data Ascii: 9px;visibility:hidden;z-index:998;right:0}.gbto #gbs{background:#fff}#gbx3,#gbx4{background-color:#2d2d2d;background-image:none;_background-image:none;background-position:0 -138px;background-repeat:repeat-x;border-bottom:1px solid #000;font-si
Jul 1, 2024 08:26:58.672054052 CEST	1236	IN	Data Raw: 31 3b 2a 74 6f 70 3a 2d 32 70 78 3b 2a 6c 65 66 74 3a 2d 35 70 78 3b 2a 72 69 67 68 74 3a 35 70 78 3b 2a 62 6f 74 74 6f 6d 3a 34 70 78 3b 2d 6d 73 2d 66 69 6c 74 65 72 3a 22 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e Data Ascii: 1;top:-2px;left:-5px;right:5px;bottom:4px;-ms-filter:"progid:DXImageTransform.Microsoft.Blur(pixelradius=5)";opacity:1\0/;top:-4px\0/;left:-6px\0/;right:5px\0/;bottom:4px\0/}.gbma{position:relative;top:-1px;border-style:solid dashed dashed
Jul 1, 2024 08:26:58.672087908 CEST	1236	IN	Data Raw: 62 65 3b 63 6f 6c 6f 72 3a 23 33 36 63 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 70 78 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 32 70 78 7d 2e 67 62 7a 30 6c 20 2e 67 62 74 73 7b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 77 65 69 67 Data Ascii: be;color:#36c;padding-bottom:1px;padding-top:2px}.gbz0l .gbts{color:#fff;font-weight:bold}.gbtsa{padding-right:9px}#gbz .gbzt,#gbz .gbgt,#gbg .gbgt{color:#ccc!important}.gbtb2{display:block;border-top:2px solid transparent}.gbto .gbzt .gbtb2,.
Jul 1, 2024 08:26:58.672120094 CEST	1236	IN	Data Raw: 34 69 64 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 2d 34 34 70 78 20 2d 31 30 31 70 78 7d 23 67 62 6d 70 69 64 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 30 20 30 7d 23 67 62 6d 70 69 2c 23 67 62 6d 70 69 Data Ascii: 4id{background-position:-44px -101px}#gbmpid{background-position:0 0}#gbmpi,#gbmpid{border:none;display:inline-block;height:48px;width:48px}#gbmpiw{display:inline-block;line-height:9px;padding-left:20px;margin-top:10px;position:relative}#gbmpi
Jul 1, 2024 08:26:58.672156096 CEST	1236	IN	Data Raw: 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 2e 67 62 6d 6c 62 2d 68 76 72 2c 2e 67 62 6d 6c 62 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 Data Ascii: .gbmlb:visited{line-height:27px}.gbmlb-hvr,.gbmlb:focus{outline:none;text-decoration:underline !important}.gbmlbw{color:#ccc;margin:0 10px}.gbmt{padding:0 20px}.gbmt:hover,.gbmt:focus{background:#eee;cursor:pointer;outline:0 solid black;text-d
Jul 1, 2024 08:26:58.677032948 CEST	1236	IN	Data Raw: 67 69 6e 3a 30 20 32 30 70 78 7d 23 67 62 6d 70 6c 70 2e 67 62 70 73 7b 6d 61 72 67 69 6e 3a 30 20 31 30 70 78 7d 2e 67 62 70 63 20 2e 67 62 70 73 7b 63 6f 6c 6f 72 3a 23 30 30 30 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 2e 67 62 70 Data Ascii: gin:0 20px}#gbmplp.gbps{margin:0 10px}.gbpc .gbps{color:#000;font-weight:bold}.gbpc .gbpd{margin-bottom:5px}.gbpd .gbmt,.gbpd .gbps{color:#666 !important}.gbpd .gbmt{opacity:.4;filter:alpha(opacity=40)}.gbps2{color:#666;display:block}.gbp0{dis

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49718	142.250.185.164	80	2364	C:\Program Files (x86)\Google Chrome sandbox.exe.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 08:28:57.399290085 CEST	64	OUT	GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Jul 1, 2024 08:28:58.071584940 CEST	1236	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 06:28:57 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-ShaLFNmRdvuZ1kGvyC2zCQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: AEC=AQTF6Hx0BR1qOccPPlnBP0ah0VRPONeHF6wVsKbzautA0RX9vp7SD6AWM-k; expires=Sat, 28-Dec-2024 06:28:57 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: NID=515=Yh4z3hcKPq5rzopEiXVFMP1hdi7dC_ZpfPh-HsjarCYTW8LzDlIVRF29CFgRy0v_rgL96cl_I9m1tY_dUgV0gmq8yHD3FrOKqjKcz6OEp392RCOMPq-KJ6Z7PLDfSyTXfwOJ7Z74yZzSPABLARQatSlk1YTtRPhKpE1JkVNmbt0; expires=Tue, 31-Dec-2024 06:28:57 GMT; path=/; domain=.google.com; HttpOnly Accept-Ranges: none Vary: Accept-Encoding Transfer-Encoding: chunked Data Raw: 34 36 63 36 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 Data Ascii: 46c6<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google
Jul 1, 2024 08:28:58.071600914 CEST	1236	IN	Data Raw: 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 20 6e 61 6d 65 3d Data Ascii: has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x
Jul 1, 2024 08:28:58.071611881 CEST	1236	IN	Data Raw: 30 2c 32 33 37 2c 34 34 36 2c 34 35 32 2c 32 30 37 2c 31 39 2c 34 37 35 33 2c 31 2c 34 2c 32 2c 38 39 37 2c 34 35 2c 34 36 35 2c 31 39 38 31 2c 31 30 33 38 2c 31 34 2c 32 2c 33 2c 33 39 31 2c 31 31 33 38 2c 32 31 37 2c 31 30 37 2c 37 35 33 2c 32 Data Ascii: 0,237,446,452,207,19,4753,1,4,2,897,45,465,1981,1038,14,2,3,391,1138,217,107,753,2,239,496,1,770,370,356,1136,433,279,7,12,623,1375,361,15,1,1,1621,3,1,834,437,654,1,3,57,202,2129,4,245,294,834,118,1813,479,435,867,396,412,1574,367,3,93,573,11
Jul 1, 2024 08:28:58.071624041 CEST	1236	IN	Data Raw: 74 70 3a 2f 69 2e 74 65 73 74 28 61 29 26 26 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 3d 3d 3d 22 68 74 74 70 73 3a 22 26 26 28 67 6f 6f 67 6c 65 2e 6d 6c 26 26 67 6f 6f 67 6c 65 2e 6d 6c 28 45 72 72 6f 72 28 22 61 Data Ascii: tp:/i.test(a)&&window.location.protocol==="https:"&&(google.ml&&google.ml(Error("a"),!1,{src:a,glmm:1}),a="");return a}function t(a,b,c,d,k){var e="";b.search("&ei=")===-1&&(e="&ei="+p(d),b.search("&lei=")===-1&&(d=q(d))&&(e+="&lei="+d));d=""
Jul 1, 2024 08:28:58.071635962 CEST	1236	IN	Data Raw: 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 62 78 3d 21 31 3b 67 6f 6f 67 6c 65 2e 6c 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 76 61 72 20 64 3d 5b 5d 3b 67 6f 6f 67 6c 65 2e 66 63 65 3d 66 75 6e 63 Data Ascii: oogle.lq.push([a,b])};google.bx=!1;google.lx=function(){};var d=[];google.fce=function(a,b,c,e){d.push([a,b,c,e])};google.qce=d;}).call(this);google.f={};(function(){document.documentElement.addEventListener("submit",function(b){var a;if(a=b.
Jul 1, 2024 08:28:58.071645975 CEST	1120	IN	Data Raw: 77 69 64 74 68 3a 31 30 30 25 3b 7a 2d 69 6e 64 65 78 3a 39 39 30 7d 23 67 62 78 33 7b 6c 65 66 74 3a 30 7d 23 67 62 78 34 7b 72 69 67 68 74 3a 30 7d 23 67 62 62 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 23 67 62 62 77 7b 6c 65 66 Data Ascii: width:100%;z-index:990}#gbx3{left:0}#gbx4{right:0}#gbb{position:relative}#gbbw{left:0;position:absolute;top:30px;width:100%}.gbtcb{position:absolute;visibility:hidden}#gbz .gbtcb{right:0}#gbg .gbtcb{left:0}.gbxx{display:none !important}.gbxo{o
Jul 1, 2024 08:28:58.071656942 CEST	1236	IN	Data Raw: 79 6c 65 3a 73 6f 6c 69 64 20 64 61 73 68 65 64 20 64 61 73 68 65 64 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 2d 74 6f 70 2d 63 6f 6c 6f 72 3a 23 63 30 63 30 63 30 3b 64 69 73 70 6c 61 79 3a Data Ascii: yle:solid dashed dashed;border-color:transparent;border-top-color:#c0c0c0;display:-moz-inline-box;display:inline-block;font-size:0;height:0;line-height:0;width:0;border-width:3px 3px 0;padding-top:1px;left:4px}#gbztms1,#gbi4m1,#gbi4s,#gbi4t{zo
Jul 1, 2024 08:28:58.071670055 CEST	1236	IN	Data Raw: 6e 74 7d 2e 67 62 74 6f 20 2e 67 62 7a 74 20 2e 67 62 74 62 32 2c 2e 67 62 74 6f 20 2e 67 62 67 74 20 2e 67 62 74 62 32 7b 62 6f 72 64 65 72 2d 74 6f 70 2d 77 69 64 74 68 3a 30 7d 2e 67 62 74 62 20 2e 67 62 74 73 7b 62 61 63 6b 67 72 6f 75 6e 64 Data Ascii: nt}.gbto .gbzt .gbtb2,.gbto .gbgt .gbtb2{border-top-width:0}.gbtb .gbts{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:-27px -22px;border:
Jul 1, 2024 08:28:58.071751118 CEST	1236	IN	Data Raw: 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 23 67 62 6d 70 69 2c 23 67 62 6d 70 69 64 2c 23 67 62 6d 70 69 77 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 23 67 62 67 35 7b 66 6f 6e 74 2d 73 69 7a 65 3a 30 7d 23 67 62 67 73 35 7b 70 Data Ascii: osition:relative}#gbmpi,#gbmpid,#gbmpiw{*display:inline}#gbg5{font-size:0}#gbgs5{padding:5px !important}.gbto #gbgs5{padding:7px 5px 6px !important}#gbi5{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://
Jul 1, 2024 08:28:58.071763039 CEST	104	IN	Data Raw: 6e 65 3a 30 20 73 6f 6c 69 64 20 62 6c 61 63 6b 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 30 6c 2c 2e 67 62 6d 30 6c 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 30 20 Data Ascii: ne:0 solid black;text-decoration:none !important}.gbm0l,.gbm0l:visited{color:#000 !important;font-weight
Jul 1, 2024 08:28:58.076615095 CEST	1236	IN	Data Raw: 3a 62 6f 6c 64 7d 2e 67 62 6d 68 7b 62 6f 72 64 65 72 2d 74 6f 70 3a 31 70 78 20 73 6f 6c 69 64 20 23 62 65 62 65 62 65 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 7d 23 67 62 64 34 20 2e 67 62 6d 63 7b 62 61 63 Data Ascii: :bold}.gbmh{border-top:1px solid #bebebe;font-size:0;margin:10px 0}#gbd4 .gbmc{background:#f5f5f5;padding-top:0}#gbd4 .gbsbic::-webkit-scrollbar-track:vertical{background-color:#f5f5f5;margin-top:2px}#gbmpdv{background:#fff;border-bottom:1px s

Target ID:	0
Start time:	02:26:57
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\K59gVXTgGv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\K59gVXTgGv.exe"
Imagebase:	0xa70000
File size:	1'735'048 bytes
MD5 hash:	B7CA45674C6B8A24A6A71315E0E51397
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.2386535902.0000000003146000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2390410734.0000000006900000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2388229518.00000000040D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.2386535902.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2386535902.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: RAT_njRat, Description: Detects njRAT, Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.2388229518.0000000003FEA000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: RAT_njRat, Description: Detects njRAT, Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.2388229518.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:27:34
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\K59gVXTgGv.exe" "C:\Program Files (x86)\Google Chrome sandbox.exe.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Program Files (x86)\Google Chrome sandbox.exe.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	02:27:34
Start date:	01/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	02:27:34
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 43
Imagebase:	0x7d0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:28:15
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 43
Imagebase:	0x7d0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:28:56
Start date:	01/07/2024
Path:	C:\Program Files (x86)\Google Chrome sandbox.exe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Google Chrome sandbox.exe.exe"
Imagebase:	0x330000
File size:	1'735'048 bytes
MD5 hash:	B7CA45674C6B8A24A6A71315E0E51397
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	16.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	143
Total number of Limit Nodes:	5

Executed Functions

Function 02D16E01 Relevance: 12.3, Strings: 9, Instructions: 1010COMMON

Download Yara Rule

Strings

(o]q, xrefs: 02D16FA1
(o]q, xrefs: 02D17479
(o]q, xrefs: 02D16FCD
,aq, xrefs: 02D1735A
(o]q, xrefs: 02D16EE6
(o]q, xrefs: 02D173B9
(o]q, xrefs: 02D173C9
,aq, xrefs: 02D1734A
(o]q, xrefs: 02D1706A

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-99275883
Opcode ID: 19bad34fd9e285bae58d4a0193f154115f99414dbd1740d4a2032f85f58400a9
Instruction ID: 92af0ca45c610188b8f562843f10093d979cc96012b2ef3859f0da75b7e1303e
Opcode Fuzzy Hash: 19bad34fd9e285bae58d4a0193f154115f99414dbd1740d4a2032f85f58400a9
Instruction Fuzzy Hash: C8925B34A00609EFDB14CF68E984AAEBBF2FF48314F258555E8459B7A5D730ED41CB90

Function 02D15F20 Relevance: 11.1, Strings: 8, Instructions: 1148COMMON

Download Yara Rule

Strings

Haq, xrefs: 02D165EE
(o]q, xrefs: 02D16722
,aq, xrefs: 02D16AE0
,aq, xrefs: 02D15FF6
,aq, xrefs: 02D16AD2
(o]q, xrefs: 02D16A5A
(o]q, xrefs: 02D16A68
,aq, xrefs: 02D16000

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$,aq$,aq$,aq$,aq$Haq
API String ID: 0-2006068749
Opcode ID: 40b6f92985ecc65b27a0a57e5d6de3f43a6c8bf6cd7ecd40365850d68f95cdf3
Instruction ID: 40fbe1c47f2e7128d08243eefc10e61fc9d1861fb2f6785ed340778e3f36c198
Opcode Fuzzy Hash: 40b6f92985ecc65b27a0a57e5d6de3f43a6c8bf6cd7ecd40365850d68f95cdf3
Instruction Fuzzy Hash: F1A28174A00219AFCB14DF69D884AAEBBF6FF88304F158169E905DB7A5DB30DC41CB90

Function 06C0C344 Relevance: 6.9, Strings: 5, Instructions: 627
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 06C0FDF8
(aq, xrefs: 06C0F935
Haq, xrefs: 06C0FBDA
PH]q, xrefs: 06C0F909
Haq, xrefs: 06C0FC39

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: (aq$Haq$Haq$Haq$PH]q
API String ID: 0-1859950085
Opcode ID: 85bb6e8434d6c54c91314982776a96a89af8e494bd97249e2a00e40067998330
Instruction ID: 5cebccdf2dcdf53ed3bc41d22debc4278a4c31c7cdb5ad9e9dec6b0f9f3c9943
Opcode Fuzzy Hash: 85bb6e8434d6c54c91314982776a96a89af8e494bd97249e2a00e40067998330
Instruction Fuzzy Hash: 5922BF70B002158FDB64EB38C85476E7BA2AF88710F24856DE55ADB3E1CE34DD82CB91

Function 08200040 Relevance: 6.7, Strings: 5, Instructions: 482
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;]q, xrefs: 08200A6B
@b]q, xrefs: 08200A8B
$]q, xrefs: 08200A79
,baq, xrefs: 08200ABF
], xrefs: 0820006E

Memory Dump Source

Source File: 00000000.00000002.2391690287.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8200000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: ,baq$@b]q$]$$]q$;]q
API String ID: 0-3197633098
Opcode ID: 880ce4b1a027b150dbddddb119b5ee7879c8dff8ca9754ae3de462f01b731732
Instruction ID: 7b44beb50823b39d2deb80302c4a2c972c699660e940f56fa878f4a6b066154e
Opcode Fuzzy Hash: 880ce4b1a027b150dbddddb119b5ee7879c8dff8ca9754ae3de462f01b731732
Instruction Fuzzy Hash: D4026134B10619CFEB14DF69C894B6E7BA2AF89711F158099E9499B392CF30DC82CF51

Function 08953017 Relevance: 5.6, Instructions: 5646
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9b9bb3222e094859fde1bc6fa7e7d665e1e9a0067a4f2abe8974cbac9b3b01
Instruction ID: 8f40f7d9126ba64de19a2bfa243692f94953a4809aca0f705b3ec4761bfcc9db
Opcode Fuzzy Hash: 6e9b9bb3222e094859fde1bc6fa7e7d665e1e9a0067a4f2abe8974cbac9b3b01
Instruction Fuzzy Hash: C5C31B70A15228CFDB54FF79E9886ACBBF2EB89600F0145E9E449A3354DB345E85CF42

Function 08953030 Relevance: 5.6, Instructions: 5633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a96c015997728ee6bf2a3b3fb984318349ae30bb739aee4eb57ff859a5af32
Instruction ID: 3b612b1bc3daf2e6b3a37b70fa64373834b93205bdbbab09a2ed027a5dadd646
Opcode Fuzzy Hash: b9a96c015997728ee6bf2a3b3fb984318349ae30bb739aee4eb57ff859a5af32
Instruction Fuzzy Hash: BEC31B70A15228CFDB54FF79E9886ACBBF2EB89600F0145E9E449A3354DB345E85CF42

Function 06C44018 Relevance: 5.2, Instructions: 5170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2391190168.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31831baa29566cb89e526bca572f7602a0a3cc211cef7f543b4151a5fd2e64f
Instruction ID: 3b4560fdb6158c25ff7d3ee9d3713332c7e5c669048c416ea37bc18d10668adb
Opcode Fuzzy Hash: b31831baa29566cb89e526bca572f7602a0a3cc211cef7f543b4151a5fd2e64f
Instruction Fuzzy Hash: A1B31A74A112288BCB54FF79E98826CBBF2FB88700F4589E9D489A3254EF345D85CF45

Function 0895D85C Relevance: 3.5, Strings: 2, Instructions: 957COMMON

Download Yara Rule

Strings

$]q, xrefs: 0895E0F2
$]q, xrefs: 0895E10A

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: ada8e009753aa5b4353bf891e43421b9587490fb5669bad85c4b466e9b769ed3
Instruction ID: cefdf2db6c725d076e0767a3e5765553b4585b81f8fe860ff2b11c9459879d1e
Opcode Fuzzy Hash: ada8e009753aa5b4353bf891e43421b9587490fb5669bad85c4b466e9b769ed3
Instruction Fuzzy Hash: 7672A170E142298BDB68BFB8D98476D7BB2EF88604F4149A9E44DB3340EF385D45CB52

Function 02D112A7 Relevance: 2.7, Strings: 2, Instructions: 238COMMON

Download Yara Rule

Strings

8aq, xrefs: 02D1134E
8aq, xrefs: 02D1135E

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: 8aq$8aq
API String ID: 0-1589283582
Opcode ID: 726cb16236477338a2d0c1c0e7f2232522a21da05e962178e61f1276152fbfa7
Instruction ID: 0070c78090508dac09c9e41d434d1e1e466324e2e0625e64cb3ea04813f83b1a
Opcode Fuzzy Hash: 726cb16236477338a2d0c1c0e7f2232522a21da05e962178e61f1276152fbfa7
Instruction Fuzzy Hash: CEB1BF74E01229CFDB14DFA9D944B9DBBB2BF89300F2085A9D549AB354DB30AE85CF40

Function 0698310C Relevance: 1.3, Instructions: 1264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2390700943.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6980000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4077a5b2a27af14f82ab62bb84d31a381cffe1a835218238c5aeadfd4bc6bd61
Instruction ID: b0088c89f5aae74fb83476de7f80f04f4b6a3baa6c54eb6d1adc89b42a78b1be
Opcode Fuzzy Hash: 4077a5b2a27af14f82ab62bb84d31a381cffe1a835218238c5aeadfd4bc6bd61
Instruction Fuzzy Hash: BAB24B70A1422A8FCB58FF78D9886ADBBB2EF88704F4145E9D449A3354DB386D85CF41

Function 082066A0 Relevance: .8, Instructions: 775COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391690287.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8200000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 431ebf215913787495baf581f2e86d9f37c5336a0e0b6590a5ca44a42ce25d31
Instruction ID: ba68fc8da09a2eacc8730571c831f15aa70fae1a9aebdd8fbe9aeaa60c48dba8
Opcode Fuzzy Hash: 431ebf215913787495baf581f2e86d9f37c5336a0e0b6590a5ca44a42ce25d31
Instruction Fuzzy Hash: 79420070A043158FCB05EBB9D88855DBFF2FF89204B45866EE049E7352DF389856CB52

Function 06C04040 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f405fadc8b867c494a50e6b19674c29cd6c510454afe754b0f27675dd235b3c
Instruction ID: 8621a0ecbb25b225f5f01a886a2daefbb8c70cc564f460d54b23c1d057f6a07c
Opcode Fuzzy Hash: 0f405fadc8b867c494a50e6b19674c29cd6c510454afe754b0f27675dd235b3c
Instruction Fuzzy Hash: 09527D74A003468FCB54EF28C844B99B7B2FF85314F2186A9D5596F3A1DB71AD82CF81

Function 06C0403B Relevance: .6, Instructions: 581COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a039666b54083ddd9a5b0bda8e360b385b8e8086b045d4ba0db524ac3dcc2f2e
Instruction ID: f1c19c8c0e494250f9185e104fa6cc1a1e78570e3496819e3a2f21872acd8d00
Opcode Fuzzy Hash: a039666b54083ddd9a5b0bda8e360b385b8e8086b045d4ba0db524ac3dcc2f2e
Instruction Fuzzy Hash: 56528D34A003468FCB54EF28C844B99B7B2FF85314F2186A9D5596F3A1DB71AD82CF81

Function 0820666D Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391690287.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8200000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f89ae238902231f3453272395fbcb7ee0ff5ea0c913e3acfeb9d1f5cb1c615
Instruction ID: 50da71cf31113b2bc23ee793e06e8de1335f950274d07958ef6cc133d69f5106
Opcode Fuzzy Hash: a3f89ae238902231f3453272395fbcb7ee0ff5ea0c913e3acfeb9d1f5cb1c615
Instruction Fuzzy Hash: 27228D71E103158FCB08EFB9D88855EBBF2FF89204B558A2DE049A7351EF389856CB51

Function 02D19F98 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fd03f144af0cbed3f1d0b48d0f2105304e39e4aa6d1f8e19af9ecd7836c500
Instruction ID: 7465bc8ca6229d8425e9d9248f0b844f3bbd7cef0bb0d3631345253510c66993
Opcode Fuzzy Hash: 51fd03f144af0cbed3f1d0b48d0f2105304e39e4aa6d1f8e19af9ecd7836c500
Instruction Fuzzy Hash: 1971E474E012199FDB04DFA9D994BEEBBF2BF88700F248529E414AB395D7349981CF90

Function 02D1A1D8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b06057417995f192c74abeb1df4d667631d7507ae14771e17aecafafe769c2
Instruction ID: cb1c9b1b3ab0859a6fbe578a55bba67de7bfad6dae7c886c9822487c9e767cc7
Opcode Fuzzy Hash: 21b06057417995f192c74abeb1df4d667631d7507ae14771e17aecafafe769c2
Instruction Fuzzy Hash: 87F02436E44344EBEF118BA4DC51BECBF30EB4B310F200095E618BF6A1D226A857C700

Function 0895D888 Relevance: 4.7, Strings: 3, Instructions: 952
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0895E0F2
$]q, xrefs: 0895E10A
$]q, xrefs: 0895E116

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: d73829918fcc4a29618a1cff123d217039f811923c104f335e5f9a1df89e72e9
Instruction ID: f0abe718d8498f25403517ce98dff9ef5a4aac12009413292217d197c726b56f
Opcode Fuzzy Hash: d73829918fcc4a29618a1cff123d217039f811923c104f335e5f9a1df89e72e9
Instruction Fuzzy Hash: F672A170E142298BDB68BFB8D98476D7BB2EF88604F4149A9E44DB3340EF385D45CB52

Function 02D1B898 Relevance: 4.0, Strings: 3, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 02D1B998
$]q, xrefs: 02D1B9A4
Haq, xrefs: 02D1BA44

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: Haq$$]q$$]q
API String ID: 0-1533201563
Opcode ID: 9ae5b79e1357d1837b1b257463a94b7ba029a5cd349a564b91aada5835d0afa5
Instruction ID: 513597f7aca054b2af4836cf334d6be8e9f9cc222552cddbb544f5fee8c3176f
Opcode Fuzzy Hash: 9ae5b79e1357d1837b1b257463a94b7ba029a5cd349a564b91aada5835d0afa5
Instruction Fuzzy Hash: 4481B130704215AFCB09AF79A49967E3EE7EF88648B14402AE946C7795DF34CC12DB91

Function 089505A0 Relevance: 4.0, Strings: 3, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 08950719
(aq, xrefs: 089507B7
(aq, xrefs: 08950745

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: (aq$(aq$(aq
API String ID: 0-2593664646
Opcode ID: 849d41f9e717a8984b3988bf928f9cf5c878b223000a22dc2d7fc3e38682d9cf
Instruction ID: 37d0b40c762f882693156467d64f2daacd803dc49052c18924fc061b3f9f4122
Opcode Fuzzy Hash: 849d41f9e717a8984b3988bf928f9cf5c878b223000a22dc2d7fc3e38682d9cf
Instruction Fuzzy Hash: A3A19070E007099FCB14EFA9C85469EBBF5FF89310F14856DE805AB391DB709985CBA1

Function 02D1BC18 Relevance: 4.0, Strings: 3, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 02D1BD42
Haq, xrefs: 02D1BD0F
4']q, xrefs: 02D1BE03

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: 4']q$Haq$Haq
API String ID: 0-1526952785
Opcode ID: 175b3dd961cbb35f8bc85d3bb6249e60727624eeb2fbf2956ad029af81efcf7d
Instruction ID: 3d4731a1ac5f148bacd796ba29035d67d8b657c6e418785a1cc55956d1525f48
Opcode Fuzzy Hash: 175b3dd961cbb35f8bc85d3bb6249e60727624eeb2fbf2956ad029af81efcf7d
Instruction Fuzzy Hash: 13818D75600215AFCB159F68E848BAE7BB2FF88318F154466F946DB3A0DB34DC41CBA1

Function 08950B80 Relevance: 2.9, Strings: 2, Instructions: 416COMMON

Download Yara Rule

Strings

Haq, xrefs: 08950CC1
Haq, xrefs: 08950C38

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: c75af0c5c448131dbcaa7b2c36c77451874b3b8b6d12ffc1df582627c7e4a962
Instruction ID: 09e268396a8fcd469f3f231dbeffab3e7ab1994221e3c8e141ef8d23c0e1ea40
Opcode Fuzzy Hash: c75af0c5c448131dbcaa7b2c36c77451874b3b8b6d12ffc1df582627c7e4a962
Instruction Fuzzy Hash: 23D1C170B142158BCB48BBB9D85426E7BB6FF89604F41496DD44AE3390EF388C16C7A6

Function 06C0C9A0 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06C0CC7C
PH]q, xrefs: 06C0CB0E

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: cfcd28b2d14bcfec6396073fe9c29754b409f230d6bd81383b98e9b6cecde46b
Instruction ID: 4d6eebc47235741a81e09426dc5b9ebc6310d8bfc5075b0bd07d208e5f46efa7
Opcode Fuzzy Hash: cfcd28b2d14bcfec6396073fe9c29754b409f230d6bd81383b98e9b6cecde46b
Instruction Fuzzy Hash: EAC12874A00215CFDB54DF68D994AAD7BF2FF88310B2546A8E416EB3A1DB31ED41CB50

Function 02D15821 Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

Haq, xrefs: 02D15A01
Haq, xrefs: 02D15A34

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: 337f05d511cfc24ac486fc961ad05216ae180577fdd7f28650a0ec0396260d16
Instruction ID: 3748dd1cf497e2cad19d8ee94ff9e5a19e1eacf9d5ba9376ed490d3eb6a61349
Opcode Fuzzy Hash: 337f05d511cfc24ac486fc961ad05216ae180577fdd7f28650a0ec0396260d16
Instruction Fuzzy Hash: BBA1AF74700219AFCB04AF68E898B6E7BA6BBC8701F548528F906DB781DF74DC51CB91

Function 06C03F08 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

Haq, xrefs: 06C056A0
(aq, xrefs: 06C05582

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: (aq$Haq
API String ID: 0-3785302501
Opcode ID: d922741446741eefaceda406931d368c426652987055f3787492413b6f555569
Instruction ID: 946bebab8b6460aacc2be84408cb80af76d0e55fdc74de21513c25f275fbd9e7
Opcode Fuzzy Hash: d922741446741eefaceda406931d368c426652987055f3787492413b6f555569
Instruction Fuzzy Hash: 8B513334A04251DFD759AF2CC0546BEBBA2EF85310F1885AED44ADB391CB34A982CB91

Function 08951DC7 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

Te]q, xrefs: 08951E89
TJbq, xrefs: 08951E9E

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: TJbq$Te]q
API String ID: 0-3147309840
Opcode ID: 7382bfde6ae6d5a348d8868d0ca3b91d039adf8c953f09a8a39e61fcb8dbd864
Instruction ID: a1dc681d465805444db4e27f6c901f33ba9cf5a0699e5466247c897053490e4c
Opcode Fuzzy Hash: 7382bfde6ae6d5a348d8868d0ca3b91d039adf8c953f09a8a39e61fcb8dbd864
Instruction Fuzzy Hash: 4031C7707182158FC709BBB8E894A2E7BF6EFC9614B01085DE449D7391DF389C0A8796

Function 08951DE0 Relevance: 2.6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

Te]q, xrefs: 08951E89
TJbq, xrefs: 08951E9E

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: TJbq$Te]q
API String ID: 0-3147309840
Opcode ID: ed9e412d3eff1eb249c996e688297cae42d0dd7d964f5d0ed982740c0f075555
Instruction ID: af9526035e3d0af02f207392bb652c6020b5714fcf88c92189d3b8cbbaa61d41
Opcode Fuzzy Hash: ed9e412d3eff1eb249c996e688297cae42d0dd7d964f5d0ed982740c0f075555
Instruction Fuzzy Hash: 3821E4707141158BC708BBBDE898A2E7BE6EFC8604B41486CE44AE7390DF349C068796

Function 0895AB60 Relevance: 2.3, Strings: 1, Instructions: 1019COMMON

Download Yara Rule

Strings

@, xrefs: 0895B25C

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: fe28e908e179c13b380b81caa3989de53e00e45ffcba46f75b824f88e1d2210a
Instruction ID: 750411495e2e7b841bc5b795ff85ff61baf78adb38cf413dc434012921845ba4
Opcode Fuzzy Hash: fe28e908e179c13b380b81caa3989de53e00e45ffcba46f75b824f88e1d2210a
Instruction Fuzzy Hash: 2A62F030A183158FC705BB79E84812D7FF2EF89614F4649ADE489E7291DF388C4AC792

Function 06989F28 Relevance: 1.7, APIs: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0698A17E

Memory Dump Source

Source File: 00000000.00000002.2390700943.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6980000_K59gVXTgGv.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bc9e80187b58614948f65c290d2a3fb4c4bb293903754183633bb179bb91be6e
Instruction ID: a17f15b39544dd83f1b211ef1a885a789a5c5210a37a386dde2a13398a9886b9
Opcode Fuzzy Hash: bc9e80187b58614948f65c290d2a3fb4c4bb293903754183633bb179bb91be6e
Instruction Fuzzy Hash: 3A712570A00B058FD7A4EF6AD44476ABBF5FF88604F10892EE48AD7A40DB75E845CB91

Function 06AD0838 Relevance: 1.7, APIs: 1, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2390919207.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef56a3d09e9bffc29d07ac49de54165f17e1bd0b6d34c86271db67beeb66eb9
Instruction ID: c06835a242a38427a6730961b79d630b1c75b1f705c90496f7849021d9ae5717
Opcode Fuzzy Hash: 6ef56a3d09e9bffc29d07ac49de54165f17e1bd0b6d34c86271db67beeb66eb9
Instruction Fuzzy Hash: 1D5113B1C00249AFDF16CF99C884ACEBFB6FF49300F14816AE919AB261D3719945CF91

Function 06AD0823 Relevance: 1.7, APIs: 1, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2390919207.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a334a574a8f83b0bae18cdb5f8f5cd3ba2f15d179bd7b406dec16e6d63bd85ee
Instruction ID: ef585001b6af058be1c536213496ac9fde636799a04ce7433d7649a25bd5f65d
Opcode Fuzzy Hash: a334a574a8f83b0bae18cdb5f8f5cd3ba2f15d179bd7b406dec16e6d63bd85ee
Instruction Fuzzy Hash: 2951F0B1C00249AFDF15CFA9C884ACEBFB6FF49300F15816AE919AB221D3719955CF91

Function 06AD0898 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AD09AA

Memory Dump Source

Source File: 00000000.00000002.2390919207.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_K59gVXTgGv.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4724813b61d83941f697a4e8110e368a6515e34597be35d7200b3490976d5717
Instruction ID: bd9cefce5e16ea16e12507ef108fa2aa41372ab6dcc54374e41dbc2dc46e3f9f
Opcode Fuzzy Hash: 4724813b61d83941f697a4e8110e368a6515e34597be35d7200b3490976d5717
Instruction Fuzzy Hash: 2541B2B5D10309DFDB14DF9AC884ADEBBB5FF88310F24812AE819AB210D7759945CF91

Function 0698C3F8 Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0698C3C6,?,?,?,?,?), ref: 0698C487

Memory Dump Source

Source File: 00000000.00000002.2390700943.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6980000_K59gVXTgGv.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 148dc1e69997b45001119fa383b6c4a15bc2de422d4b9b12d0b564fef3d57858
Instruction ID: efaf075c7b024e86d4efbef61a21613cf50b4942b22ac6fff1e004149f4a84cb
Opcode Fuzzy Hash: 148dc1e69997b45001119fa383b6c4a15bc2de422d4b9b12d0b564fef3d57858
Instruction Fuzzy Hash: 5841487A900249EFDB01DF99D844AEEBFF9FB88310F14801AE919A7320D3359954CFA1

Function 06AD2E50 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06AD2F11

Memory Dump Source

Source File: 00000000.00000002.2390919207.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_K59gVXTgGv.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 6528c8415a61a9554cf1f3faf59903445d83c5c342d2c44e882c1e98ea146cce
Instruction ID: a9e35e671cfcdfa5cfbbd2da3fea6d8469c7e149235e363df1591d6f1ba60012
Opcode Fuzzy Hash: 6528c8415a61a9554cf1f3faf59903445d83c5c342d2c44e882c1e98ea146cce
Instruction Fuzzy Hash: FB4158B89002059FCB54DF99C848B9ABBF5FF88310F24C499E51AAB321C774A945CFA0

Function 0698B690 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0698C3C6,?,?,?,?,?), ref: 0698C487

Memory Dump Source

Source File: 00000000.00000002.2390700943.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6980000_K59gVXTgGv.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0170f387f5183e56b5b71bb1bee192e47b20af9a792dca9c616a18b782c7ebbf
Instruction ID: 5ed750b5a07ba3accd7da785b1a82dd690dbcc58cf02d6d01f9a1b36ed534daf
Opcode Fuzzy Hash: 0170f387f5183e56b5b71bb1bee192e47b20af9a792dca9c616a18b782c7ebbf
Instruction Fuzzy Hash: 2C2107B5D00309DFDB10DFAAD484AEEBBF4EB48310F10841AE915A3310C375A944CFA5

Function 02D17C3F Relevance: 1.6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

(o]q, xrefs: 02D17C11

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: 10b3943510209d26d6a081c7b61db7158a0439c224bbf8664e4a9807c32bba51
Instruction ID: 43522177d2cf5af2d6459bc2cff3d2a0b8cba8f09399949c20ab5abf7a42f13c
Opcode Fuzzy Hash: 10b3943510209d26d6a081c7b61db7158a0439c224bbf8664e4a9807c32bba51
Instruction Fuzzy Hash: 1FC10875A00219DFDB14CFA8D984AADFBF2BF88314B258155E915AB7A1CB31EC41CB60

Function 06C4B91F Relevance: 1.6, APIs: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 06C4B990

Memory Dump Source

Source File: 00000000.00000002.2391190168.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_K59gVXTgGv.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 634667eb78ae3cdfb65c631a16258b3f0fa4a6e85a66eae48e762af2ab4bf323
Instruction ID: 953e9279d0e8d188c7e2beac6235d632c055d14af30c1e6ad9bd5c16208e6621
Opcode Fuzzy Hash: 634667eb78ae3cdfb65c631a16258b3f0fa4a6e85a66eae48e762af2ab4bf323
Instruction Fuzzy Hash: 382133B5C0065A9FCB14DF9AD445B9EFBF4BB48320F11812AD819A7240D339AA44CFA6

Function 06C4B920 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 06C4B990

Memory Dump Source

Source File: 00000000.00000002.2391190168.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_K59gVXTgGv.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: d7dbd803acc42a079a718f78f69d9643addb7df496734a9ea8d6fffffdb35183
Instruction ID: 90ba00c3a6d44e0fdea5af4d588ce8bb1b97b53d85e9b49127729ea311e81f57
Opcode Fuzzy Hash: d7dbd803acc42a079a718f78f69d9643addb7df496734a9ea8d6fffffdb35183
Instruction Fuzzy Hash: 1F1144B1C0065A9FCB14DF9AD444B9EFBF4FF48320F11812AD819A7240D339AA44CFA5

Function 0698A39A Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0698A1F9,00000800,00000000,00000000), ref: 0698A40A

Memory Dump Source

Source File: 00000000.00000002.2390700943.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6980000_K59gVXTgGv.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 98015259f44829f472282f90af37491ff9810111f9fb60c87fb4e1c5909dc2ac
Instruction ID: 14fdc5dedac534c6303709dd37517951ba695fe6e9556106624e69cdcce0cf5d
Opcode Fuzzy Hash: 98015259f44829f472282f90af37491ff9810111f9fb60c87fb4e1c5909dc2ac
Instruction Fuzzy Hash: 6F1129B6C003099FDB10DFAAD444ADEFBF8EB88310F11841AD519A7600C375A545CFA5

Function 069899B8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0698A1F9,00000800,00000000,00000000), ref: 0698A40A

Memory Dump Source

Source File: 00000000.00000002.2390700943.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6980000_K59gVXTgGv.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e084689f8f1013c0e69a8163b4ecc10837a8707c89a70e22fdc4e2dffbff76d1
Instruction ID: 633510317b3ee2b51c1287840d5d7c976387baacf1894e0cfaf62503a28fee26
Opcode Fuzzy Hash: e084689f8f1013c0e69a8163b4ecc10837a8707c89a70e22fdc4e2dffbff76d1
Instruction Fuzzy Hash: AE11E4B6D00349DFDB10DF9AD448A9EFBF8EB89310F11842EE919A7600C375A945CFA5

Function 0698A118 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0698A17E

Memory Dump Source

Source File: 00000000.00000002.2390700943.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6980000_K59gVXTgGv.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 91863b81c6355c8773fbe81a8e959b210e97e49577544f85fdaced8440510f2c
Instruction ID: 80b9c1107002366e4f9feca7bdb38c417fc8bc98808f7f73aa08cb838ec47147
Opcode Fuzzy Hash: 91863b81c6355c8773fbe81a8e959b210e97e49577544f85fdaced8440510f2c
Instruction Fuzzy Hash: 2411E0B5C003498FCB10DF9AD844ADEFBF8EB88724F15841AD829A7610C379A545CFA5

Function 0820CE28 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0820CE8D

Memory Dump Source

Source File: 00000000.00000002.2391690287.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8200000_K59gVXTgGv.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 57d4a83a039a234b33236042924ba6960536861c97b7e7b5658e847d269b03a1
Instruction ID: e81a8d84017f617e079bddf316503428fd507851af65aeac04532d1ed608bf77
Opcode Fuzzy Hash: 57d4a83a039a234b33236042924ba6960536861c97b7e7b5658e847d269b03a1
Instruction Fuzzy Hash: 561106B5800349DFCB10DF9AD449BDEBFF8EB49320F108459E519A7651C375A544CFA1

Function 0820CE30 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0820CE8D

Memory Dump Source

Source File: 00000000.00000002.2391690287.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8200000_K59gVXTgGv.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d7212af8a084a9356c91ff26898b7a6946eb5c1cda0c336842618f3eb68a7929
Instruction ID: 350cdd555c380a8200111fef506d3326513210e26cca3b82204455f263e6cc21
Opcode Fuzzy Hash: d7212af8a084a9356c91ff26898b7a6946eb5c1cda0c336842618f3eb68a7929
Instruction Fuzzy Hash: 191112B58003499FCB10DF9AD888BDEFBF8EB48320F10841AE919A3240C375A944CFA1

Function 0895BEF6 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

LR]q, xrefs: 0895C12F

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 26258df74be90325e81866708e7a33a2db3671606336828df16898e35bca0a6f
Instruction ID: 43baba21b61de1f9d7cede460ad683ebf61e2c257756da1a9b6af5d38e150fff
Opcode Fuzzy Hash: 26258df74be90325e81866708e7a33a2db3671606336828df16898e35bca0a6f
Instruction Fuzzy Hash: B4710630A0D3958FC706BB74989426D7FB1EF86618F0505EED585E72A3DA384C4AC793

Function 0895BF64 Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

LR]q, xrefs: 0895C12F

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: cdef38becc2b114eeb71dd47d48e9df43fa4f2e8ddf6622ea6d5a049ce10c1fb
Instruction ID: 8df15532afb8a24d23d24ca5fcc33278077f0caf94e9b883d19a64f97f72e579
Opcode Fuzzy Hash: cdef38becc2b114eeb71dd47d48e9df43fa4f2e8ddf6622ea6d5a049ce10c1fb
Instruction Fuzzy Hash: BF511470B083158FC705BBB9E89526D7FB1EF89608F41096DE085E7292DF38484AC792

Function 0895EF28 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

d8bq, xrefs: 0895F328

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: d8bq
API String ID: 0-3484500975
Opcode ID: 9c5d1e1c9db33a2406e2c90364316aa73564f4b090eba61c512297c4d8a38f20
Instruction ID: b44ddc6d184c8b28779a2db6e0396403fc2b5a50d47f348aa5029f6cbae79fcc
Opcode Fuzzy Hash: 9c5d1e1c9db33a2406e2c90364316aa73564f4b090eba61c512297c4d8a38f20
Instruction Fuzzy Hash: F5613235B00119DFCB14EF68D4589AE7BB6AF88726F144469ED02A7391CF71DD42CBA0

Function 0895BFA7 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

LR]q, xrefs: 0895C12F

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: f764050456ac6902304aa98a4ff31c2e4e0b1630d7a4fbad43dcf664a57e0ead
Instruction ID: 3fb8f7eb5311526004618f898c9307b89983b2b6777370e9191542598b3acc9c
Opcode Fuzzy Hash: f764050456ac6902304aa98a4ff31c2e4e0b1630d7a4fbad43dcf664a57e0ead
Instruction Fuzzy Hash: 2751F130B183158FC705BBB9E89562D7FB1EF89608F41486DE089E7291DE385C4AC792

Function 06C04AC8 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

Haq, xrefs: 06C04BE7

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: b51282ed6d1cbb102b7a6d3f67f115a280ae7d64e5e0e94734f83b6c55ee730e
Instruction ID: 3db0bff9d66d59829756d6f7204a2d5a05da3a27b6a5127f4138df1a18145c21
Opcode Fuzzy Hash: b51282ed6d1cbb102b7a6d3f67f115a280ae7d64e5e0e94734f83b6c55ee730e
Instruction Fuzzy Hash: 524123367006119FD70A6F79985067F7BE7ABC5611B14842AEA06CB3C4DE38CC82C3E2

Function 06C0F75B Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06C0F909

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 1c4bd6945d000484070ec0d4c8a72cff25a0bcfbf87a99ed786b313550b7f1c3
Instruction ID: 32248c80ed9a449a44ddb6db9437dadc3994c01d3f3ce824759ef04cd33ea1bf
Opcode Fuzzy Hash: 1c4bd6945d000484070ec0d4c8a72cff25a0bcfbf87a99ed786b313550b7f1c3
Instruction Fuzzy Hash: 1E515F31B005058FEB64DF29C994BA9B7B1FF49310F14866DE926DB2A1CB30ED85CB90

Function 0895BFD0 Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

LR]q, xrefs: 0895C12F

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: aa356cd7b461f12fa74786579fa2d61c773c194ed50edf0db549fb697e06230e
Instruction ID: a2a94a134035dc04bd739b07336ae0774968b742c60d71a5efd059d6d7b29bf3
Opcode Fuzzy Hash: aa356cd7b461f12fa74786579fa2d61c773c194ed50edf0db549fb697e06230e
Instruction Fuzzy Hash: D9419170B142158BD708BBB9E88562E7BF6EF88708F41492DE549E3290DF385C45C792

Function 06C0C991 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06C0CB0E

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 660b5091f0cb6f53ef824123076f64b7d96e33f363fc0ef79691b381dbc9421c
Instruction ID: 3cfdb5db982f46c11c7137920275451fe3687ab88d84acfc9657e21aa93b0c72
Opcode Fuzzy Hash: 660b5091f0cb6f53ef824123076f64b7d96e33f363fc0ef79691b381dbc9421c
Instruction Fuzzy Hash: 43510534A00215CFDB54DF68D998AA97BF1BF4C321B214AA8E416EB3A1DB30EC41CF50

Function 02D17A98 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

(o]q, xrefs: 02D17C11

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: 6cba12612e559654a263aa2b53ff65cd7d1705328e08c4072e57ce52a9ba5e7b
Instruction ID: 8568f4853bd0076c36697763310532668c9381ec30dba1a33098eb78e4a70687
Opcode Fuzzy Hash: 6cba12612e559654a263aa2b53ff65cd7d1705328e08c4072e57ce52a9ba5e7b
Instruction Fuzzy Hash: 29418F35B002049FD7149B69E854AAEBBF6FBCC611F144569E916D7791CF31EC02CBA0

Function 08952CC3 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

D, xrefs: 08952D1A

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 8bf1bba46e17eb5e103c998b252d6bd849e2d4c9accc0638a159472ad61356e8
Instruction ID: 9faaac3292804f480abd4091c8c54c00b6fee854788947af74762e405aeec16f
Opcode Fuzzy Hash: 8bf1bba46e17eb5e103c998b252d6bd849e2d4c9accc0638a159472ad61356e8
Instruction Fuzzy Hash: 3931445544E3C25FC70397B49C642857FB0AF03215B1A06EBC8D1CB6E7E668094AC7A7

Function 06C0F934 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

(aq, xrefs: 06C0F935

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 93bc5ffb2b201ab375f442698d0e45359df995e243c5c84306d792e9561aa9f5
Instruction ID: edbfa112fc58d6863a1aa532bd0fced7b27c95facc3805349f7ce5521ad029f2
Opcode Fuzzy Hash: 93bc5ffb2b201ab375f442698d0e45359df995e243c5c84306d792e9561aa9f5
Instruction Fuzzy Hash: D04175307006018FD7A5DF38D458B5A37A2BF85724F25856DE4AACB2E1DF74D986CB40

Function 08952E30 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

43^q, xrefs: 08952E0B

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: 43^q
API String ID: 0-2065357395
Opcode ID: 61f7afbd2013d55b5cf2a28afc5d80c5fdf0ffce14cb264b4457955787765eb8
Instruction ID: 0dcd084af11bf725ccd3076f7620a34498fab1d669fa4b564207f5e813850766
Opcode Fuzzy Hash: 61f7afbd2013d55b5cf2a28afc5d80c5fdf0ffce14cb264b4457955787765eb8
Instruction Fuzzy Hash: FC21F9717182158FD704BBB9F88462E7BB6EBC9714F91482DE449E3384CE389C16C762

Function 02D1C0C0 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

4']q, xrefs: 02D1C13A

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 69b491dec955efc36364316eb91cfecaa29349a5e6b2828648bb2ea037c800a9
Instruction ID: 125323686b565c19e0feaf369a22114b3737b8a09e7b43ce7613fad3da335e91
Opcode Fuzzy Hash: 69b491dec955efc36364316eb91cfecaa29349a5e6b2828648bb2ea037c800a9
Instruction Fuzzy Hash: C021E2347A8155ABCB14DE66FC406BB7BEAEBA9210F044827F892C7744DB30DC81C762

Function 02D116A9 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

8aq, xrefs: 02D11763

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: efb1908771c084eb72ff33db66a09325c0dac5a3d7c3accd272061308f9b5f7c
Instruction ID: 482aae5d237a4579000d2835872102320eff19a469efeda2ad493051125089dc
Opcode Fuzzy Hash: efb1908771c084eb72ff33db66a09325c0dac5a3d7c3accd272061308f9b5f7c
Instruction Fuzzy Hash: F431B2B4E012099FDB04DFAAD5406EEBBF2BF88304F248469E515B7350DB349A46CF51

Function 06C00E7F Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

V, xrefs: 06C00E8D

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: cf3a1129c6fd8c0ff218a9d0b02a7370585b41da0022916eb05fe4671e550d16
Instruction ID: a05575e98c9f4164c4d78269c85acdb0b4ada5bd1539b504973ac333e80a1387
Opcode Fuzzy Hash: cf3a1129c6fd8c0ff218a9d0b02a7370585b41da0022916eb05fe4671e550d16
Instruction Fuzzy Hash: 68310131D14B499ECB01EFB8C854499F771FF95300B118B9AE9596B122EB30E6D5CB80

Function 02D11798 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

8aq, xrefs: 02D11763

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: 3ff80e4c92db09e7f4eab1f0206211040d5fb160edb1e0eba5145fde3a3bc804
Instruction ID: c7ad38b1ab29a3ed769446885b13d39c89333f0453e0612287a3c4483ead2263
Opcode Fuzzy Hash: 3ff80e4c92db09e7f4eab1f0206211040d5fb160edb1e0eba5145fde3a3bc804
Instruction Fuzzy Hash: 5111C1B5D0525BEFCB00CFA8E4445ADFBB1EF05210F60419AE154AB392D334DA46DB42

Function 08952DE0 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

43^q, xrefs: 08952E0B

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: 43^q
API String ID: 0-2065357395
Opcode ID: 65f183eb21958a482fbef03c177626a14a5ae0c6679d0de238ba0067ffd9ad0b
Instruction ID: 39e1310e8946c286566dc75fdc649a3785b9a08fd977b09d03c22b278362405e
Opcode Fuzzy Hash: 65f183eb21958a482fbef03c177626a14a5ae0c6679d0de238ba0067ffd9ad0b
Instruction Fuzzy Hash: 0B016D74A112059FCB08EFA9F4556AD7BB2EB85215F2089AAEC06CB340DE745D069B90

Function 06C01BA8 Relevance: .8, Instructions: 787COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62eb72b50c0b4ab95a888694171c9bb7e3a6a22d75c40fd15990c659f6af6db
Instruction ID: dbfe61632a00a144fca6a8ddfc2cb2932f157c08fbb87acf351471e03aaa5ee9
Opcode Fuzzy Hash: b62eb72b50c0b4ab95a888694171c9bb7e3a6a22d75c40fd15990c659f6af6db
Instruction Fuzzy Hash: 3D62E3B0E10B954BEFF49F78C48C3AEB691AB56350F50491EC2BACA6C0DF389641DB45

Function 0895B7CF Relevance: .5, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c492eec4d1dc35a686e95f22d7cd92f8d17b7b88d96da3bdce2e775804918738
Instruction ID: 8e99d0e291c20ae2859e9b43f72f809f4f9fca559f7208dad9c691b337771432
Opcode Fuzzy Hash: c492eec4d1dc35a686e95f22d7cd92f8d17b7b88d96da3bdce2e775804918738
Instruction Fuzzy Hash: 3F12F170A183548FC705FBB8E99426D7FF1EF89604F4509AAE489E7392DB385C06CB52

Function 0895D225 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c66ae9973e8496a2c1ccc74f3f59f1e04cec49a92831eecddf619845543ed7
Instruction ID: 3f6ce4744a9f29342912a808372d2de00bc74e8d59c6a405cce622947b0702e0
Opcode Fuzzy Hash: e9c66ae9973e8496a2c1ccc74f3f59f1e04cec49a92831eecddf619845543ed7
Instruction Fuzzy Hash: 64F1D570A1C3518FD305BB78D9546197FF2EF8A604F4649AEE489E7292DA3C8C4AC353

Function 06C01BE8 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f2b9913bdc0c9125593502a62a0d73d53999a3bc68145f5d92dad818579437
Instruction ID: 85773a530bf636c1e436e571587fff174b4044839ee26ee9a53e595cba1b57f9
Opcode Fuzzy Hash: 01f2b9913bdc0c9125593502a62a0d73d53999a3bc68145f5d92dad818579437
Instruction Fuzzy Hash: 27124EF0D15BD24AEFF89F68848C39FB690AB15340F20491FC1FAC9695DB389286DB45

Function 0895B8A1 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d94faf084bf9e1b4931fb9efe38032858d76fc41eb5a1a301b6fb53e606491d
Instruction ID: 62574ed9f3f6773b83c57a43e63a203b1bb165055df7030400dbd793102e25eb
Opcode Fuzzy Hash: 0d94faf084bf9e1b4931fb9efe38032858d76fc41eb5a1a301b6fb53e606491d
Instruction Fuzzy Hash: 8FF1B170A142198FC744FFB9E98466D7BF2FF88614F414928E449E3394EB38AC46CB52

Function 0895CC40 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2be1e0caad2851493879d235de05d482eabf9915544187664f88e20c873255a
Instruction ID: 7516beaf82d3b6359c9d0912c6b740e31b021e4057751df13bc26042430145b9
Opcode Fuzzy Hash: f2be1e0caad2851493879d235de05d482eabf9915544187664f88e20c873255a
Instruction Fuzzy Hash: CDE17E71A142158BC704FBB9E98426DBBB2EB8C614F854938E449F3354DF3C9C86C766

Function 06C0A113 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d93b855cb6db3f3e5b8ef099fda3317bcc985e06cfdf735b650968f79176f0
Instruction ID: 2f6eadfc2f3f8ef04684ed42ad1d9489952e9b803af08109b342d3b45f240b47
Opcode Fuzzy Hash: d5d93b855cb6db3f3e5b8ef099fda3317bcc985e06cfdf735b650968f79176f0
Instruction Fuzzy Hash: 67021974A00205DFDB44DFA8D498AAD7BF2BF89314F1585A8E409DB3A2DB34ED85CB50

Function 0895F340 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e9408831e77a8118ae227876209ee7bc14d2a28419d0a62eaae97d2e13e706
Instruction ID: fa7a286126ff009c4fec6416c6e9f1f646633ada3c2a051152b555053cfc8b01
Opcode Fuzzy Hash: 69e9408831e77a8118ae227876209ee7bc14d2a28419d0a62eaae97d2e13e706
Instruction Fuzzy Hash: 46C1A13470021A9FCB05EF68D854AAE7BA7BF88715F148469ED069B3A1DF30DC52CB91

Function 0895C57C Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df5b339ad81180e393a9de3371b36f73f4bd6e293b6234a51ad88c99c4b95b32
Instruction ID: 51edf0a1050426e2ef03839a96ba149d85c7cbdad076322f842d28a7b594efac
Opcode Fuzzy Hash: df5b339ad81180e393a9de3371b36f73f4bd6e293b6234a51ad88c99c4b95b32
Instruction Fuzzy Hash: 89B1AF70A14224CFCB04FBB9E95816D7BB2EF89608F414969E449F7390DF389C06C7A6

Function 0895B2D2 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f04dd2aa6217961ea977ff059d2774e7b35bc30f6ddb0bdb28c7451725c1349
Instruction ID: d58904b29d6fcacc0d57b34e42e72d54250ddadd6c0e8d529d4f510ae75ba0f5
Opcode Fuzzy Hash: 0f04dd2aa6217961ea977ff059d2774e7b35bc30f6ddb0bdb28c7451725c1349
Instruction Fuzzy Hash: 7C91AE35A14725CBCB44BBB9E48912D7FF2EF88610F454978E845E3354DF389846CB91

Function 0895B2E0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f7883a0872abb7f04983b6e8dc6a994318cf334fc9cf498376704fed91d3df
Instruction ID: 2343a2dc0f2ad50aaba976e00d98e28bf1edc864aefc0e33ea1e481e068ddd74
Opcode Fuzzy Hash: c0f7883a0872abb7f04983b6e8dc6a994318cf334fc9cf498376704fed91d3df
Instruction Fuzzy Hash: CB91BE35A24725CBCB44BBB9E48912D7FF2EF88610F450978E845E3354DF389846CB91

Function 02D15B28 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0072bf403bb3c983860362e18a236d3766d3e8903486d56ad323a16295f03d
Instruction ID: 6dc1958dec251a136d6988dec7b13387dacd334fec581de71709b0db54fc8fd6
Opcode Fuzzy Hash: da0072bf403bb3c983860362e18a236d3766d3e8903486d56ad323a16295f03d
Instruction Fuzzy Hash: AB61CF743002129FCB149F78E498B3A7BE2ABC8254F544569E846CB791DF38DC42CB91

Function 06C0C364 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9e65275eca1a50014855217872101ca95ae09f5a1bd85346e5a66e3c05e618
Instruction ID: c449a1f6493cb38fccba2de3b08e10a997f5fe87e46b07d9badfc0e74918e028
Opcode Fuzzy Hash: ed9e65275eca1a50014855217872101ca95ae09f5a1bd85346e5a66e3c05e618
Instruction Fuzzy Hash: 45711774640605CFDB54DB28C898E697BF1BF89314F2589A9E54ACB3B2DB30EC45CB60

Function 02D1BF79 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89e92af9efeb8195d00098b540f121a6b0b854dfe98925ab9a7c3f3bbf83119
Instruction ID: 3aaf15211136d1675e1dd0c3d12d7d91e666b6cfa2fde17cb4ac154180d3f413
Opcode Fuzzy Hash: f89e92af9efeb8195d00098b540f121a6b0b854dfe98925ab9a7c3f3bbf83119
Instruction Fuzzy Hash: BD51CE317A4111AFC714DF3DE888A2A7BE5BF4821471944BBE44ACB7A1EB31DC41CB52

Function 06C08EC0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84da2b0a69c5d39792d2ca3f00076832ed8bffabecc88870b7bcf0d26b39f2b
Instruction ID: c137dace86a646e401d1d23b1e8fe5df92d4c879418603ef6bdb9d15da6a596f
Opcode Fuzzy Hash: c84da2b0a69c5d39792d2ca3f00076832ed8bffabecc88870b7bcf0d26b39f2b
Instruction Fuzzy Hash: DC410570A093408FDBA5EB78C41422E7BB7AF8A614F1485ADD06ECB7D1CB35D942CB41

Function 06C0931F Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b75c181648f1c6798117645e6b96db33d2986e7e210128984b1c31d1bce331f
Instruction ID: 87d2e1649bf35d7100df83f082ffc421eead5bb0f202ad4bb0f20e2b2308e990
Opcode Fuzzy Hash: 3b75c181648f1c6798117645e6b96db33d2986e7e210128984b1c31d1bce331f
Instruction Fuzzy Hash: E241B2707006019FE7A8EB64C894B6EB3A6FF85704F1045ADE1168B3E1CB75AD06CB90

Function 06C03E64 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62443914f84d1dd9a64c1fa58cd2e2cfb0c2607e1459459dd6263f4905bbe385
Instruction ID: 1d88b9f76e911069ff32fd43a317c2f9a80f6ffb9cc7b7a29de43d0bb98a81b1
Opcode Fuzzy Hash: 62443914f84d1dd9a64c1fa58cd2e2cfb0c2607e1459459dd6263f4905bbe385
Instruction Fuzzy Hash: 3A41A0B490031ACFDB54DFA9D8806AFBBF5FF49310F14852AD915E7281D7349904CBA1

Function 06C0933C Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc51b05d820cf411344d5ae6af048c9725386a5c4cfa16cc8c13d57bf92cdba
Instruction ID: f38ca82d87b10aef3027e1559dcc148c058338874b2045e739f11fcc79bf119a
Opcode Fuzzy Hash: 9fc51b05d820cf411344d5ae6af048c9725386a5c4cfa16cc8c13d57bf92cdba
Instruction Fuzzy Hash: 9D4183707006019FEBA4EB65C884B6AB3A6FF85714F10856DE1168B3E1CB76ED46CB50

Function 06C09F50 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 632303855eb9a062efad3022544c527c94f01f549076e393c880c3cc9c054e8d
Instruction ID: 49016ab102ce075758b0f730fa83c2f75ef74f987a34d62e5a64c16056cef502
Opcode Fuzzy Hash: 632303855eb9a062efad3022544c527c94f01f549076e393c880c3cc9c054e8d
Instruction Fuzzy Hash: 2741BF707007158FD7A8EF38C85052E77F2AF89214B20466DD45A8B3E2DE35ED06CBA1

Function 0895C2F4 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9cbfa089038d30732398b76600947d2b82b4fd5a38e29621aff036fde09d2e
Instruction ID: 1eba210af71d45fc427ee726bc49da1c697138da945ac8089000874f23ebaa9a
Opcode Fuzzy Hash: eb9cbfa089038d30732398b76600947d2b82b4fd5a38e29621aff036fde09d2e
Instruction Fuzzy Hash: FD413574D003099FDB14EF99D884BAEBBF5BF48319F14802DE81AAB250C774A945CB95

Function 06C0B451 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e923df0027421fb5b5f20e36e0fec912f9905bf1e13656146cb4d8918e4e14f
Instruction ID: 0be3b4865cfe6399aca25d9eaacd4113266b5bd7b89edaeb6336ef9d8bb4b33c
Opcode Fuzzy Hash: 1e923df0027421fb5b5f20e36e0fec912f9905bf1e13656146cb4d8918e4e14f
Instruction Fuzzy Hash: CB4191707006019FEBA4DB64C884B7EB3B6BF85714F14466DE1168B3E1CB75AD46CB60

Function 02D11928 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b065324870689d25d83af14130b8cd29c467743451853127a8f23fa95613fc8
Instruction ID: fd98d7eb9dac1b03c4d9fc447dc22803e7ca1170e2176c360239b364c7ef1640
Opcode Fuzzy Hash: 9b065324870689d25d83af14130b8cd29c467743451853127a8f23fa95613fc8
Instruction Fuzzy Hash: EA51E174D04219DFDB14DFA9E4483EDBBF1AF88305F14842AD119A6394EB789A86CF50

Function 08950590 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afeb970c680d241800abb0fbbd8199ece8e8b20f877917e02a46aaf1de2a616c
Instruction ID: 04b04fc5d247a4da6699b895facd4411dc8ccb788ff1a57affd4a0c4f0621dff
Opcode Fuzzy Hash: afeb970c680d241800abb0fbbd8199ece8e8b20f877917e02a46aaf1de2a616c
Instruction Fuzzy Hash: 22416031900B099FCB14EFA9C84469EF7B5FF88314F15C66DE8097B264EB70A985CB90

Function 0895C2F8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c164dcbcc94ef7dd8ea6df542e6b75a0f85228e3727e9739af0f3262d4c134a1
Instruction ID: 2fe3766e09329a6a41f53f24076d2739adea2e0700186b6e14a74ba229b61692
Opcode Fuzzy Hash: c164dcbcc94ef7dd8ea6df542e6b75a0f85228e3727e9739af0f3262d4c134a1
Instruction Fuzzy Hash: 49414474D003099FDB14EF99C884BAEBBF5BF48319F14802DE81AAB290C774A841CF95

Function 06C03020 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f86782fc4d51275ece2849dde24708da9c08f58cd3914da3c4432395dc38f55
Instruction ID: b5c562191816c5769e28a2111fd2f187b2d03ae0264071a304a2c4966964906f
Opcode Fuzzy Hash: 4f86782fc4d51275ece2849dde24708da9c08f58cd3914da3c4432395dc38f55
Instruction Fuzzy Hash: A431F631B052928FEB94DB29C8447BE37BAAF84614F18407AE509DB2D1DB38C941C7A1

Function 06C0DBB8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc6bb13159a83de0b7c6f41c2d43ea901bd81510616f050bb26152057a03c1d
Instruction ID: 1edb4381f39e7d80cf09eb8bfc3e4d9158564d56c6ec15cf0f88b56c7d7380e5
Opcode Fuzzy Hash: ecc6bb13159a83de0b7c6f41c2d43ea901bd81510616f050bb26152057a03c1d
Instruction Fuzzy Hash: 4D319C70700A118FDB98AB38D85863E7BE2AF89214B14866DE05AC73E1DF74E942CB45

Function 06C0DBC8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6272152f138c09ce89f347154954d049bc6d90be8acce61645b2ee2b864001
Instruction ID: 64e54b5035c3f7f0a749348c1fbaa50c93a83c9fce218f8e9cde43073cefe7f3
Opcode Fuzzy Hash: 7c6272152f138c09ce89f347154954d049bc6d90be8acce61645b2ee2b864001
Instruction Fuzzy Hash: 20319C70700A118FDB98AB38D85863E7BE6AF89614B14866DE05AC73D1DF74ED02CB85

Function 06C0B164 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8929ec7f40e1939599610d84c859cdd361a6eb6c6ba58e27a4d0853adb86567c
Instruction ID: 59884e2f490451342177c4e8b3b224943cdb3b16496a7fb295297c719830e86d
Opcode Fuzzy Hash: 8929ec7f40e1939599610d84c859cdd361a6eb6c6ba58e27a4d0853adb86567c
Instruction Fuzzy Hash: FA310A347106118FEB94DB29C884B6A73E6FF89714F1586A9E45ACB3A1DF30ED41CB90

Function 0895C1AE Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387fa0ba66917f77f6006fc350f7d5f5b9a9a7dddd1f4b2d1f9f884ce96d6ae7
Instruction ID: ce7545f446dcc81d2dc8076190350d3b7b87b1c6d20fa77c80b82e81edc60bf3
Opcode Fuzzy Hash: 387fa0ba66917f77f6006fc350f7d5f5b9a9a7dddd1f4b2d1f9f884ce96d6ae7
Instruction Fuzzy Hash: 9D310930A0D3954FD301BBB99C5819DBFB1EF86618F0546AED4D5E72A2D6384C06C763

Function 06C0C6E0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7afbde2d4ae6889302e69758aa3e934e62316bee439fd56d953d9426f746285
Instruction ID: afa9c6fc9619c144e2937ad53314ba8cbf87bba1a77dd3241231b3b3a8bd1ca9
Opcode Fuzzy Hash: f7afbde2d4ae6889302e69758aa3e934e62316bee439fd56d953d9426f746285
Instruction Fuzzy Hash: DD314A34B046008FEB95DB28C844B6977F6AF89704F1686AEE456CB3B2DB30ED41CB50

Function 02D14A68 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2749ba22c48a55e4ea2853064526793a328328bb172d14ad9d4f11a40978212
Instruction ID: 804f807fad93a108d1872c226398d4cd8b1c636aafa7f44afb424cc7d8cac826
Opcode Fuzzy Hash: b2749ba22c48a55e4ea2853064526793a328328bb172d14ad9d4f11a40978212
Instruction Fuzzy Hash: 2D318435744209AFDB05AF99E594A6F3FA2FB88314F048018F90687755CF35DC61DB90

Function 06C0E570 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a1460b993d2f5c5b9869dec92cb05033c1940eba2cfa564416c6736c638daf
Instruction ID: d25f9ee6feabd10e1c3abedcc29b8ce61d4889656abe1c6ca01f534330342e33
Opcode Fuzzy Hash: 14a1460b993d2f5c5b9869dec92cb05033c1940eba2cfa564416c6736c638daf
Instruction Fuzzy Hash: 7F411474640605CFDB44DF28C988E997BB1BF89314F2589A9E54ACB372DB30EC45CB60

Function 02D1C1A8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62764579cb4c4855a5f9b1847d11bd9567ed88cd59f279a28c94850edc99b066
Instruction ID: ea877106ebad151760a505a868fe802eb81797c413de0618d2c3f428c68bd851
Opcode Fuzzy Hash: 62764579cb4c4855a5f9b1847d11bd9567ed88cd59f279a28c94850edc99b066
Instruction Fuzzy Hash: BF21D1303642026BEB2967B9A49477E3A979FD5A04F14C03BD402CBB95EF68CC42D383

Function 06C0F1E0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3796202ec60f9b6dfd623a4f645cb9dc3b63d5ee59b12e009883e876dcad2854
Instruction ID: f69e4835293297384b12c2764fd925ade51a8667a37da6827263878e30468ce9
Opcode Fuzzy Hash: 3796202ec60f9b6dfd623a4f645cb9dc3b63d5ee59b12e009883e876dcad2854
Instruction Fuzzy Hash: 8F3160306106008FD7A4DF28C448B6637A6FF84725F65C56DE86A8B2E1DF74E9C6CB40

Function 06C0CFD8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc83d866e9beec05f3a4eb86616cb6835d3b8fc18b4f525b366fa5a19488cd25
Instruction ID: 7933a28a215abe0a307e470101df42a5644a1b92ab274857a9e542edc757b6df
Opcode Fuzzy Hash: dc83d866e9beec05f3a4eb86616cb6835d3b8fc18b4f525b366fa5a19488cd25
Instruction Fuzzy Hash: 0521BE34B081458FABD667BA982463E26D79FC46A9718402DD90BCB3D0EF25DE03C392

Function 06C09F3F Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 147b8a09c60bd5609720880063d5099783072544922e25478c9d5b89c908b421
Instruction ID: 35b6fd785750f8879d6e795b691906db9f05958a494dc16be5f71a4148c92f20
Opcode Fuzzy Hash: 147b8a09c60bd5609720880063d5099783072544922e25478c9d5b89c908b421
Instruction Fuzzy Hash: 862191707007008FD764EF39D890A5AB7F2AF89614B20567DD46A9B3E2DB31EC06CB61

Function 06C0CC95 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ae9de5cbac76667a8624442023245b0bc18583ca698002f44052bac8153e9ea
Instruction ID: a11a0f2eca03ac3d207ced92cbb4f4744ede167710707bd03b3133d2f8c185ac
Opcode Fuzzy Hash: 3ae9de5cbac76667a8624442023245b0bc18583ca698002f44052bac8153e9ea
Instruction Fuzzy Hash: A1310D74A002058FDB94EF69C454A9D7BF2EF88325F244169E806AB3A1CB35ED81CF50

Function 02D15D78 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd124c6ef404041bf31a94952720e383e2b7a2e662e70e37128bc5508546aaae
Instruction ID: a606f3bba689d2b7c89abb44aaa5ddb2a08e34a14b96aedb9655c20513bcb9d7
Opcode Fuzzy Hash: cd124c6ef404041bf31a94952720e383e2b7a2e662e70e37128bc5508546aaae
Instruction Fuzzy Hash: DE21F639740611DBCB259B69F498A2A77A2FFC87557184279E906CB794CF34DC02CBC0

Function 06C0FF20 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387d29ece398e5b4e283e3182afd1bba2397f0fe1bb042d62c43039287271591
Instruction ID: 12b6f27afdd86919eb728540e7bfa99f354d3ef20709423a0d08351a9915a3b0
Opcode Fuzzy Hash: 387d29ece398e5b4e283e3182afd1bba2397f0fe1bb042d62c43039287271591
Instruction Fuzzy Hash: 8C010470E102198FDF54EBB4C9646AEBBF6AF8D214F104828D912B7390EF385D45CBA0

Function 06C0CFC9 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb2b80ef6871c6f2e400122573b46e4567668077af2408d65c54accafc4ae0f
Instruction ID: 35b544d68be8a2360007dfb9eedcc8f5b2b320871680ad826f4870a0227f22dd
Opcode Fuzzy Hash: 0fb2b80ef6871c6f2e400122573b46e4567668077af2408d65c54accafc4ae0f
Instruction Fuzzy Hash: AB110634B081418FBB86677A982463E7A979FC5655718006DD90BCB3D1DF25DD03C392

Function 06C04AB8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8c170e194c8d185f365a6d4155f93af69bdcb159e293f00279379c0580bbd9
Instruction ID: 408ce88bd69e954468c720d0e6907fe7eb7b58162427e99841dc139ab06ae9b6
Opcode Fuzzy Hash: da8c170e194c8d185f365a6d4155f93af69bdcb159e293f00279379c0580bbd9
Instruction Fuzzy Hash: 8221323AA00911DBE7466F98D88077FB7E6EB84301F50851AEA06C72D0DF38CC92C3A1

Function 0138D5B8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386227971.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_138d000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f849ecfd147d3aaa69d386ded5c679a95dcdb7b8c1dc45af2e4574b61c5dee7c
Instruction ID: 4df13d0a812b51d47dcc9061ac2452dc1a194e467e81b8f9869fa446cd253f75
Opcode Fuzzy Hash: f849ecfd147d3aaa69d386ded5c679a95dcdb7b8c1dc45af2e4574b61c5dee7c
Instruction Fuzzy Hash: AC2128B1504308DFDF05EF98D9C0B16BF65FB8432CF24856DD9090B286C336D456C6A1

Function 06C0C304 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c566f2a599139724095c57621efae966e674a4f66a4deeb1c2f8a6db7cbf36
Instruction ID: 5f67bbe69264fe8a8187197d00e54eabe392fdc2e208d286a1651f1992e8cc7c
Opcode Fuzzy Hash: a6c566f2a599139724095c57621efae966e674a4f66a4deeb1c2f8a6db7cbf36
Instruction Fuzzy Hash: 85314F306106018FD754DB28C488BA677E2FF85715F15857AE59ECB3A1CF74AC86CB40

Function 06C00E90 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b4ec727330d7c6c96783dc009849c01b2093952c39fec4fd77b7046572483f
Instruction ID: 996422bdc5349f9aa28ccdfd5a6de5aa1f3cbd47f06c48cf1149bbfc6504be25
Opcode Fuzzy Hash: 96b4ec727330d7c6c96783dc009849c01b2093952c39fec4fd77b7046572483f
Instruction Fuzzy Hash: E031FE32D10B099ECB01AFA8C854899F771FF95340B118B5AE9596B221FB30E695CB80

Function 06C01910 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78f8a0da787e7c2ee2ba9bc183b29e9f71559367d14ee62b4caa6ed2ff7530c
Instruction ID: 9d51a84a6e9d074f895989f9e3cea02653ebb535e10bbed4dae6fbd347fe3b0a
Opcode Fuzzy Hash: a78f8a0da787e7c2ee2ba9bc183b29e9f71559367d14ee62b4caa6ed2ff7530c
Instruction Fuzzy Hash: B121D471A00254AFEB41CFA8C880AEEBBF5FF49310B18406AF918C7651C731DA11CBA0

Function 0895A966 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 308c2e66bc92e0235219c54b6fce21d2ebb71ded6fb813298807e8a03fbfab0b
Instruction ID: d6d9dee64ab88537aa1d8962034962904447c1aeab85a9f62781df8da6872bcb
Opcode Fuzzy Hash: 308c2e66bc92e0235219c54b6fce21d2ebb71ded6fb813298807e8a03fbfab0b
Instruction Fuzzy Hash: 0C21157441E3C19FE7136B3498282943F70AF43215B1A05EBE4D1CB0E3EB39994AC72A

Function 06C04D18 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaec4d4a1ca50e785135c7ca1190a881f6caeef8ed4e9f422413e173acd53e62
Instruction ID: f21098aa3553c707e24fa8d1455a1a9b1556e7b765efd707799ae57c762849b7
Opcode Fuzzy Hash: aaec4d4a1ca50e785135c7ca1190a881f6caeef8ed4e9f422413e173acd53e62
Instruction Fuzzy Hash: 9821BE74A0021A8BDF51DF69DC805BFBBF5EF45300B04852AE818EB285E734DA11C7A2

Function 02C4D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386285334.0000000002C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c4d000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6255609bf2947252cda67451e2110b71a277e7aaaa86af11aebec0e742ccd2
Instruction ID: a0274dfc729b26210226fe1a052a5f56f3e7a0b46ccb218b752649367e7d8cb4
Opcode Fuzzy Hash: 1d6255609bf2947252cda67451e2110b71a277e7aaaa86af11aebec0e742ccd2
Instruction Fuzzy Hash: D82107B1604200EFDB15EF14D9C0B26BBA5FB84314F24C6ADED0B4B352CB36D846CA61

Function 02C4D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386285334.0000000002C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c4d000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3034f0e736a65a63ea200afedf00fc6d4c11e4cbc117ebb16e5b1c5c506167
Instruction ID: 82e7178bf247c82d7b920d1318349448b00f3988bffd22f23957ee3d8cca6b9b
Opcode Fuzzy Hash: 3e3034f0e736a65a63ea200afedf00fc6d4c11e4cbc117ebb16e5b1c5c506167
Instruction Fuzzy Hash: 3521F2B1604240DFDB14EF14D9C4B27BBA5EB84314F24C5ADE80B4B246CB3AE407CAA1

Function 06C0C880 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a7ed131ac9cfaef40f30332f2d20bffcb3c3d96aed0f3b4f7d59266efa2b70
Instruction ID: 220e4fc0147c2b86024dd1a89a9993bbc38dd801c1148a7ab8dcd280dcdca68c
Opcode Fuzzy Hash: 20a7ed131ac9cfaef40f30332f2d20bffcb3c3d96aed0f3b4f7d59266efa2b70
Instruction Fuzzy Hash: 343139346106018FD754DB28C858BA577E2FF85315F1585AAE58ECB3A1CF74AC86CB40

Function 06C00CE0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42dde2f849d515e97bdf4b00f705c7ce04936e62d60018e9a652e8a51a21f95d
Instruction ID: 648ae68938e23d8a90bd7616e86e1976e2fc9e830364aed4226bee9509df42be
Opcode Fuzzy Hash: 42dde2f849d515e97bdf4b00f705c7ce04936e62d60018e9a652e8a51a21f95d
Instruction Fuzzy Hash: 0A11D6383046214FEB45BB68C81176F7697EBC9704F04442AE152D7BDACE759C0287A1

Function 02D111B8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6bd135c876b7ff2deb322dd5741af0baeb7dfdcd44af20ac1c2b1773d5907cc
Instruction ID: eb909f8c0c80e20e507501d8aabf24d52b55c6c1322aea003438eabb20cc99bf
Opcode Fuzzy Hash: c6bd135c876b7ff2deb322dd5741af0baeb7dfdcd44af20ac1c2b1773d5907cc
Instruction Fuzzy Hash: 94213874E012199BDB08DFAAD4083EEBBF2AB89304F04942AD515B3390DB388A45CF64

Function 08950800 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e61f907db4a06b39e70cc06cf1c2dd9b36815e45ec639aba21fde05f8535ec4
Instruction ID: 4b773e0ce29e161d17726b8492c35c8f07a1ae24b77cc21daad18be9bdfb0da7
Opcode Fuzzy Hash: 1e61f907db4a06b39e70cc06cf1c2dd9b36815e45ec639aba21fde05f8535ec4
Instruction Fuzzy Hash: 2D31E0B0D002189FDB20DF9AC588BCEBBF5BB48314F24841AE905BB240C3B66845CFA5

Function 0895F909 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fefcf3c1c2a97501207c172b721d1626c70cb8ede59126aa5f7a7d5bf42eb1d
Instruction ID: 554c76b9b8e2ecf4b29ef5bbcd340bacd2bbdc0e2104c22ad6b57085b41b0723
Opcode Fuzzy Hash: 2fefcf3c1c2a97501207c172b721d1626c70cb8ede59126aa5f7a7d5bf42eb1d
Instruction Fuzzy Hash: 7E219D717000098FCB44EF79C864ABE7BFABBC8611B248468E906E7391DE34DD01CB60

Function 02D14A58 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943336373c762a2f4dde81a98543988a74b49269a5b47b6907a16ea06e4557eb
Instruction ID: 3134a2c3dc25d9ebe6458fc81ec910c1c4b40b46435ebd65aac6ba8f22f7fae9
Opcode Fuzzy Hash: 943336373c762a2f4dde81a98543988a74b49269a5b47b6907a16ea06e4557eb
Instruction Fuzzy Hash: 3521D575348209AFD705AF69F468B6B3BA1FB84718F048029F9068B791CB34DC61DB90

Function 06C0935C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c746c783c69bfa13e34e83dfd8bbfc3855c86e67e97683a5422bf635ef22804
Instruction ID: 74d5c2be4a757fc137340ab840b66442016cdd00b6c7b124c55388158c588c7a
Opcode Fuzzy Hash: 6c746c783c69bfa13e34e83dfd8bbfc3855c86e67e97683a5422bf635ef22804
Instruction Fuzzy Hash: 5811D031704604CFD764EF79C88882AB7B5EF8631171056AEE00ACB3B0DA31EE85CB61

Function 06C00CF0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e55a7a3f858f0382621ecf872a16218f21abe521ccf9aa070a48f0353aa210b
Instruction ID: ed6b8c4b159b39b5e9196bef763e5da714a74d636049f42c62767f9a0a0321b1
Opcode Fuzzy Hash: 4e55a7a3f858f0382621ecf872a16218f21abe521ccf9aa070a48f0353aa210b
Instruction Fuzzy Hash: 9F11B2383002214FEB44BB69D81176F76DBEBC8B04F04442AE112D7BDACEB5AC4253A1

Function 02D11AC0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f3defaf9e5b11e56bccc222b944d6f20a6d38f57b332657ce14b9cc228a0aca
Instruction ID: a04c6dd6d91eee007a12d956578b32c02b1262b2d1d0589b63128716e6f45397
Opcode Fuzzy Hash: 6f3defaf9e5b11e56bccc222b944d6f20a6d38f57b332657ce14b9cc228a0aca
Instruction Fuzzy Hash: E5211874E002099FDB14CFAAD848BADBBF2EF8A314F149029E505B73A0DB749945CF64

Function 0895EF1A Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551f5ace488c94f2ec2a6c2a0f9eb3d669ac2a71664e15e58a4064cb91016f09
Instruction ID: a0d8d2be3ca4d48fe662d4cc9661fef809c135be149241ef3e668e87bc77a00d
Opcode Fuzzy Hash: 551f5ace488c94f2ec2a6c2a0f9eb3d669ac2a71664e15e58a4064cb91016f09
Instruction Fuzzy Hash: EB213A75A00208EFCF05EFA4E944ADD7BB2EF48321F144429ED02B7260DB319D55CB60

Function 06C05759 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f0cb2146a3601343a2d34a801885b4bbd3b45e85968e39071cc2ddf10b7a4a
Instruction ID: e71544e7cb01ce73b6128bdeb44b477bbe8d1f046c245d75f5724be3cef1f681
Opcode Fuzzy Hash: 31f0cb2146a3601343a2d34a801885b4bbd3b45e85968e39071cc2ddf10b7a4a
Instruction Fuzzy Hash: F0112B347103009FEB659729C990B6B73A2EBC5320F64CA6EE4459B2D0CB74D942CB90

Function 02C4D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386285334.0000000002C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c4d000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47eb463cc27b28bc833d62d70b58659eccbe9c2a5834f0a73dd5521d4e7212e
Instruction ID: 80b4a266498a24e999797d875013094b1160d3f51d361d89605587dcec35f723
Opcode Fuzzy Hash: d47eb463cc27b28bc833d62d70b58659eccbe9c2a5834f0a73dd5521d4e7212e
Instruction Fuzzy Hash: F42195755093C08FCB02DF24D594715BF71EB46214F28C5DAD8498F6A7C33A940BCB62

Function 06C03E34 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef850a979f946e43d7bd524fc6e33346a4d1d5a57a4684857ed0e57e57bb9a5
Instruction ID: da7b5de6b3119f41ff1ead07d81efa0d93134d9ee2cd81bcf5b1703f1445840e
Opcode Fuzzy Hash: 1ef850a979f946e43d7bd524fc6e33346a4d1d5a57a4684857ed0e57e57bb9a5
Instruction Fuzzy Hash: B4113DB02006069FD399AB3DC840627B3E2FBC5614B348D6D91268B7A0DF75F956DBE0

Function 02D17A8A Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 203bd4ae10ac133663bedb0b85647f586edebe8ddcc3f857859078b78fe45d0c
Instruction ID: cd0fa2556751bf9d7b01e99f379923f8b14f48fb4388282f4eed24d5429fc8fe
Opcode Fuzzy Hash: 203bd4ae10ac133663bedb0b85647f586edebe8ddcc3f857859078b78fe45d0c
Instruction Fuzzy Hash: 7911513AB10204ABDB14CF64E989BDDBBB5FF8C311F144565E916A7790CB71AC10CBA0

Function 06C07EC1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f497c28e2bf277120c6ab82cbff28ced1a082d422cd6e5022ce96717a543a7
Instruction ID: de6ea2ab570c56f7457f3323624eff0305830e53b243057d7e794949cd29dad2
Opcode Fuzzy Hash: f6f497c28e2bf277120c6ab82cbff28ced1a082d422cd6e5022ce96717a543a7
Instruction Fuzzy Hash: 3B1163B16007069FD39AAB3CC80061673E2FFC1604B348C6DD1268B7A0DB75F956DBA0

Function 02D15E68 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2525ddd2e89a6319dbf9fc47a4e245c42e76440c60aeb899dcf793d9842c1539
Instruction ID: 6277fc4d9f3c68270ad7fb01309efd1b61bef6a57e241b634a35af85bc50f051
Opcode Fuzzy Hash: 2525ddd2e89a6319dbf9fc47a4e245c42e76440c60aeb899dcf793d9842c1539
Instruction Fuzzy Hash: 93117C703007069FC340AF6AE494A2AB7D6FF89A5475440BDE60ACB7A1DF75DC06C790

Function 06C05768 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1fc7ddf834223f6bd525f18e69ceb878a7235faeb5b6d51e5d3710c3ba58d64
Instruction ID: 78cf13382dd66cfd4f0489b372a0910e995caff5e52341eb7a4fb3c49c036b1c
Opcode Fuzzy Hash: a1fc7ddf834223f6bd525f18e69ceb878a7235faeb5b6d51e5d3710c3ba58d64
Instruction Fuzzy Hash: 2311C6347103009FEBA4E629C950B6A73E6EBC4710FA4C92EE8099B2C4CB75D802CB90

Function 08950B6F Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a817f81026481a276112aa176c8c5f28b9e9d819fb8a60416aee50836a9c45
Instruction ID: 2f339188a147fcfff2d5d617553f7ff2a05576ebbe445d92e3b4253fc936b18f
Opcode Fuzzy Hash: 83a817f81026481a276112aa176c8c5f28b9e9d819fb8a60416aee50836a9c45
Instruction Fuzzy Hash: AE01D472F00A265BD795FB2A9C90A7FB7EFEFC8654B15452DD465C7340EE30880283A0

Function 06C08EB1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379aac3427502d42c6961872be6649926500e8ce5b1f8db97e2d336752c729ff
Instruction ID: 54e189894fc0d3ea190a218102bc4ceb98248842e5028c54a6d49e2e33467ed8
Opcode Fuzzy Hash: 379aac3427502d42c6961872be6649926500e8ce5b1f8db97e2d336752c729ff
Instruction Fuzzy Hash: CF112330E073008BEFB9AB35880016E7BBBDF82A25B00C9AED06A976D0C735D241CF01

Function 02D19298 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9caa33fd495ff093473bcef9d5359ae2a02bb33bef880831631f85b520433fb
Instruction ID: 26e4f069244660a134d03dd081415d8098c8b202780eb515e2c9109659d55b66
Opcode Fuzzy Hash: b9caa33fd495ff093473bcef9d5359ae2a02bb33bef880831631f85b520433fb
Instruction Fuzzy Hash: 48110A317007019FC724DF69E8A4A6AB7F6EF85314318896DE44AC7BA1CB61EC46CB90

Function 02D19332 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14bebfd5a13a903986379881ae9987793eec30ad39bcce54982024e89246ed50
Instruction ID: cf4f430267032f735b115e85643064fed0d43c4c5fae942cc48837bd436fc5d8
Opcode Fuzzy Hash: 14bebfd5a13a903986379881ae9987793eec30ad39bcce54982024e89246ed50
Instruction Fuzzy Hash: DB111975E002199BDF04DFA9D8547EEBBF1FB48700F10852AEA14B7390D774A905CBA4

Function 0138D5B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386227971.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_138d000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: d845bf3722262458edb374a462325ccb212dcecb6f17884c2993bc7e4ed60d54
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: 8711DF72404344CFCB02DF54D5C4B16BF71FB84328F2486A9D8090B256C336D45ACBA1

Function 02D111A8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ec63189544868b278b1e1a4e2f10a177f6ca1f1b237cc1bfb549185fa6e3bc
Instruction ID: c2165463d5327e2250320c39c751a8d34fc35df06b2bd7a2fe8f565792d18d3c
Opcode Fuzzy Hash: 18ec63189544868b278b1e1a4e2f10a177f6ca1f1b237cc1bfb549185fa6e3bc
Instruction Fuzzy Hash: E8018075E012089BDB08DFEAD4093EEBBF6AB89304F14D429D544B3344DB348A45CF64

Function 02C4D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386285334.0000000002C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c4d000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: cab9e8c5fbb8018124cf397beff7d8e7c98f24dba2a402797890949544586091
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: 2D11BB75904280DFCB12DF10D5C4B16BBA1FB84214F24C6A9DC4A4B696C33AD84ACB61

Function 02D19340 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46f2fd2c867110e3f302b798900e2f63a8d08be9b0a3355113caa101e179d19
Instruction ID: a71042713cb6ad6f428d453211cc7da71fc0853964f863d50156c8107e36c68f
Opcode Fuzzy Hash: e46f2fd2c867110e3f302b798900e2f63a8d08be9b0a3355113caa101e179d19
Instruction Fuzzy Hash: 5F11F575E002199BCF04DFA9D854BEEBBF5FB88710F10842AE614B7390D774A905CBA4

Function 02D1BB88 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aadf618db52508b4786ab1385288a4961b00f6873d1c7aa3a6eace23991c9f5
Instruction ID: 4a2bf7cd75131391e7a265e07e7973b5b4a63d54f89bfa0f554afc58946fe80a
Opcode Fuzzy Hash: 2aadf618db52508b4786ab1385288a4961b00f6873d1c7aa3a6eace23991c9f5
Instruction Fuzzy Hash: 3A01D872B041156FDB16DE98A844BAF3FE7DBC8650F18802AF946D7744CA75CC12DBA0

Function 06C0C229 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e1d3d0be098a201d206d607549da948859cea8f80d92de0f387f088730e30e
Instruction ID: 9ad1883e7bf780f797c62956b5d3ecc0443ad61bd9e170aaffbe54916b386067
Opcode Fuzzy Hash: c2e1d3d0be098a201d206d607549da948859cea8f80d92de0f387f088730e30e
Instruction Fuzzy Hash: 0901F131304200CFD724DF79E8548AABBB9AF8621170502AEF045CB3B2CA31DE84C760

Function 06C087C0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c128d111e31aa683fda8db6baadc8369ee2ab245b36192c2516267f88a0ae060
Instruction ID: 90f3edc4e25de682ba9e38c19687accf42d9763f4282cc6c11e384c47415431d
Opcode Fuzzy Hash: c128d111e31aa683fda8db6baadc8369ee2ab245b36192c2516267f88a0ae060
Instruction Fuzzy Hash: 8111B6316107424FC7259F2ED81422B7FF2EF85324B208B5DE0AA876E1DB74A8068B90

Function 06C01920 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609e9428272ec05bcbcdb1a8ac039b9788a86b36a89b04f7fd8662609aafb0c4
Instruction ID: 0faf44d951593d9dc4549e1ecedeb040216fa39cd894d6d074a4be14843ff57a
Opcode Fuzzy Hash: 609e9428272ec05bcbcdb1a8ac039b9788a86b36a89b04f7fd8662609aafb0c4
Instruction Fuzzy Hash: 2E116171A002099FDF55DFA9C884AAEBBF5FF48710F144429E929D7750D730DA10CBA1

Function 02D11918 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50869bd1ceba9b416230a43e07bb1f9b34f562328b4ab32219a2f158a3e811a
Instruction ID: 12faa19b1f18d8682a96c2482f11354b519d903f69201a2d1b28eddbc7b01486
Opcode Fuzzy Hash: b50869bd1ceba9b416230a43e07bb1f9b34f562328b4ab32219a2f158a3e811a
Instruction Fuzzy Hash: EF115BB1C00619DBEF04DFAAD8483EEBBF1FF88304F048529D514A7290E7B84649CB91

Function 06C055C8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c6f02d3ae367478b1964bdc70deb4f8d19dbf9a3415b05c4ec5bf90ec5cf69
Instruction ID: 4c686db1e4f170753be83e247a366205fa2e262fec7d02c7d46d04c1dc15790e
Opcode Fuzzy Hash: 55c6f02d3ae367478b1964bdc70deb4f8d19dbf9a3415b05c4ec5bf90ec5cf69
Instruction Fuzzy Hash: 5301D472D06A22AFE7B45F09C200225FBA8BF44B14B88422FD41893B80C771F691CFE1

Function 0138D821 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386227971.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_138d000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09ae7a0f0eea6e2b23a1e7c979a7a009fedde1ce1c8f278a7efdae8fa0ecd41
Instruction ID: 2cfcbe963f379e57d08bc5361feba393f706528e40951736f885e803169a0293
Opcode Fuzzy Hash: c09ae7a0f0eea6e2b23a1e7c979a7a009fedde1ce1c8f278a7efdae8fa0ecd41
Instruction Fuzzy Hash: 9C01DB71415344AAE7106B9ADDC4767BFACEF41368F18C41AED4D0A6C6C3759844C6B1

Function 02D1BED0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69325ce704d1ec5837f77f63801ab4125de053fa35776a385d47817aa32e1ac9
Instruction ID: 3837574fff2ab8e5d8cadc48d17eceacf6e64f018c3a69aff5c6d2f44148340e
Opcode Fuzzy Hash: 69325ce704d1ec5837f77f63801ab4125de053fa35776a385d47817aa32e1ac9
Instruction Fuzzy Hash: 18F096313006115B87159A2EB858A2EBBDDEFC8A69755407BFD05CB7A1DF21DC06CB90

Function 06C001D4 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7770b5ea7f2e7d85acb61a659fe8b1ac7ac7ab54cd0f07aee59f69a55898be03
Instruction ID: aea172aad5e8f545a46a597cb021c66d633637ed11366fa725b4151768d687ff
Opcode Fuzzy Hash: 7770b5ea7f2e7d85acb61a659fe8b1ac7ac7ab54cd0f07aee59f69a55898be03
Instruction Fuzzy Hash: 4FF0F6303051A28FEB98DA3EC848A3E3BDEAFC4A55705006DE40AC73E0DE29DD41C7A0

Function 06C087D0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a138e93818b8f9d36301b85ade2c21473f61a4647ab0b53b43210ddf6f7f992
Instruction ID: e990ee39928bf1580eccaa15c2dacf6c4e90f72be4a1a85513f8ed44908a0985
Opcode Fuzzy Hash: 2a138e93818b8f9d36301b85ade2c21473f61a4647ab0b53b43210ddf6f7f992
Instruction Fuzzy Hash: 4D015E71610B118FC724EB2AD44465BBBF2EB88325F208B1CF59A87695DB74A8468B90

Function 0895F7F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c234c0e7d9e7fe48f6e714399cc193af8e20819b30b72b872ae3e4aebbd6afdf
Instruction ID: 9e75e53d9236e1c3b4108ef08bf22518284c6b1564f1603de1199dce074b3f15
Opcode Fuzzy Hash: c234c0e7d9e7fe48f6e714399cc193af8e20819b30b72b872ae3e4aebbd6afdf
Instruction Fuzzy Hash: 51F0A43A300209ABCF125E44EC44B9E3B76EF89721F008026FA05961A2CB719825D7A5

Function 06C02FB3 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c690ad5265dac5536f898e23f413ab282949f6e237a96e9df10c8c2331df97
Instruction ID: 9b91a8bdd3b11a62f40a81d0979202e3fb34d4ef8d5b5a223d1648c06bdb18db
Opcode Fuzzy Hash: 44c690ad5265dac5536f898e23f413ab282949f6e237a96e9df10c8c2331df97
Instruction Fuzzy Hash: FEF021303091A14FEB559B39C85493D3BAE5F45915309009EE406CB7E1DF29CD41C7A0

Function 06C0CF50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94d90f75b769820e50289bdde9f0a7ab68dc8b621d56db3d5738a04b115eb67
Instruction ID: 079d82debb315c4fc3dcd3ffadd85db4d9e8ceff0f091f39c1e5c18f316f3c79
Opcode Fuzzy Hash: d94d90f75b769820e50289bdde9f0a7ab68dc8b621d56db3d5738a04b115eb67
Instruction Fuzzy Hash: D6F0F0313102408FD696EA3D9880BAA3B9AAFC5620F05016EE145CB3A1DF308D46DBE2

Function 08952D6E Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 092b6ffb7a7237ec687662379b73a234788b7abe8c0dbadb925c7f251bf70986
Instruction ID: d0ed68c937e127bea9eac333e5f36b989b28f0f6eae5f9dc86cc0d45095f8581
Opcode Fuzzy Hash: 092b6ffb7a7237ec687662379b73a234788b7abe8c0dbadb925c7f251bf70986
Instruction Fuzzy Hash: 01018FA490E3C68FC703EB70D9652487FB09F17204F1505DBD885CF1A3EA781909DB96

Function 06C0C324 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089cbfe297152423390851a44d4e3d7e1dedede45e9c2b2de6dcb5f881edb41d
Instruction ID: f25afaf3289e5d421455411df4c95e562ca11d7d819d8d745642278c44f72d6d
Opcode Fuzzy Hash: 089cbfe297152423390851a44d4e3d7e1dedede45e9c2b2de6dcb5f881edb41d
Instruction Fuzzy Hash: FCF06D317101058FD695E62E8840B6A76DAEFC4620F54456EE546C7390DF30DC05D792

Function 0138D820 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386227971.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_138d000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6344632d4570ea2926eaf9273e93ea677d9d064c60f3b4c53971baacf3ee3a6
Instruction ID: ca043d3476b49186a83408254f29590ace1d599d2e7263a50ee24881132d50b6
Opcode Fuzzy Hash: e6344632d4570ea2926eaf9273e93ea677d9d064c60f3b4c53971baacf3ee3a6
Instruction Fuzzy Hash: 39F0CD71404344AEE7109B0ACD84B62FFA8EB41328F18C45AED4D0A286C3799844CAB0

Function 06C0CB79 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e60da9e75dcc6e1bc9cbf0f83ea902114900f8700a5800e8b8c5c3530b4d8d
Instruction ID: f17958bf4d332082279d5d9f06171d22e6097221b78a40a08f77d1c87bb5a931
Opcode Fuzzy Hash: c8e60da9e75dcc6e1bc9cbf0f83ea902114900f8700a5800e8b8c5c3530b4d8d
Instruction Fuzzy Hash: 0A01B279A00104CFDB54DF68C484998BBF1FF48325F2542A9E915AB3A0C732EE82CF90

Function 02D1B359 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98bb2f72ea29c3378bd8932d3ec9ecf3006e31a5a482d03e19dda90429d0fad1
Instruction ID: bff63656e8912a7543000926651da91d5067365213c6dfd26ae375eb09ea6de3
Opcode Fuzzy Hash: 98bb2f72ea29c3378bd8932d3ec9ecf3006e31a5a482d03e19dda90429d0fad1
Instruction Fuzzy Hash: 30F05C32A002447BDB191A347454AFEBF52DFD0214F05452AFC85C6601DF358C22DB90

Function 06C08638 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe2618485185a4f970d5bd398cc2fdf6e6b921cc5c93085a511e8feeef731e6
Instruction ID: 979258b46e025d3b4326e4133a09cd3fab9fcff3f53a1599a811873875ee29b7
Opcode Fuzzy Hash: ebe2618485185a4f970d5bd398cc2fdf6e6b921cc5c93085a511e8feeef731e6
Instruction Fuzzy Hash: 3BE0923A3002004FC3545B5DA0182B9BFABEBC5331F14016FE08AD3291CF784C424761

Function 06C04CE0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6f48e264e0fe64942d6559e038f93e7cfab483bb96644c204b7481cff20959
Instruction ID: b44a206a4cdf5407b84b52f8ba4584af8faa372cd1db81ba8c5eb32d60f65a15
Opcode Fuzzy Hash: 6a6f48e264e0fe64942d6559e038f93e7cfab483bb96644c204b7481cff20959
Instruction Fuzzy Hash: 08E0923B1052546FC7024795EC05EC1BFA99B09260B09C096E1498B263C2518810EBA1

Function 06C01B98 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c754335568e0d5b1ec86670e8e9b389cb5049ad9a11c5a6df00a3d54168eb57
Instruction ID: 7387571ff47b2e96576f02a66a531ce80e2b89cf2a4a7126e781e45f1a57f53a
Opcode Fuzzy Hash: 0c754335568e0d5b1ec86670e8e9b389cb5049ad9a11c5a6df00a3d54168eb57
Instruction Fuzzy Hash: AAE068394201286FE302629DE840AC1FBAAE70E320F0A01C2E04443992D358DC8147A2

Function 06C01B50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74fc1664f9333db5d4110e2e10a7cbcd55158b092e32ab2216c6d61c687d601f
Instruction ID: 7214dbe4b867e9696fcbafe130c4b27c27f92076c0755e3177e7aa00fe7d8fa9
Opcode Fuzzy Hash: 74fc1664f9333db5d4110e2e10a7cbcd55158b092e32ab2216c6d61c687d601f
Instruction Fuzzy Hash: D5E09B37650524CBC700DB88FC40576B3E9E754B653188357E90CCAA10E33BE812C3C0

Function 02D11660 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d84dffd2540893647ec423d53d48b0b29acf190d934975e88b0689bcc97c31f8
Instruction ID: ae8ea495279f835bfa3d81a9144f470d6e7d0f01aae49a6e4770395c2d0cd888
Opcode Fuzzy Hash: d84dffd2540893647ec423d53d48b0b29acf190d934975e88b0689bcc97c31f8
Instruction Fuzzy Hash: A2E01AB8D45209EBCB40EFA8E54939EBBF4EB48315F5489A6D948E3300EB348A55DB41

Function 02D19207 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0abe3a8d606c8f0f295f8ea7fd4435e7bd395aee19bc48f4fe38b34e321b0e7
Instruction ID: e2a6927fc7d987cf4776e29af1a2bceb38ed94ab05de1305d1211ee213197eae
Opcode Fuzzy Hash: b0abe3a8d606c8f0f295f8ea7fd4435e7bd395aee19bc48f4fe38b34e321b0e7
Instruction Fuzzy Hash: A8E0861234C1D90BCB4616BE18781AD6F634F8319735484B7D159CF39BCD158C568361

Function 06C03F24 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6860269c1e469ba46e094456117b3f684a8269f38e4efe95d84c1eece6704fbe
Instruction ID: 6372c7af8eeaaba90ad871280a131a022777187ab2f71db800a07696178a716b
Opcode Fuzzy Hash: 6860269c1e469ba46e094456117b3f684a8269f38e4efe95d84c1eece6704fbe
Instruction Fuzzy Hash: 05E02635220010CFCB00E71CC588BE433A8EB4A300F5989B3F54ADB314C275A8828B80

Function 06C03E54 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b92e94fd5840e87ff1e4a0ee9fd265002dc7bcdb42ad4b1207939a282431469a
Instruction ID: 72f1837fc23f15614ef1216442359e0e380855f3548a50d7dd0c2f8a71c6a77c
Opcode Fuzzy Hash: b92e94fd5840e87ff1e4a0ee9fd265002dc7bcdb42ad4b1207939a282431469a
Instruction Fuzzy Hash: FBE0C237245214EF8B466B8A9C44CD6BFD9EB09370708C856F60E47272C6129C10EBD4

Function 02D11670 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae621a8b62687a794c94e596429691e01c4005f773f1698b64d90560ef028d11
Instruction ID: f054571ed1c0c7881a2ebe53056c3c68bfbbee7a0d8ffa03f01c90d7caaa00d4
Opcode Fuzzy Hash: ae621a8b62687a794c94e596429691e01c4005f773f1698b64d90560ef028d11
Instruction Fuzzy Hash: 0CE04F78D05208EFCB00EFB8A54829DBBF4AB48301F1489A6D90893300E7308A54DB41

Function 06C09A87 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8d29c6768dc26a8b03b193ef0b3fecb10f5e3a2805b1d15bfd39b19d7dfeaa
Instruction ID: 6d2960fe43671707d93a5f355ea0a53c6e1c98dab8dbc65697d4906ba967139c
Opcode Fuzzy Hash: 0f8d29c6768dc26a8b03b193ef0b3fecb10f5e3a2805b1d15bfd39b19d7dfeaa
Instruction Fuzzy Hash: FAE08C30201200DFCB018B24DC00A773BB0AE5222431A8BAAF416CF1F3D22ACC42CAA0

Function 06C08648 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550600ec2d1ef74e3c6cba40257bbba763f453e39cf08eb2eb5a6f96289b2cf6
Instruction ID: 33a27ca46aa7b5e0d4c8f7eccb98cbc6c1db977ae22508646cfbb539e4e93f37
Opcode Fuzzy Hash: 550600ec2d1ef74e3c6cba40257bbba763f453e39cf08eb2eb5a6f96289b2cf6
Instruction Fuzzy Hash: AAD05E323001144B8608365EA41C66EFEDFEBC9632B14402BFA0AD3341CEB94C0247E5

Function 06C075D0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f5fd08634c083d11c7f7ded3a8f7328796efaf1a670ada5881086f58ab9ee2
Instruction ID: 75310e733c730a11cc575b6258c23b6a213b0ce90f49df8e06179c23d6ccc01c
Opcode Fuzzy Hash: 36f5fd08634c083d11c7f7ded3a8f7328796efaf1a670ada5881086f58ab9ee2
Instruction Fuzzy Hash: 75D05E333581249FD3449BB8F848E9277ECDF48665B0940A6E20CCB661DAA2E8008790

Function 06C0AC07 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1b82d894430c4e8d7f7a2e2ec58f3c19809060eab22a73f4dc5684969eefcb
Instruction ID: 7eb8aff5ffc6233238939be094cb80ff42acbb692bc0378e0b2ac4ec212e4337
Opcode Fuzzy Hash: 0b1b82d894430c4e8d7f7a2e2ec58f3c19809060eab22a73f4dc5684969eefcb
Instruction Fuzzy Hash: FCD0A7213092A01F8646233C38540B92FE6CFCB06135904F7F1CAD7346CC484D0743A1

Function 06C02D30 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808eaf56c5438fb7a5bd72d7ee3a49c2e277fb3654d2a0e5a3d94ea4ec5da1db
Instruction ID: 584639f15c61843e066a2a0a918a97435e4f215b989b1e1aaccd896cc5ca7f85
Opcode Fuzzy Hash: 808eaf56c5438fb7a5bd72d7ee3a49c2e277fb3654d2a0e5a3d94ea4ec5da1db
Instruction Fuzzy Hash: 5FE0C22171D6E15BDA8B33282C7412D2A424F83424B09169BE076EA2D2CD5C4916D38B

Function 08952DA8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391875024.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02809a5f16b1f5c2a5ea086cc5f68818c3064cb68b15a1004760479413cdec2a
Instruction ID: edbacc4ffcf7696370499ca3c9fead8e8644bba0daacc7d040831fe9a32d9676
Opcode Fuzzy Hash: 02809a5f16b1f5c2a5ea086cc5f68818c3064cb68b15a1004760479413cdec2a
Instruction Fuzzy Hash: 44D01270904109EBCF40EFA8E94159DBBB5EB45304B1045E9EC09D7300DA716E059FD0

Function 06C02D40 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e54f8997d0ab03d8aa3ae5602ea4e58c348cf3bddc8f71632b5ff4e1e1f3bd5
Instruction ID: 1efd99663b41023720f10747565baf941d8abee38f5689bf249d1523523da4c7
Opcode Fuzzy Hash: 7e54f8997d0ab03d8aa3ae5602ea4e58c348cf3bddc8f71632b5ff4e1e1f3bd5
Instruction Fuzzy Hash: 64D0C922708924935DDA3258682967D314A8F86915B06046AE51A9A7C0CE688E12D3CA

Function 02D17B45 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312b26e9ac98141efc4cdd49898d192f2ed3e5f7d9bfb64ea12955fec5915c3d
Instruction ID: 680503a17b20a9f303af03dd24f5d25e654d6d5e74511c32f5198a661249d268
Opcode Fuzzy Hash: 312b26e9ac98141efc4cdd49898d192f2ed3e5f7d9bfb64ea12955fec5915c3d
Instruction Fuzzy Hash: 95D0673AB400189FCB049F9CEC508DDBB76FB98321B448526F915A3261CA31A921DB90

Function 02D19442 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c49accfd4864280cfb3c25b192bd8ab2a89ad5f69b14f0a955473cea3ab0340
Instruction ID: d1b8462b9225f5708a604289d9c98a00c1713d02462adac8fcae9217f873f552
Opcode Fuzzy Hash: 4c49accfd4864280cfb3c25b192bd8ab2a89ad5f69b14f0a955473cea3ab0340
Instruction Fuzzy Hash: 55D0C93801520A86C745F76AE889A553B2AEBD06057B48B20B9064621ADF78A9AA8694

Function 02D19448 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6640210bffbb204713045c0f6d6fbe4e1daf2326f4877610d9bf1705428395c
Instruction ID: 4ecb245ec4b5871461048fc7ceb6163724089b0cc4b08ae7bc1dba435f76abfc
Opcode Fuzzy Hash: f6640210bffbb204713045c0f6d6fbe4e1daf2326f4877610d9bf1705428395c
Instruction Fuzzy Hash: 49C0123800420A86C745F76AF8859153B2BABC06047708A20B40606219DF7868A687D0

Function 06C09A98 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98b0e25eee49aaa65357bdc8fa9de33772f42f5bfc5abfe49e95819a0ff59f2
Instruction ID: 4a51a15528ef2336a7d0ddbdb8d596d0c81f4ea65fd5f8a9456adbf3c55f99e3
Opcode Fuzzy Hash: e98b0e25eee49aaa65357bdc8fa9de33772f42f5bfc5abfe49e95819a0ff59f2
Instruction Fuzzy Hash: 6ED01230500204CFC700DB68D9449117BA5EF45705324C5A9F4088F233D732EC42CA90

Function 02D191EA Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63db7cc987668b6fa9f75e8261b4a3f3d7e631e97124c0d8a328db1a81c3541
Instruction ID: effe376d7d537c1e92ebd7ac5160ba3d24172c0b7cc56675a29bf153d4649f31
Opcode Fuzzy Hash: e63db7cc987668b6fa9f75e8261b4a3f3d7e631e97124c0d8a328db1a81c3541
Instruction Fuzzy Hash: 93C09223B0002807C60576ADF80916D6387EAC59FB32602BAD609EBB85CD6AEC0B57D1

Non-executed Functions

Function 02D1426F Relevance: 4.0, Strings: 3, Instructions: 264COMMON

Download Yara Rule

Strings

Xaq, xrefs: 02D142AF
$]q, xrefs: 02D14296
`, xrefs: 02D14601

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: Xaq$`$$]q
API String ID: 0-2495635447
Opcode ID: 0bc4088a650b7f66f1301f3117ab9a21a40127ba66f1adf6cf7989c3aef13b77
Instruction ID: 004e11251eeedbc8f1d6b6e9d488c5e00211eb4ae5ad2b54dba594b4241e1af5
Opcode Fuzzy Hash: 0bc4088a650b7f66f1301f3117ab9a21a40127ba66f1adf6cf7989c3aef13b77
Instruction Fuzzy Hash: 1B917F75F002189BDB08AF79A46467E7BB3BFC8714B04892DD446E7384CE34DC428B91

Function 08208C00 Relevance: 3.3, Instructions: 3301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391690287.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8200000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d92b0d18d82692f1b2423ee97ef96a80674dca83ae08b8c6e565845cf67c22
Instruction ID: 2be0705f8536af3dc40d73fed0c9a2d2aff352b23deeb16a514a51543ae5a266
Opcode Fuzzy Hash: 37d92b0d18d82692f1b2423ee97ef96a80674dca83ae08b8c6e565845cf67c22
Instruction Fuzzy Hash: 4F537DB0A142288BC754FB78E88869DBBB2EF89304F4185EDD149A3291DF385DC5CF56

Function 0820E0F8 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0820E3BB
PH]q, xrefs: 0820E2E3

Memory Dump Source

Source File: 00000000.00000002.2391690287.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8200000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: bcea4078cbd401aaf960277dd58846e2c9eb713bffdda3ca72190348bddebb32
Instruction ID: 040b70f6ee6ab7814f2aaba6dfaae950e826427ade3ed0f8d5d4f19f10410065
Opcode Fuzzy Hash: bcea4078cbd401aaf960277dd58846e2c9eb713bffdda3ca72190348bddebb32
Instruction Fuzzy Hash: 38D1DA74A10605CFDB08DF69C598AA9B7F1BF4C301F2684A9E405EB3A2DB31AD41CF60

Function 02D18218 Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

Xaq, xrefs: 02D1822F

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: Xaq
API String ID: 0-686314484
Opcode ID: 128884516488722d2c3559a8449ac2e69dae8426371613da3a29e5b1f2ed3ebe
Instruction ID: 074613703c80dcd88b6ce9c16e76cae060eaf911dffba0b9eff80992647ce1db
Opcode Fuzzy Hash: 128884516488722d2c3559a8449ac2e69dae8426371613da3a29e5b1f2ed3ebe
Instruction Fuzzy Hash: 63B1A270B04255DBEB689F79A45433ABAE3ABC4B05F184D69D8C2D6B84CF34CC81EB51

Function 06C0DF28 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391056664.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b01f35cfab73dcf22cdeb479639b16d8122e81d9e76347c4c43f3ed897a753
Instruction ID: f077462319993351919741a86bea66375369569ffd443d26c560ba7429b6e835
Opcode Fuzzy Hash: d1b01f35cfab73dcf22cdeb479639b16d8122e81d9e76347c4c43f3ed897a753
Instruction Fuzzy Hash: 2AA181B0B002559FDB58BBB8882477F7AA7AFC8750F148569D00ADB3D4DE389E438791

Function 0698EA80 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2390700943.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6980000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fddc0cb503b692f6c236095ba95d28d4c3e0f05fe3addcbc27e522680d3b9396
Instruction ID: 6542e61aa5d689d3d9b24ee93b517c26867b2a949deff221460452f689a7bfe0
Opcode Fuzzy Hash: fddc0cb503b692f6c236095ba95d28d4c3e0f05fe3addcbc27e522680d3b9396
Instruction Fuzzy Hash: C812B0F042174A8BE398DF26E84A1C53FF2F7C5318B544319E2612A2D1DBB8558BCF65

Function 06C4EA77 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391190168.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbb47dec9c92e9cd1c6a78a26870ac3fe53ab02f0bd569085f6d4b797480d52
Instruction ID: 17953563d513c43110f5cd5e63267fa9399d1930b63cdcba7607fa23d0ada5f8
Opcode Fuzzy Hash: cfbb47dec9c92e9cd1c6a78a26870ac3fe53ab02f0bd569085f6d4b797480d52
Instruction Fuzzy Hash: 54D10635C2075A8BCB11EBA5D95469DF3B1FF95300F20879AE40A77250EB706ECACB91

Function 06C4EA78 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391190168.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb26b0b46f4b157e81b841d6edd6d035188665ccf9c439cf1f654c775055419
Instruction ID: ec3ac91f81276c8417713f5c71b8a354448372b7bb5f2a062c785b4d0cd6f0d0
Opcode Fuzzy Hash: 4bb26b0b46f4b157e81b841d6edd6d035188665ccf9c439cf1f654c775055419
Instruction Fuzzy Hash: 9BD10635C2075A8BCB11EBA5D95469DF3B1FF95300F20879AE40A77250EB706ECACB91

Function 0698CB94 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2390700943.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6980000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72045f8e5e0b936498fdb2bf1cca9839b3fcee47f64699068d6202ace9d2af4
Instruction ID: d08de4c91a70534ebdd956b72abe18cadeef16e125407f53fc06adecfaf3d836
Opcode Fuzzy Hash: f72045f8e5e0b936498fdb2bf1cca9839b3fcee47f64699068d6202ace9d2af4
Instruction Fuzzy Hash: E6A18032E10215CFCF45EFB5D85059EBBB6FFC5300B25856AE815AB221EB31E945CB90

Function 0698EA71 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2390700943.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6980000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55714250351e58ea91bc2ba53124191624dca8edc47cc6dc9ff3515bf536e0ed
Instruction ID: 83900bcc74a0f0db6bc51b10de36f7c9e1fadefa586f1d64750348b6c659d34b
Opcode Fuzzy Hash: 55714250351e58ea91bc2ba53124191624dca8edc47cc6dc9ff3515bf536e0ed
Instruction Fuzzy Hash: 9FC117B082174A8BD798DF26E84A1C97FB2FBC5318B544319E1612B2D0DFB8548BCF65

Function 02D1B280 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 02D1B2BE
\;]q, xrefs: 02D1B2B2
\;]q, xrefs: 02D1B296
\;]q, xrefs: 02D1B28C

Memory Dump Source

Source File: 00000000.00000002.2386460388.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d10000_K59gVXTgGv.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: 9a82e24aea35eebbc3fdfefc7449be30ef2be0316bfd541fc2146e6912cb3731
Instruction ID: a67fb2863319ebdbf5ccde774dac14d7cbe1f3cd4369e9f528fdefb74200cbf1
Opcode Fuzzy Hash: 9a82e24aea35eebbc3fdfefc7449be30ef2be0316bfd541fc2146e6912cb3731
Instruction Fuzzy Hash: 3C018F71710015AFCB6C8E7EE484A3E77E6AF8AB68725816BE445CB760DB30DC45C750

Analysis Process: Google Chrome sandbox.exe.exePID: 2364, Parent PID: 1876COMMON

Executed Functions

Function 01145F20 Relevance: 11.1, Strings: 8, Instructions: 1143COMMON

Download Yara Rule

Strings

,aq, xrefs: 01145FF6
,aq, xrefs: 01146AD2
Haq, xrefs: 011465EE
,aq, xrefs: 01146AE0
(o]q, xrefs: 01146A5A
(o]q, xrefs: 01146A68
,aq, xrefs: 01146000
(o]q, xrefs: 01146722

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$,aq$,aq$,aq$,aq$Haq
API String ID: 0-2006068749
Opcode ID: 2707c8d32e984fd51ff07d17751eef1b0fa78411aa3971e22b26688d0e0b1a4f
Instruction ID: 0645ee66ad9705943b956fea0ed91247b8edb2af6585fdf982a2aab5acc074ed
Opcode Fuzzy Hash: 2707c8d32e984fd51ff07d17751eef1b0fa78411aa3971e22b26688d0e0b1a4f
Instruction Fuzzy Hash: ACA27F70A002198FDB19DF69C884AAEBBF2FF89B04F158469E545EB365DB30DC41CB91

Function 011412A7 Relevance: 2.7, Strings: 2, Instructions: 238COMMON

Download Yara Rule

Strings

8aq, xrefs: 0114134E
8aq, xrefs: 0114135E

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID: 8aq$8aq
API String ID: 0-1589283582
Opcode ID: 6d773711576e96fdc835a6cf90f23e461444ff0675a2cbca55002cf403baafc7
Instruction ID: 738f992ebf7814a2747c32d072bcaa029ae31baa6cd09d65ad9c44ece5c83a2b
Opcode Fuzzy Hash: 6d773711576e96fdc835a6cf90f23e461444ff0675a2cbca55002cf403baafc7
Instruction Fuzzy Hash: 51B1C374E04258CFDB14CFA9C994B9DBBB2BF89300F2481A9E409BB265DB306985CF41

Function 01145821 Relevance: 2.8, Strings: 2, Instructions: 287COMMON

Download Yara Rule

Strings

Haq, xrefs: 01145A01
Haq, xrefs: 01145A34

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: 207da280910e8dfce0ef9c12961d4da151f09a4b2345e4e37fcdbbd88eb1769c
Instruction ID: 4c19ef558bbb7d34f9be7bf886679eba1a668ce39cfdb84b118f49054b590878
Opcode Fuzzy Hash: 207da280910e8dfce0ef9c12961d4da151f09a4b2345e4e37fcdbbd88eb1769c
Instruction Fuzzy Hash: 23A1AD3070021A9FDB49AF68C899B6E7BA7EB88751F148428F506DB381CF74DD46CB91

Function 01147C3F Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

(o]q, xrefs: 01147C11

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: fb8497c0bab981daed6d05b953c414154ec8e5d1166da7e3e25445cc3331dc4a
Instruction ID: 90c5a871b589606315ca64a6d5d226de1734944941fa3077f0397a5318c71ce5
Opcode Fuzzy Hash: fb8497c0bab981daed6d05b953c414154ec8e5d1166da7e3e25445cc3331dc4a
Instruction Fuzzy Hash: FFD11C75A10215CFCB09CFACC9849AEBBF6FF89710B198459E515AB3A1CB35EC41CB50

Function 01147A98 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

(o]q, xrefs: 01147C11

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: 35ec3f5395bf4ae7c55e5ff85abb17104f3e22c9a88df68b127069856dd99781
Instruction ID: 3d6109fabaa87b08bb27e39f14a94436bf8d5fc9566ef3b4ed39d3ac6e4cdf85
Opcode Fuzzy Hash: 35ec3f5395bf4ae7c55e5ff85abb17104f3e22c9a88df68b127069856dd99781
Instruction Fuzzy Hash: FC41BF357002059FCB199F69D854AAEBBF6FBCCA10F244469E906E7391CF309C02CBA1

Function 011416A9 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

8aq, xrefs: 01141763

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: 34c2bf25a63528c37a744c979a6d3efa6c1b4ff2ac890a5ed77dd58242dbe115
Instruction ID: d3661ba89a96975b8fb88b94a2b2a1d4fa309eaed1fa4fa4ce5e0b3484f9831d
Opcode Fuzzy Hash: 34c2bf25a63528c37a744c979a6d3efa6c1b4ff2ac890a5ed77dd58242dbe115
Instruction Fuzzy Hash: 193104B4D052499FDB08DFAAD544AEEBBF2BF89300F24846AE804B7360D7355A46CF51

Function 01141798 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

8aq, xrefs: 01141763

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: 79195ddfb58f18843e97215a3554ad2d081b8b165c7b9d3074de6eebd050a7bb
Instruction ID: 62a14bdb2f02cdcec79ff5bfce162c6082a0df0b7f0b1ab079af24e179fe78d8
Opcode Fuzzy Hash: 79195ddfb58f18843e97215a3554ad2d081b8b165c7b9d3074de6eebd050a7bb
Instruction Fuzzy Hash: 21110175D0529BEFCF01CFB8D4445ADBFB1EF01215F2042AAE460AB292D730A646DB42

Function 01145B28 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75371c568e5b84f1122acd9488333ad0e3d8ab5c6955de30e99671b81385722e
Instruction ID: 56b46bece701fb64747930106a4a305c02b61073da5a3f910eb609fc7aa930c2
Opcode Fuzzy Hash: 75371c568e5b84f1122acd9488333ad0e3d8ab5c6955de30e99671b81385722e
Instruction Fuzzy Hash: B061AC343002058FDB599B78C49873E7AE7AF88B54F198629E586CB391DF34DC42CB91

Function 01141928 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf5d9508dee2a30a428c122b01d7dc6174d1b89f566bb08622c7eaf9f2e4bd8
Instruction ID: 87515a5e5a3803ebda16d5165c980aeaf71c7803b0a08a4a1b900021ddd885da
Opcode Fuzzy Hash: 2bf5d9508dee2a30a428c122b01d7dc6174d1b89f566bb08622c7eaf9f2e4bd8
Instruction Fuzzy Hash: E951E374D00249DFDB18DFA9D4487EDBBF1BF88305F24842AD415A6290DB785A85CF51

Function 01144A68 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afffa10906816f5a74d812a92316f70c4ab7851736a107467aec063ae6e7b85c
Instruction ID: dfbdeb4b4ded7559fad1c850b295bdfb43095f405a148c3423bff5bcedca20dc
Opcode Fuzzy Hash: afffa10906816f5a74d812a92316f70c4ab7851736a107467aec063ae6e7b85c
Instruction Fuzzy Hash: 7B316D343002099FCB0A9F69E445BAE7BA2FB88710F144029F9069B351CB75DD26CB91

Function 01145D88 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec54e04822152d7610e8c3bea42c7a8175a7275413c4748f079b50702ca93989
Instruction ID: 918aa662e8f5601523e2b4960d640d9542495b5e7f96b9accde9ea4b59070ea1
Opcode Fuzzy Hash: ec54e04822152d7610e8c3bea42c7a8175a7275413c4748f079b50702ca93989
Instruction Fuzzy Hash: 1821F0357006218BD7299B29D898A2EBBA3EFC5A517194179E94ADB390CF34DC03CBC1

Function 011411B8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299108d7a7c7e0119e81be793e842335f4f9297a8591057c01cba278283603b7
Instruction ID: d37084fa1f0585b5fcf950074643e72ae50c439296a655eac73cf36586e0fc98
Opcode Fuzzy Hash: 299108d7a7c7e0119e81be793e842335f4f9297a8591057c01cba278283603b7
Instruction Fuzzy Hash: 27213BB4E012099FDB08DFAAD4487EEBBF6BB89310F14902AD411B7290DB385A45CF64

Function 01144A58 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad9b40de6fc66d2d61495ecaca8de28fbf66669433e22c90884f4a4047417c4
Instruction ID: 70f22c60bc31bd9c43fc948d8f159ef2b733b01c1a90332a91fec4caa30ced52
Opcode Fuzzy Hash: 1ad9b40de6fc66d2d61495ecaca8de28fbf66669433e22c90884f4a4047417c4
Instruction Fuzzy Hash: 2E21D5313042489FDB099F69E459B6B7BB2EB84710F144039F9069B391CB78DD16CBA2

Function 01141AC0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c392d283267fc7bf865036c5bcbee9ca8eec61d2156cac31b0b0cfd150ac41
Instruction ID: 18d597913b1a48c594591e208c2d7b4797a8512edf22acb569f1d77593bd48ef
Opcode Fuzzy Hash: b4c392d283267fc7bf865036c5bcbee9ca8eec61d2156cac31b0b0cfd150ac41
Instruction Fuzzy Hash: 3F211874D002089FDB08DFAAD848BEDBBF1AF8A310F149029E405BB3A1DB745945CF54

Function 01145D78 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1dd77b6ff4e16f2718ab950e4a10a7543bc1d270ee1a02814237265d937692c
Instruction ID: 44e2d829004619219061123c72091c6ff998784f90d3ee6439e7232747f3312b
Opcode Fuzzy Hash: c1dd77b6ff4e16f2718ab950e4a10a7543bc1d270ee1a02814237265d937692c
Instruction Fuzzy Hash: DE11E3357006118BD7299B2AD898A2EBBA7FFC5A557194078E546DB390CF20DC03C7D0

Function 01147A8A Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bccb05694d3ee86f0c44f7659e9d28c72b6d94148c5bb4f20f29a3389f8cc99b
Instruction ID: abd9196848c9090e9d02c160eb825fd5ae15da1f84aae2ad7ad9960c6b152c16
Opcode Fuzzy Hash: bccb05694d3ee86f0c44f7659e9d28c72b6d94148c5bb4f20f29a3389f8cc99b
Instruction Fuzzy Hash: 9C114C367002049FDB148F65DC89BDEBBB6BB8C710F148029E916A7390CB71AD15CBA0

Function 01145E68 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d7af714ef5f68bc23fa58b1a7801eab5f5d924bed91faa20d0d0194e7e6115
Instruction ID: fa692cd08fbcf7e3964396e5973cf15fbc86e0cf56dcf1b62f01b543f585e8a1
Opcode Fuzzy Hash: 33d7af714ef5f68bc23fa58b1a7801eab5f5d924bed91faa20d0d0194e7e6115
Instruction Fuzzy Hash: AD11C2703006018FC3589E7ED09061AB7D6FF89A4071540BEE20ADB3A2DF72DC05C792

Function 01149298 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e9a472a0eb46ea83469d53044fd8ccd9adb2d0e8af410dd4746812674c1bbe
Instruction ID: 75324f58a5cffd4c1f499382c80ea69660b9ad3d709a9e7a71dbcd34131edba9
Opcode Fuzzy Hash: 91e9a472a0eb46ea83469d53044fd8ccd9adb2d0e8af410dd4746812674c1bbe
Instruction Fuzzy Hash: 86115E703046048FD728CF6EE894A27B7F6EFC9618314896DE54AC76A1CB71EC46CB41

Function 01149332 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c68b0e28474e5f19a1de27419bf359863ea512146e2baa2c93c585b4136332
Instruction ID: 9f7e63a4427bc3c6ddb5d0346ff9f44466f1a384b264367aeefa2fc8fb83d85f
Opcode Fuzzy Hash: 48c68b0e28474e5f19a1de27419bf359863ea512146e2baa2c93c585b4136332
Instruction Fuzzy Hash: 9F11F372E002199FDB04DFAAD840BEEBBF5FB89700F14802AE614B7390D7746905CBA1

Function 01149340 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befa0bc3e7d0cda641a610caa1b2e02dd0cb1ef25075d8d604a4776d83ed61f3
Instruction ID: 0aadff11de4ba0d6af3e27e9ee4a035ed2621e11e8292ca0856080bc6f8ad9b7
Opcode Fuzzy Hash: befa0bc3e7d0cda641a610caa1b2e02dd0cb1ef25075d8d604a4776d83ed61f3
Instruction Fuzzy Hash: 25112271E002198BCF08DFAAD840BEEBBF5FB89700F10802AE614B7390D7746905CBA0

Function 01141918 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe35e81ff023de483b6477fd4c2c4b1d0206861dfbed0bde0ac298ea68a1df0f
Instruction ID: 76c143984fc9dff511a64e2b4920e6b06c7aa37c03e5639fb5af6ff3a4c59820
Opcode Fuzzy Hash: fe35e81ff023de483b6477fd4c2c4b1d0206861dfbed0bde0ac298ea68a1df0f
Instruction Fuzzy Hash: 81111BB5D00259DFEF04DFAAD8493EDBBF5FB88305F048429D110A6290E7B85249CB91

Function 01145E5A Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43d1255db3b0c99af1ac646a7d4c0aaeeb016e4445ac88c3eebbc8870b8c750
Instruction ID: ba51da9339821264d03170251879822de3da2432e7cf56897021919b807a7d26
Opcode Fuzzy Hash: c43d1255db3b0c99af1ac646a7d4c0aaeeb016e4445ac88c3eebbc8870b8c750
Instruction Fuzzy Hash: 06F0E2713006049BD304DF6AE880B1ABBE9FF85B50B18406AE609DB352DB32EC05C7A6

Function 01141660 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0aface5b949d5780e1400be1a94ae2f35c3efdb16cdac159a628ffcb84a1481
Instruction ID: e7c40b2eeee99c4d3a0de9fd8b92185a97fe874b25a3f2e3c9afad824f8855dc
Opcode Fuzzy Hash: c0aface5b949d5780e1400be1a94ae2f35c3efdb16cdac159a628ffcb84a1481
Instruction Fuzzy Hash: B2F01C74D09288AFDB04DFB9A5892DCBFB0AB4E311F1485A6A944E6260D7304A469B41

Function 01149207 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e55741b7287010cc82449517de0de007d34d54ad774078041e1ae25ad135fd
Instruction ID: 6efd267c8ed1b931688009d26b49afaffd7124d8d5e93cfd9dc7aaa0d0b3523b
Opcode Fuzzy Hash: b5e55741b7287010cc82449517de0de007d34d54ad774078041e1ae25ad135fd
Instruction Fuzzy Hash: 1DE086227091D90FCB472ABE587815E6F325B8259735444B7D145CF39BCE158C06C3A1

Function 01141670 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c524d4e7a8c8b81510d71883d1185167bdaad2c4b9dce92307ed273f8674b932
Instruction ID: d90b8900bda47623c7337b8ed8cf6dc7e2cfe385dcac7e65103e5a0d62c4efc6
Opcode Fuzzy Hash: c524d4e7a8c8b81510d71883d1185167bdaad2c4b9dce92307ed273f8674b932
Instruction Fuzzy Hash: F7E04F74D0520CEFCB04EFB9A54829CBBF4AB49301F1485A5A808A3210E7705A84CB41

Function 01147B45 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deddb7d9b7df720d5d2f499d294472da678d479ee9e6009fe3751258f2b00c2b
Instruction ID: 9e628a4ebf9b9b3524f3af8bfe4444389b6b7708bc761065f56e025193a28ae9
Opcode Fuzzy Hash: deddb7d9b7df720d5d2f499d294472da678d479ee9e6009fe3751258f2b00c2b
Instruction Fuzzy Hash: A6D0673AB401199FCB059F9CEC508DDFB76FB98321B448526F915A3261CA319921DB90

Function 01149442 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc2afc853149b77fc584fe1cdd4498b0b243595050c0a24beed872cce1f081d
Instruction ID: 2e1f934c23fe473e33f340377225b61b0c6be875c11772edb72e6b6b36449842
Opcode Fuzzy Hash: abc2afc853149b77fc584fe1cdd4498b0b243595050c0a24beed872cce1f081d
Instruction Fuzzy Hash: 05D0A93000020A4ACF00F7AAF882A5A7B6AEB80200B748E10B0060B209DEB8689B8790

Function 01149448 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84ff54ab93dd7da7df57bf6a837db00d150704bda5378e7a47631de55502bbb
Instruction ID: 5e7b03d068d2d6d6ddb242e613d4c29b5bcc6f5d1d1e8cb273c2074348e00b6d
Opcode Fuzzy Hash: c84ff54ab93dd7da7df57bf6a837db00d150704bda5378e7a47631de55502bbb
Instruction Fuzzy Hash: 46C0123400420A46CF45F7BAF885A19776BEBC0204B709E11B4060B159DEB8599B87D0

Function 011491EA Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3efde89566fc3df294698e0e1622c31a8a8e71e9abaa8dd29ea72ea0f77f86d6
Instruction ID: 6758ed4ad026dbe957305abad7454275345f0beccca8416df1bea03c73c61843
Opcode Fuzzy Hash: 3efde89566fc3df294698e0e1622c31a8a8e71e9abaa8dd29ea72ea0f77f86d6
Instruction Fuzzy Hash: A6C09B2370002407860565BDF40516D53C7D6C55F731511BBD608E7745CD579C0747D1

Non-executed Functions

Function 011441A7 Relevance: 5.1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

Strings

t, xrefs: 01144174
4']q, xrefs: 0114421E
4']q, xrefs: 01144241
4']q, xrefs: 011441E6

Memory Dump Source

Source File: 0000000A.00000002.3262058060.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1140000_Google Chrome sandbox.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$t
API String ID: 0-4245401686
Opcode ID: 1632155ba16f5c30a66429cc30f3cb8e803cea2db99e286fb7d2b488c00d0c86
Instruction ID: a5f9fb06d89de249bdfd0c218be4a8c0632eb1a181755135f5601acf0545ac89
Opcode Fuzzy Hash: 1632155ba16f5c30a66429cc30f3cb8e803cea2db99e286fb7d2b488c00d0c86
Instruction Fuzzy Hash: A121BF30E042499FDB05EF78E45039D7FF1EB46308F2449A9D0489B352DF799A1A8B52

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report K59gVXTgGv.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Threatname: Njrat

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Google Chrome sandbox.exe.exe

C:\Program Files (x86)\Google Chrome sandbox.exe.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\K59gVXTgGv.exe.log

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome sandbox.exe.lnk

\Device\Null

Static File Info

General

File Icon

Windows Analysis Report
K59gVXTgGv.exe

Function 06C0C344 Relevance: 6.9, Strings: 5, Instructions: 627
COMMON

Function 08200040 Relevance: 6.7, Strings: 5, Instructions: 482
COMMON

Function 08953017 Relevance: 5.6, Instructions: 5646
COMMON

Function 08953030 Relevance: 5.6, Instructions: 5633
COMMON

Function 06C44018 Relevance: 5.2, Instructions: 5170
COMMON

Function 0895D888 Relevance: 4.7, Strings: 3, Instructions: 952
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre