Edit tour

Windows Analysis Report
Y0uLilkjPz.exe

Overview

General Information

Sample name:	Y0uLilkjPz.exe renamed because original name is a hash value
Original sample name:	8d84fc99073709f0c6049b80fa088c9af03c5525148e61b2d258cc3f1d4c7d8e.exe
Analysis ID:	1469004
MD5:	899d4c38a9edf64f8513eaaf6f5aa8e4
SHA1:	8dc9f2cf26ef7778031d4a02345cbbc982ab8aac
SHA256:	8d84fc99073709f0c6049b80fa088c9af03c5525148e61b2d258cc3f1d4c7d8e
Tags:	82-9-14-4exe
Infos:

Detection

XenoRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected XenoRAT

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Classification

Process Tree

System is w10x64

Y0uLilkjPz.exe (PID: 7664 cmdline: "C:\Users\user\Desktop\Y0uLilkjPz.exe" MD5: 899D4C38A9EDF64F8513EAAF6F5AA8E4)

Y0uLilkjPz.exe (PID: 7756 cmdline: "C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe" MD5: 899D4C38A9EDF64F8513EAAF6F5AA8E4)

schtasks.exe (PID: 7844 cmdline: "schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Y0uLilkjPz.exe (PID: 7900 cmdline: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe MD5: 899D4C38A9EDF64F8513EAAF6F5AA8E4)

cleanup

Malware Configuration

Threatname: XenoRAT

{"C2 url": "82.9.14.4", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "appdata"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Y0uLilkjPz.exe	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1371780059.0000000000B12000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Process Memory Space: Y0uLilkjPz.exe PID: 7664	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Y0uLilkjPz.exe.b10000.0.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security

Sigma Signatures

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F, CommandLine: "schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe" , ParentImage: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe, ParentProcessId: 7756, ParentProcessName: Y0uLilkjPz.exe, ProcessCommandLine: "schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F, ProcessId: 7844, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F, CommandLine: "schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe" , ParentImage: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe, ParentProcessId: 7756, ParentProcessName: Y0uLilkjPz.exe, ProcessCommandLine: "schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F, ProcessId: 7844, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Y0uLilkjPz.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe

Avira: detection malicious, Label: TR/Agent.cpjpa

Found malware configuration

Source: Y0uLilkjPz.exe

Malware Configuration Extractor: XenoRAT {"C2 url": "82.9.14.4", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "appdata"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Virustotal: Detection: 81%			Perma Link

Multi AV Scanner detection for submitted file

Source: Y0uLilkjPz.exe	ReversingLabs: Detection: 76%
Source: Y0uLilkjPz.exe	Virustotal: Detection: 81%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Y0uLilkjPz.exe

Joe Sandbox ML: detected

Source: Y0uLilkjPz.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 82.9.14.4

Source: global traffic

TCP traffic: 192.168.2.8:49705 -> 82.9.14.4:4545

Source: Joe Sandbox View

IP Address: 82.9.14.4 82.9.14.4

Source: Joe Sandbox View

ASN Name: NTLGB NTLGB

Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4

Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Code function: 0_2_014F0B12	0_2_014F0B12
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Code function: 2_2_00FF2CC8	2_2_00FF2CC8
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Code function: 2_2_00FF0B15	2_2_00FF0B15
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Code function: 5_2_02600B12	5_2_02600B12

Source: Y0uLilkjPz.exe, 00000000.00000002.1375788013.000000000114E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Y0uLilkjPz.exe
Source: Y0uLilkjPz.exe, 00000000.00000000.1371795673.0000000000B1E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXeno_manager.exe: vs Y0uLilkjPz.exe
Source: Y0uLilkjPz.exe, 00000000.00000002.1375788013.00000000011EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXeno vs Y0uLilkjPz.exe
Source: Y0uLilkjPz.exe, 00000000.00000002.1375788013.00000000011EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXeno_manager.exe: vs Y0uLilkjPz.exe
Source: Y0uLilkjPz.exe, 00000002.00000002.2614837795.000000000101E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Y0uLilkjPz.exe
Source: Y0uLilkjPz.exe	Binary or memory string: OriginalFilenameXeno_manager.exe: vs Y0uLilkjPz.exe
Source: Y0uLilkjPz.exe.0.dr	Binary or memory string: OriginalFilenameXeno_manager.exe: vs Y0uLilkjPz.exe

Source: Y0uLilkjPz.exe, Encryption.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Y0uLilkjPz.exe.0.dr, Encryption.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/4@0/1

Source: C:\Users\user\Desktop\Y0uLilkjPz.exe

File created: C:\Users\user\AppData\Roaming\XenoManager

Jump to behavior

Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Mutant created: \Sessions\1\BaseNamedObjects\Xeno_rat_nd8912d-admin

Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe

File created: C:\Users\user\AppData\Local\Temp\tmp99AA.tmp

Jump to behavior

Source: Y0uLilkjPz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Y0uLilkjPz.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Y0uLilkjPz.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Y0uLilkjPz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Y0uLilkjPz.exe	ReversingLabs: Detection: 76%
Source: Y0uLilkjPz.exe	Virustotal: Detection: 81%

Source: C:\Users\user\Desktop\Y0uLilkjPz.exe

File read: C:\Users\user\Desktop\Y0uLilkjPz.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Y0uLilkjPz.exe "C:\Users\user\Desktop\Y0uLilkjPz.exe"
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Process created: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe "C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe"
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Process created: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe "C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F	Jump to behavior

Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: C:\Users\user\Desktop\Y0uLilkjPz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Y0uLilkjPz.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Y0uLilkjPz.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Y0uLilkjPz.exe, DllHandler.cs	.Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: Y0uLilkjPz.exe, DllHandler.cs	.Net Code: DllNodeHandler
Source: Y0uLilkjPz.exe.0.dr, DllHandler.cs	.Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: Y0uLilkjPz.exe.0.dr, DllHandler.cs	.Net Code: DllNodeHandler

Source: Y0uLilkjPz.exe

Static PE information: 0xB6F61BA2 [Sat Apr 9 13:44:02 2067 UTC]

Source: C:\Users\user\Desktop\Y0uLilkjPz.exe

File created: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F

Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Memory allocated: 14B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Memory allocated: 2CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Memory allocated: FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Memory allocated: 14C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Memory allocated: 2600000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Memory allocated: 2900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Memory allocated: 2740000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Window / User API: threadDelayed 1874			Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Window / User API: threadDelayed 7958			Jump to behavior

Source: C:\Users\user\Desktop\Y0uLilkjPz.exe TID: 7684	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe TID: 7792	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe TID: 7792	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe TID: 7836	Thread sleep count: 1874 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe TID: 7836	Thread sleep count: 7958 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe TID: 7920	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Y0uLilkjPz.exe, 00000002.00000002.2614837795.000000000108D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0

Source: C:\Users\user\Desktop\Y0uLilkjPz.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Process created: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe "C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F			Jump to behavior

Source: C:\Users\user\Desktop\Y0uLilkjPz.exe	Queries volume information: C:\Users\user\Desktop\Y0uLilkjPz.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected XenoRAT

Source: Yara match	File source: Y0uLilkjPz.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Y0uLilkjPz.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1371780059.0000000000B12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Y0uLilkjPz.exe PID: 7664, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe, type: DROPPED

Remote Access Functionality

Yara detected XenoRAT

Source: Yara match	File source: Y0uLilkjPz.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Y0uLilkjPz.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1371780059.0000000000B12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Y0uLilkjPz.exe PID: 7664, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Y0uLilkjPz.exe	82%	Virustotal		Browse
Y0uLilkjPz.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.Bigisoft
Y0uLilkjPz.exe	100%	Avira	TR/Agent.cpjpa
Y0uLilkjPz.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	100%	Avira	TR/Agent.cpjpa
C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.Bigisoft
C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe	82%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
82.9.14.4	0%	Avira URL Cloud	safe
82.9.14.4	0%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
82.9.14.4	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
82.9.14.4	unknown	United Kingdom		5089	NTLGB	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1469004
Start date and time:	2024-07-08 11:33:26 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Y0uLilkjPz.exe renamed because original name is a hash value
Original Sample Name:	8d84fc99073709f0c6049b80fa088c9af03c5525148e61b2d258cc3f1d4c7d8e.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/4@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 79 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Y0uLilkjPz.exe, PID 7664 because it is empty
Execution Graph export aborted for target Y0uLilkjPz.exe, PID 7756 because it is empty
Execution Graph export aborted for target Y0uLilkjPz.exe, PID 7900 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:34:46	API Interceptor	129x Sleep call for process: Y0uLilkjPz.exe modified
11:34:23	Task Scheduler	Run new task: windows path: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
82.9.14.4	p6lcFOTY1w.exe	Get hash	malicious	Unknown	Browse
	NLTITBRYJB.exe	Get hash	malicious	Unknown	Browse
	8NBazrV9Zv.exe	Get hash	malicious	Unknown	Browse
	kmnApHtP3s.exe	Get hash	malicious	Metasploit	Browse
	B2prAdMRIX.exe	Get hash	malicious	DarkComet	Browse
	undectable.exe	Get hash	malicious	Unknown	Browse
	undectable.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NTLGB	p6lcFOTY1w.exe	Get hash	malicious	Unknown	Browse	82.9.14.4
	NLTITBRYJB.exe	Get hash	malicious	Unknown	Browse	82.9.14.4
	8NBazrV9Zv.exe	Get hash	malicious	Unknown	Browse	82.9.14.4
	kmnApHtP3s.exe	Get hash	malicious	Metasploit	Browse	82.9.14.4
	B2prAdMRIX.exe	Get hash	malicious	DarkComet	Browse	82.9.14.4
	RCIgUmzFVU.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	92.237.232.11
	2EVe9Yt2R8.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	77.100.218.44
	arm5-20240706-0012.elf	Get hash	malicious	Mirai	Browse	82.37.45.21
	undectable.exe	Get hash	malicious	Unknown	Browse	82.9.14.4
	undectable.exe	Get hash	malicious	Unknown	Browse	82.9.14.4

Process:	C:\Users\user\Desktop\Y0uLilkjPz.exe
File Type:	CSV text
Category:	modified
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp99AA.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	3.9479250055202844
Encrypted:	false
SSDEEP:	12:StLJ+DWg0Sa+Nn/WNeMS7Xp1yd3YL6WVYXqOVl7KfTShhJKShjNI0QBDO1d9HAjE:StLJ+S8AMEoL6fUMhEMj+0Q1itn
MD5:	9D17814D91AFB327BFF9449BEA54F60D
SHA1:	C2752AE63A45FC7292E469AC7CFF62102B54535C
SHA-256:	AA48BE1CBF9A3BFD3EBF27EA789ABB7A0D5ECF88079D808711775FEB4EB1D6CD
SHA-512:	38B1FDF26EF6876FA82ACFA965439AB7E05A0FAF015C98176B73A709C78AA15B0D4E3278CBACDBB0A94CBA0E5FA06268F2B0DFC3189B429809EB8A386BE71930
Malicious:	true
Reputation:	low
Preview:	.. <Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. </LogonTrigger>.. </Triggers>.. <Principals>.. <Principal id='Author'>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. </Settings>.. <Actions>.. <Exec>.. <Command>C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe</Command>..

C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe

Download File

Process:	C:\Users\user\Desktop\Y0uLilkjPz.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.6427831534356665
Encrypted:	false
SSDEEP:	768:pdhO/poiiUcjlJIn9bqmH9Xqk5nWEZ5SbTDa0WI7CPW5h:nw+jjgntH9XqcnW85SbTtWIZ
MD5:	899D4C38A9EDF64F8513EAAF6F5AA8E4
SHA1:	8DC9F2CF26EF7778031D4A02345CBBC982AB8AAC
SHA-256:	8D84FC99073709F0C6049B80FA088C9AF03C5525148E61B2D258CC3F1D4C7D8E
SHA-512:	A8B7346045F9B22F5FBD8D7DB9ED4266DA244C9337A630A3C8F05045E0A9872E21E72F82D45120ADAB9448C2E2B43D35B2B90DE35CAF7F67E0AAEAE4E1FB3056
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76% Antivirus: Virustotal, Detection: 82%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................... ............`.....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......,l...^......^...................................................moom825...gB...\v...U.g.6#...E...x..F...(......s....}.....r...p}.....(....(...........s....o......o....s....( ...r...p(!...,.("....6.\|.....(?...V.(......}......}.....6.\|.....(?...6.\|.....(?...6.\|"....(?...6.\|&....(?...6.\|-....(?...6.\|2....(?...6.\|;....(?...6.\|A....(?.....sl...}F.....}I.....}J.....}K....(......}G.....}E...6.{F....om...f..i..i3.....ij(+.......6.{G....oL...2.{G...oM...*

C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Y0uLilkjPz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.6427831534356665
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Y0uLilkjPz.exe
File size:	46'592 bytes
MD5:	899d4c38a9edf64f8513eaaf6f5aa8e4
SHA1:	8dc9f2cf26ef7778031d4a02345cbbc982ab8aac
SHA256:	8d84fc99073709f0c6049b80fa088c9af03c5525148e61b2d258cc3f1d4c7d8e
SHA512:	a8b7346045f9b22f5fbd8d7db9ed4266da244c9337a630a3c8f05045e0a9872e21e72f82d45120adab9448c2e2b43d35b2b90de35caf7f67e0aaeae4e1fb3056
SSDEEP:	768:pdhO/poiiUcjlJIn9bqmH9Xqk5nWEZ5SbTDa0WI7CPW5h:nw+jjgntH9XqcnW85SbTtWIZ
TLSH:	4423F84C57AC8923E6AF5ABD9432426387B3F3669532E38F08CCD4E9379338558053A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................... ............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40cb1e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB6F61BA2 [Sat Apr 9 13:44:02 2067 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcacc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x5d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xab24	0xac00	291af9abfa95adcaaf2911a7d8fd2dae	False	0.449718386627907	data	5.726786754870937	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x5d0	0x600	413d41ad2a0da7fe255f98970731f053	False	0.453125	data	4.404307394530879	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	8e7e070a590558bea4918ccf40b1b853	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x344	data			0.4533492822966507
RT_MANIFEST	0xe3e4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 8, 2024 11:34:26.111044884 CEST	49705	4545	192.168.2.8	82.9.14.4
Jul 8, 2024 11:34:26.115919113 CEST	4545	49705	82.9.14.4	192.168.2.8
Jul 8, 2024 11:34:26.116013050 CEST	49705	4545	192.168.2.8	82.9.14.4
Jul 8, 2024 11:34:47.490636110 CEST	4545	49705	82.9.14.4	192.168.2.8
Jul 8, 2024 11:34:47.490739107 CEST	49705	4545	192.168.2.8	82.9.14.4
Jul 8, 2024 11:34:57.512006998 CEST	49708	4545	192.168.2.8	82.9.14.4
Jul 8, 2024 11:34:57.516983986 CEST	4545	49708	82.9.14.4	192.168.2.8
Jul 8, 2024 11:34:57.517054081 CEST	49708	4545	192.168.2.8	82.9.14.4
Jul 8, 2024 11:35:18.899566889 CEST	4545	49708	82.9.14.4	192.168.2.8
Jul 8, 2024 11:35:18.899693966 CEST	49708	4545	192.168.2.8	82.9.14.4
Jul 8, 2024 11:35:28.902535915 CEST	61023	4545	192.168.2.8	82.9.14.4
Jul 8, 2024 11:35:28.907533884 CEST	4545	61023	82.9.14.4	192.168.2.8
Jul 8, 2024 11:35:28.907623053 CEST	61023	4545	192.168.2.8	82.9.14.4
Jul 8, 2024 11:35:50.304883003 CEST	4545	61023	82.9.14.4	192.168.2.8
Jul 8, 2024 11:35:50.305010080 CEST	61023	4545	192.168.2.8	82.9.14.4
Jul 8, 2024 11:36:00.309176922 CEST	61024	4545	192.168.2.8	82.9.14.4
Jul 8, 2024 11:36:00.314276934 CEST	4545	61024	82.9.14.4	192.168.2.8
Jul 8, 2024 11:36:00.314352989 CEST	61024	4545	192.168.2.8	82.9.14.4
Jul 8, 2024 11:36:21.676325083 CEST	4545	61024	82.9.14.4	192.168.2.8
Jul 8, 2024 11:36:21.676502943 CEST	61024	4545	192.168.2.8	82.9.14.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 8, 2024 11:35:02.378153086 CEST	53	54776	162.159.36.2	192.168.2.8
Jul 8, 2024 11:35:02.897136927 CEST	53	53447	1.1.1.1	192.168.2.8

Target ID:	0
Start time:	05:34:16
Start date:	08/07/2024
Path:	C:\Users\user\Desktop\Y0uLilkjPz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Y0uLilkjPz.exe"
Imagebase:	0xb10000
File size:	46'592 bytes
MD5 hash:	899D4C38A9EDF64F8513EAAF6F5AA8E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000000.00000000.1371780059.0000000000B12000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:34:17
Start date:	08/07/2024
Path:	C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe"
Imagebase:	0xa70000
File size:	46'592 bytes
MD5 hash:	899D4C38A9EDF64F8513EAAF6F5AA8E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs Detection: 82%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	05:34:22
Start date:	08/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /Create /TN "windows" /XML "C:\Users\user\AppData\Local\Temp\tmp99AA.tmp" /F
Imagebase:	0xf30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:34:22
Start date:	08/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:34:23
Start date:	08/07/2024
Path:	C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe
Imagebase:	0x5b0000
File size:	46'592 bytes
MD5 hash:	899D4C38A9EDF64F8513EAAF6F5AA8E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 014F0B12 Relevance: .6, Instructions: 576COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376167551.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b27e6885cbb07541c5245412e4609309126fe24241a538ba86dd273db623fd
Instruction ID: 9e7491f04c69f39292159cac7606d6fb503266f9a399a19c1bea4322cdfcd031
Opcode Fuzzy Hash: 85b27e6885cbb07541c5245412e4609309126fe24241a538ba86dd273db623fd
Instruction Fuzzy Hash: 99424874A00249CFDB05DFA8C494A9DBBF2BF89314F1181A9E515EB3AADB31AC45CF50

Function 014F0988 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376167551.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f4a4ab87f8449d33caa13779f4aa2591da506ffca4b3a851c7ac939229ed5e
Instruction ID: aa8e6e2d0d65c4c83693a5ab3752de9c3ed7862f7e5aeeb67698acdc09424a6e
Opcode Fuzzy Hash: 22f4a4ab87f8449d33caa13779f4aa2591da506ffca4b3a851c7ac939229ed5e
Instruction Fuzzy Hash: 7F21833091030EDFDB45EFA8E96069DBBB2FB84704F008569D4249B26DEB701E45CF81

Function 014F0990 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376167551.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c56b137c9854f70cf41291662285564737d1d8dd4eb5a619e61d826c7146e27
Instruction ID: 53717eefeaf96df1ea3e2514c9b76158e2abcc98a6fc6372c02e0dced1160254
Opcode Fuzzy Hash: 3c56b137c9854f70cf41291662285564737d1d8dd4eb5a619e61d826c7146e27
Instruction Fuzzy Hash: DC21843091031EDFDB45EFA8E96069DBBB2FB84704F008669C4249B26DEB701E05CF81

Function 014F0877 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376167551.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 393371854dd52c058f3bcf9ef9557a334e1d77a4287d45710953b0e04efec36b
Instruction ID: 262545d5d0dd1a70606d0dca8a39ce7d83a85dd5aaac2d658d4b1ac67f0d416d
Opcode Fuzzy Hash: 393371854dd52c058f3bcf9ef9557a334e1d77a4287d45710953b0e04efec36b
Instruction Fuzzy Hash: FB01BC32D1035A8BCB01DBB4CC400DDBB72FFCA320F160666D1017B060EBB4295AC7A0

Function 014F08F9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376167551.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274132c4be6df0e8567a5ddc9c92f94d2cf1d7804ed2d7d889482b38ca43941d
Instruction ID: 10b4774669964dbbb28f0e990c83f628c280281f0caf2311b3b0d867eca9955c
Opcode Fuzzy Hash: 274132c4be6df0e8567a5ddc9c92f94d2cf1d7804ed2d7d889482b38ca43941d
Instruction Fuzzy Hash: 8B01F4329102099BEB059B70C894AFFBBBADF85311F14457AD402AB250EF72290697C1

Function 014F0908 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376167551.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02cb14405e085dd87c9d8e2eadf559856cbadf15bd4a1779daf37bfc50ed2807
Instruction ID: fe9189486c4899a3da6570a5475828a505e3e96e4bb63eb2bfebe9005f380c94
Opcode Fuzzy Hash: 02cb14405e085dd87c9d8e2eadf559856cbadf15bd4a1779daf37bfc50ed2807
Instruction Fuzzy Hash: 08F08232E1020997EF15DBB0C465AEFBBBA9FC4700F51852AD512BB340EFB1690697D1

Function 014F0839 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376167551.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce935a9c978d98a4b0ae5d268329ea837d95830b00ae8248e196ddaa17136c3
Instruction ID: f5f17f42928b5172f1a4edb9ad00f4f128a768627a207f097da957b2f838299a
Opcode Fuzzy Hash: 7ce935a9c978d98a4b0ae5d268329ea837d95830b00ae8248e196ddaa17136c3
Instruction Fuzzy Hash: 35F06D718093899FD742CBB889146597FB4EF06245F2504DAE884CB222E7368E01C756

Function 014F13A2 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376167551.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7679e412e1f3d4f8eee0b7ec19a2a86745671bc2fef3ab8a0a54bf9a55483260
Instruction ID: 5b4487cacae1cfeee7a3113b4148b89af66bbf8c1876e19286016f795b512f9c
Opcode Fuzzy Hash: 7679e412e1f3d4f8eee0b7ec19a2a86745671bc2fef3ab8a0a54bf9a55483260
Instruction Fuzzy Hash: 2EE039B0D5434A8FCB80DFB988421BEBFF1AE85210F1082AFC909E2202E23546128BC1

Function 014F0848 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376167551.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03bed87bb647809ae902fb972e7a9b745f59d6201b11051a2107213a037b987b
Instruction ID: 3a6ddd23c69aa3c82517fb15fea9e0e2b6cf3feb293c4cc72476114b890535e8
Opcode Fuzzy Hash: 03bed87bb647809ae902fb972e7a9b745f59d6201b11051a2107213a037b987b
Instruction Fuzzy Hash: 30D01771905248AFEB11DFB8C50575DBBB9AB05241F20449AE558C7305DB319E50C796

Function 014F13B0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376167551.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef043d575c0f54f122b0501c9fa8b484036c79d8b33f2a125a1e09fb6ee5efe
Instruction ID: 03567044e8e4ef83a5e718b19a2d242f5e5c21776217a67d96ad4323a66f0989
Opcode Fuzzy Hash: fef043d575c0f54f122b0501c9fa8b484036c79d8b33f2a125a1e09fb6ee5efe
Instruction Fuzzy Hash: A3E042B4D0530E9F8B40EFBA88421AEFFF5AB48200F5085AADA08E3311E67056518BD1

Analysis Process: Y0uLilkjPz.exePID: 7756, Parent PID: 7664COMMON

Executed Functions

Function 00FF0B15 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26bc826d705511348ad8f18f12eea934e2f0015ef2e6ca3f1b22b60de2dd3b69
Instruction ID: 7a436f425ef495b8bf0cc501babef6e40f65654034b685463d55082ca892c65d
Opcode Fuzzy Hash: 26bc826d705511348ad8f18f12eea934e2f0015ef2e6ca3f1b22b60de2dd3b69
Instruction Fuzzy Hash: 64423974A00249CFDB05DFA8C484A9DBBF2BF89324F1581A5E505EB3AADB31AC45DF50

Function 00FF2CC8 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7503b2e1e6b8d6c1bb7a3aec761667f9623e34d836293e47c61a5acd9bd62642
Instruction ID: c09edc745392325e7e69fd8d08642e6a36e3374a215b507b53d67a3721a01fc1
Opcode Fuzzy Hash: 7503b2e1e6b8d6c1bb7a3aec761667f9623e34d836293e47c61a5acd9bd62642
Instruction Fuzzy Hash: AB02E175A012099FDB05CF68D484A9DBBF2FF89324F2981A9E405EB366D730ED85CB50

Function 00FF23FD Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d6bc49e9fd7e825f44cd0cdf870a1908a6662c4556c045c69685f13ea7062f
Instruction ID: 77f36890c7991ea4fad6446e97f797deafcb34a451337f69f302bd2a14c2a600
Opcode Fuzzy Hash: 31d6bc49e9fd7e825f44cd0cdf870a1908a6662c4556c045c69685f13ea7062f
Instruction Fuzzy Hash: 8141B071C053889FCB51CFA9C850AEEBFF1AF49350F25806AE945AB2A1CB344945DBA0

Function 00FF357F Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ff44403acc0ea587a784749b3422937d32c8f3fc6bf2f488afc6c4b296d341
Instruction ID: 63314d26d9ea0040d7a3163f42f1c4f592955965944b91db70d98e2b3e17f042
Opcode Fuzzy Hash: f6ff44403acc0ea587a784749b3422937d32c8f3fc6bf2f488afc6c4b296d341
Instruction Fuzzy Hash: 7E31D072A093854FE706CB28C8919EDBFB1EF8B350B1D40D7D140EB2A3D6218D45DB22

Function 00FF35B0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3fbc637fcf3b799fdea90ce0a5ea74c22bd7ca4ff5d2ea7fcb9a596aadae37
Instruction ID: 42883446cb7e2d82f9df9b501be3a3b0fefe13e571479b5ce00fadf6eb61e19f
Opcode Fuzzy Hash: 6b3fbc637fcf3b799fdea90ce0a5ea74c22bd7ca4ff5d2ea7fcb9a596aadae37
Instruction Fuzzy Hash: 93119072E042088FDB05CF54D8809EEBBF2EF8D320F2981AAD101A7761D7309D45CB60

Function 00FF12A3 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dbe38493c55c88686407444c8bfe38f93d147f1764ecc6dbbab6ad471023dfb
Instruction ID: 31f8da5ba6469b9448eb9057517cf8b353c49d753529a0ee386cc198e49ff231
Opcode Fuzzy Hash: 5dbe38493c55c88686407444c8bfe38f93d147f1764ecc6dbbab6ad471023dfb
Instruction Fuzzy Hash: 59A12470A01249CFDB05DFA8C480AACBBB2FF89324F1182A5E515AF3A9D731AC45DF50

Function 00FF3718 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a9f341ce5ea7b27cb41b1601f7bc8a78b3b3647d73bffcc6bc4291d6b6ba8e
Instruction ID: 63094356b9def867c8b38744ef486b89b74266a876542930388685a07abc9113
Opcode Fuzzy Hash: 04a9f341ce5ea7b27cb41b1601f7bc8a78b3b3647d73bffcc6bc4291d6b6ba8e
Instruction Fuzzy Hash: 8A81BF75B002098FDB25DF68C484AADBBF2FF89760F158155E446AB361CB70ED41DBA0

Function 00FF4430 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 887f2849bf4ce0816f51f1dbd70181a5b86f25599d3d9203226b310a72091b80
Instruction ID: 95363bec64763a104fbc92bce2db7b47f60aed36334a338c4d71aaea7ce6c47f
Opcode Fuzzy Hash: 887f2849bf4ce0816f51f1dbd70181a5b86f25599d3d9203226b310a72091b80
Instruction Fuzzy Hash: 25814A35B012089FDB04DF68D494A9EBBF2BF8A320F258165E505EB365DB30EC86DB50

Function 00FF1EC8 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05c050f945738d64bd33146b22f95a2a0cba9fc1ddcbee8553d5cde95803f14
Instruction ID: c27486213d1a8360558d9f21c2dc260bba313af6fbc04809b641fd22be0b1041
Opcode Fuzzy Hash: c05c050f945738d64bd33146b22f95a2a0cba9fc1ddcbee8553d5cde95803f14
Instruction Fuzzy Hash: 26715D35A00209CFDB05DF68C850A9DB7F2BF8D310F6582A9D505AB365DB36ED41DBA0

Function 00FF1EB7 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e306ce62d72821cdb13ce306f1cdf0e1ce2f5a8c45eee8b00e8a41086395378a
Instruction ID: 64df3e10c76a4d479220feb31296500f0df7ccc4454cd713f4050829492883e1
Opcode Fuzzy Hash: e306ce62d72821cdb13ce306f1cdf0e1ce2f5a8c45eee8b00e8a41086395378a
Instruction Fuzzy Hash: 97517E34B00209CFDB05DF68C850A9DB7F2BF88310F6482A9E505AB366DB36ED01CB90

Function 00FF3AFF Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9bc698a2cefd5846558bff9e41e89af7f78fc7f4bdd6361156822a85ad6dc8
Instruction ID: 617b058b3595bc7e53bb07bf08528a9a33f79c90fda7a387dd8e2c17f5972f5d
Opcode Fuzzy Hash: 9e9bc698a2cefd5846558bff9e41e89af7f78fc7f4bdd6361156822a85ad6dc8
Instruction Fuzzy Hash: A7517F31A10B05DFDB24CF65C8809AAFBF2FF88710B248A5DE59AA7660D731AD45CB50

Function 00FF29D8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1c256d22c5bb27463084679dd4e689591a4b0710780ac05e54043cdd99120b
Instruction ID: ac734b9d08377a854fd87937db3dd3706b82ff5907cefbae34297df87661ebda
Opcode Fuzzy Hash: 4f1c256d22c5bb27463084679dd4e689591a4b0710780ac05e54043cdd99120b
Instruction Fuzzy Hash: 35515C31A007098FDB15DF68C880ADDBBF2BF89320F158694D515AB3A2D771ED45DBA0

Function 00FF29C7 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2403ebb5a02f5d327bd7fe68cf5c2f6bf174b450beeed40bb8cfa396ca702539
Instruction ID: 2d6e08ad10424445c337cbb21fdcb6c2372d73ea5ac94496522557bfbd271543
Opcode Fuzzy Hash: 2403ebb5a02f5d327bd7fe68cf5c2f6bf174b450beeed40bb8cfa396ca702539
Instruction Fuzzy Hash: D2419F30A003058FDB15DF68C8809DEBBF2FF89320B148668E455AB3A1D771AD45CB90

Function 00FF2768 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a1c18b5f22ad3d983b3031df35570cecf9931a2654caadeaf9efc315ac18249
Instruction ID: 57c2d139f253ac63ce5ba9eda409845b62f051fbcb8b98749b021cda813ad02e
Opcode Fuzzy Hash: 7a1c18b5f22ad3d983b3031df35570cecf9931a2654caadeaf9efc315ac18249
Instruction Fuzzy Hash: 9C312870D0124D9FDB54CFAAC480BEEBFF5AF48350F24842AE909AB250DB749941DF90

Function 00FF1890 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8284d83fa0c14f0bd49da31e570f9c9ce6a51477c8d6cd2608fdfd7e0ce2d55e
Instruction ID: dab64a2a4aca906835069a74e586c940777ca90243d88a98adddd6b89289556b
Opcode Fuzzy Hash: 8284d83fa0c14f0bd49da31e570f9c9ce6a51477c8d6cd2608fdfd7e0ce2d55e
Instruction Fuzzy Hash: 8C219F32D01219EFDF15DFA5D9406EEBBF6EF8A720F108166E501A7211DB306E14DBA0

Function 00FF0797 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da05a31ecec17cd48bd186353eec83587e0bf4bc983b9f06b4694d7739cb408
Instruction ID: 85d6d0d3a6dcc3fe0939d1c4e2dc431870ce0c957e9f922c17125fc63c64ef51
Opcode Fuzzy Hash: 1da05a31ecec17cd48bd186353eec83587e0bf4bc983b9f06b4694d7739cb408
Instruction Fuzzy Hash: 31215C5281E3C55FD703977888692987F71AF63659B1E41DBC0C4CF0A3E6298D4AC3AA

Function 00FF18A0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9273105d3b35c956af76ce5f108311dd3458826ddfa069948af0c8baa6040c5
Instruction ID: 25c3ccb5010072b13b46fe517b971f9436ed5535dc5c356f54e206388bfb0ef2
Opcode Fuzzy Hash: d9273105d3b35c956af76ce5f108311dd3458826ddfa069948af0c8baa6040c5
Instruction Fuzzy Hash: D521C032E01219EFDF05EFA5D980ADEBBF6AF8A710F108166D502A7211DB315D04DB90

Function 00FF0981 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c385b2e0fe7d6a4d0177d7d6c903abcf827b64afd4ff1b20b4062cc92293cfc3
Instruction ID: 0d773f7b33c504f67894d495bf6d2df9a4400b1b368ffc09373c0750798e85f2
Opcode Fuzzy Hash: c385b2e0fe7d6a4d0177d7d6c903abcf827b64afd4ff1b20b4062cc92293cfc3
Instruction Fuzzy Hash: 0321323090030E9FDB02EFA8E865A9D7FB1FF85704F1056AAD504DB26AD7741A05DF81

Function 00FF0C9A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8eba36e913b2d88c220b2f711cb49f9825fa772bb1c719a4519310866151dbf
Instruction ID: ddd28e19bab2f33b3f74f42ada544f26568ba0bcac145b06b0031084c604c2db
Opcode Fuzzy Hash: a8eba36e913b2d88c220b2f711cb49f9825fa772bb1c719a4519310866151dbf
Instruction Fuzzy Hash: 4D21F475E0024D8FDB05DFA9D8809DDBBF5BF89310F158066D509EB225E730A945DF10

Function 00FF0990 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0738b2be1665b96fca4e1e404d0b0e39775814218f96871e1326003ecb737233
Instruction ID: 412a47e3e38eeca3f264443c8f24a4b29ddc5d814c40b15aadab016cd47a5cde
Opcode Fuzzy Hash: 0738b2be1665b96fca4e1e404d0b0e39775814218f96871e1326003ecb737233
Instruction Fuzzy Hash: 0521213090031EDFDB02FFA8E854A9D7BB1FB84705F1096AAD504DB269EB746A05DF81

Function 00FF28A1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a09e893766b049f23fa2203df4effa6bd1c3597121c1e8d72128194a6c8a20
Instruction ID: b2dd75c7148e1e641b3b82bf88cccea918ce4d4c7afdc8d6a53b5639a33ae06f
Opcode Fuzzy Hash: d3a09e893766b049f23fa2203df4effa6bd1c3597121c1e8d72128194a6c8a20
Instruction Fuzzy Hash: FF113A32D0570A9FDF00DFA9C8805CDFBB5EF9A320F21462AE914B7250E7706A56CB61

Function 00FF31E4 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b9166ffa879f1e8fe0cd4f56d832e3ec50ab343fec940c50694bdf9744ae95
Instruction ID: 179c122257de949058953f43528e4cf43801754d8a1d249af5555d82d11d3f85
Opcode Fuzzy Hash: e1b9166ffa879f1e8fe0cd4f56d832e3ec50ab343fec940c50694bdf9744ae95
Instruction Fuzzy Hash: EE11A732D0978A8FCB068BB8C8104DDBFB1AFC7310B158697C151BB1A1E7701559CB61

Function 00FF28B0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f671e1bc9a42d1b787e320ae89cb09ad953caa75859c494fe55c5db482e485bf
Instruction ID: b42646e2e401a16fd88310af1ef5e895b8f29592e35bf04e9898d71cccfc0991
Opcode Fuzzy Hash: f671e1bc9a42d1b787e320ae89cb09ad953caa75859c494fe55c5db482e485bf
Instruction Fuzzy Hash: 37113C32D1160E9BDF00DFA9D8805CEF7B6EF99720F214626E914B7250EB706A56CB50

Function 00FF2BA8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde8c0527002754cab5a6fa5455505c03968e0f7ab706350adb4cf0ce943a957
Instruction ID: 364897a3f85e421b48314cc6e30f5cc292945c0943a942828f7d78d35d4966b0
Opcode Fuzzy Hash: cde8c0527002754cab5a6fa5455505c03968e0f7ab706350adb4cf0ce943a957
Instruction Fuzzy Hash: 1B114832D0675A9BCB11CFA9C8800CDFBB2FFD9220B154226D101B7160E770295ACBA0

Function 00FF4310 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a1850261b02d151140d47c1047f8025a2002457aceecdb6d2a1aaa91d5041b
Instruction ID: 50196d924596e35a65d02ae6ec8445f35e8a9ae6563948bfc8922b22f4ef1167
Opcode Fuzzy Hash: 73a1850261b02d151140d47c1047f8025a2002457aceecdb6d2a1aaa91d5041b
Instruction Fuzzy Hash: BC118B32D0274A9BCB01CFA9D8400DEFBB2EFDA320B25066AD101B7150E774294ACB51

Function 00FF39F0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c217f1279208e6a2c4eee3158c651d77e47c78c145c264f8092b251d7817c53a
Instruction ID: 47e4b635ff07957db0d7131dd873101de71172a95cf0583d1ced95263b9e6037
Opcode Fuzzy Hash: c217f1279208e6a2c4eee3158c651d77e47c78c145c264f8092b251d7817c53a
Instruction Fuzzy Hash: 6B01D232E0071B9BDB00DBA9CC401CEF7B6EFC9320F218226D12173250EB70290ACB61

Function 00FF07F0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326f43a7b8c02fda5fed86aa29140588423e95fea7fc195ee831d300e1a192a5
Instruction ID: 71452ece7548bdd2f612df52c550954baf8e6b5d0d52126ec3ac4286b0f67181
Opcode Fuzzy Hash: 326f43a7b8c02fda5fed86aa29140588423e95fea7fc195ee831d300e1a192a5
Instruction Fuzzy Hash: AF11922280E3C55FC703C77888696887F71AF53554B1A41CBC0C4CF1A3EA268D4BC396

Function 00FF19B2 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a069393edc9d7eecab663b6abc200f0d59ab7e3c46f12772b8bab2943d80c8f0
Instruction ID: 4e49af495c97cfa4c5ddb6cbf88e2017c8d985d96af99ebd4a1e836438520e0a
Opcode Fuzzy Hash: a069393edc9d7eecab663b6abc200f0d59ab7e3c46f12772b8bab2943d80c8f0
Instruction Fuzzy Hash: C6015E32D1161A9BDB04DBA5EC404DEF775EFC9710B118726E12177160EB70255A8B50

Function 00F8D149 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614517884.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f8d000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9fb3083a669b3beda66d172d5fdf1caa073f0ff11072e6ef1c134ac1bdf6aa
Instruction ID: 778743a53903fd6325385ba62c67c98759bbf6d682d83a50b6f056b3445c6ef9
Opcode Fuzzy Hash: 1a9fb3083a669b3beda66d172d5fdf1caa073f0ff11072e6ef1c134ac1bdf6aa
Instruction Fuzzy Hash: FE01A7715047449AF724AA15CC88BA7BF98DF41735F18C51AED094A2C6C7799840D772

Function 00FF46E1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671f947495558c0c6976bfafb3603aea5086d754be0e07bd7c18c04735925364
Instruction ID: 74e98403e83ee61a6559bb732f7cb4d524b507cce16ca65d4abada192d81e7cf
Opcode Fuzzy Hash: 671f947495558c0c6976bfafb3603aea5086d754be0e07bd7c18c04735925364
Instruction Fuzzy Hash: FC01DE32D1031A8FCB04CBA4DC444CEF3B2EFCA310F264626D11077160EB702A6ACB91

Function 00FF0877 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee33a2c5ed66c26eb439c43456dfcdc2022969cdbb97f1f23049aaf5b8257a42
Instruction ID: 32caa727583296f07f9e7522272998b49e3241519463af8d940333b401f17d67
Opcode Fuzzy Hash: ee33a2c5ed66c26eb439c43456dfcdc2022969cdbb97f1f23049aaf5b8257a42
Instruction Fuzzy Hash: C9017C32D1566A9FCB01DBB4CC444DDBB72EFC6610B1A0756D101B70A1E7B4295AC791

Function 00FF19B8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2f095c1b80cb3e5af9aaa162c97f3b53c9c90fe2dedab13a9b6d0ace1b5ca1
Instruction ID: 7a25c2d652aed5219aa0ee547f688f39b099cac1b22b1639fc7935467c2a8197
Opcode Fuzzy Hash: ac2f095c1b80cb3e5af9aaa162c97f3b53c9c90fe2dedab13a9b6d0ace1b5ca1
Instruction Fuzzy Hash: 1B015A32D1070A9BDB04DBA5E8404DEF3B6EFC9720B118726E22073160EB70255A8A90

Function 00FF4320 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d001485aec810415debed13fc10eb954aa5d06a46704a98a116a7ca781d1f6e
Instruction ID: 423dc6a9fb61ddec97a8cc40a73ad0e2102970f372d4cd14ff03099f6eb0b9b2
Opcode Fuzzy Hash: 2d001485aec810415debed13fc10eb954aa5d06a46704a98a116a7ca781d1f6e
Instruction Fuzzy Hash: 80012C32D1260F9BDB00DBA5DC401DEF7B6EFD9720F254626E11177150EB702A5A8791

Function 00FF3200 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c2dea8b5b0a865c17de4a8e01b6c062009d932d0b6d400b7389ad88e39b475
Instruction ID: ceb6707aacb729a309cba8923e72cd8a50559a269f92dac80dfbec5fcc82c3af
Opcode Fuzzy Hash: b3c2dea8b5b0a865c17de4a8e01b6c062009d932d0b6d400b7389ad88e39b475
Instruction Fuzzy Hash: 5E014F32D1060F9BDF14DBA9D8005DEF7B6AFCA720F118626D61177150EB70259ACBA1

Function 00FF08F9 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b277c62cfd2216a71aa6fe8aaaf2e88257d96729cb66b442d5a10dbe7a1ea859
Instruction ID: b670d00e7fee53dd690514747d4eb6b90387efcbabc2b4e479d14588d444a1a7
Opcode Fuzzy Hash: b277c62cfd2216a71aa6fe8aaaf2e88257d96729cb66b442d5a10dbe7a1ea859
Instruction Fuzzy Hash: E7F0C832A141499BDF16C770C8666FF7FB2DF84300F1585AAD142A7292DEB4150A9782

Function 00FF46F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80b38520530fc8ffa42f69b2dfd2027013e053a6f2c872bf0d5d8ca249d382b
Instruction ID: 6de51013726c01a7e3fbd51a7285e135a41ae8ebd0be4f7153a9f50130a01483
Opcode Fuzzy Hash: c80b38520530fc8ffa42f69b2dfd2027013e053a6f2c872bf0d5d8ca249d382b
Instruction Fuzzy Hash: B3016D32E1171B9BCB04DBA5DC444DEF3B6EFC9710F154726D11177150EB70295A8791

Function 00FF2949 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca008ac57daaa05d8631d82e1b6097223d2ae1578086e98e61c025d04a283573
Instruction ID: 2c1b0d3f1f7d1e642f072ac882f3ace2a6c0953fc65a5ed463bfe7d94617c0a7
Opcode Fuzzy Hash: ca008ac57daaa05d8631d82e1b6097223d2ae1578086e98e61c025d04a283573
Instruction Fuzzy Hash: C8F0C872D1010D9BCF15DB74C856AEFBBB19F44300F14452ED442A7290EFB01A169BC2

Function 00FF2C40 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70d4a39dfb86c61de53be08b2f06ca999d99e3652172e0c7765121394036c507
Instruction ID: becff8591ed8b4cdd966a1fea71ef8fc0eadd67fcea44b98fc9cc272beb7dcde
Opcode Fuzzy Hash: 70d4a39dfb86c61de53be08b2f06ca999d99e3652172e0c7765121394036c507
Instruction Fuzzy Hash: 63F02232A00249DFDF02CBB0C461AFFBFB29F89710F01466AC002AB290DF701906DB82

Function 00FF4768 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4e854a6017e00a71c89b6683512252c6cc0b26fd698888e2cd28a7c0009083
Instruction ID: 5765b79bc696409293f88a08d43786f151fe70b9e20cbfd3aabce76ee21ca8a7
Opcode Fuzzy Hash: dd4e854a6017e00a71c89b6683512252c6cc0b26fd698888e2cd28a7c0009083
Instruction Fuzzy Hash: 46012832D103098FCF05DBA0C4956EFBBB1AF84710F10862EC002A7680EF746906DBC2

Function 00FF3A84 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5075f172647e00f6a9f2b91c71105a4cf82a4939585d9b45455268b719d0e9
Instruction ID: 5e4fd809a93ab40c02ff5d80d34162ccc965061da1033d80dd7b4ae778b0bc48
Opcode Fuzzy Hash: ca5075f172647e00f6a9f2b91c71105a4cf82a4939585d9b45455268b719d0e9
Instruction Fuzzy Hash: DFF0C232E001099BCF05CB71C855AFFBBB29F88300F01452AC402E7290DEB55A069681

Function 00F8D148 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614517884.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f8d000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 548d50894018af1507955087cb2a75f0ff620a5bcaba8c6e6ba061c68fdc523f
Instruction ID: 3c0ceaa743b31087056f9ce75649dd21f884e7e3eba005d052a7f54cb264c7dc
Opcode Fuzzy Hash: 548d50894018af1507955087cb2a75f0ff620a5bcaba8c6e6ba061c68fdc523f
Instruction Fuzzy Hash: B7F0CD31404344AEF7249A06CC88BA2FFA8EF80734F18C05AED084A2C2C279A844CBB1

Function 00FF312A Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2318957d242ed0e41f9393db0bda6064748b97cba1d02fba58be22cbc1965989
Instruction ID: a8e5fc223abf0c94402ec56a1c0d20719b5e34afaccbb30751022c846c297251
Opcode Fuzzy Hash: 2318957d242ed0e41f9393db0bda6064748b97cba1d02fba58be22cbc1965989
Instruction Fuzzy Hash: 96011D71E052499FDB15CFACD480A9CBBF1BF49320F158295E469EB3A1D730D981CB14

Function 00FF1A34 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2d8f92be5859e7af802e52789e1e2b6883e717ce97adae33b4a978b52a76b1
Instruction ID: ef9ec677314288c733dfd1934905a2c68cd1c739a53642676c94a2c438e33561
Opcode Fuzzy Hash: 2b2d8f92be5859e7af802e52789e1e2b6883e717ce97adae33b4a978b52a76b1
Instruction Fuzzy Hash: 45F0F632E10209CBDB45CB60C4546FEBBB1AF84310F10896ED002EB250EF755906E7C1

Function 00FF4398 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c5d88a03bbfdd157ac7d60cac4da75fd808b9363e5e99fc2c4b9735ac1de5b
Instruction ID: 452f7034e1c97bcc4afb1ed950e20aa95aee70d17a0fd0f1079a6c104b3b0f5c
Opcode Fuzzy Hash: 34c5d88a03bbfdd157ac7d60cac4da75fd808b9363e5e99fc2c4b9735ac1de5b
Instruction Fuzzy Hash: 38F0C232A10209CBDF55DB60C455AEFBBB6AF84310F10452AC502F7250EF755906ABD1

Function 00FF3281 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e7538db3b4b266d668a20adc47a26054c6a0d232b15e0fea774fbc7e77545d
Instruction ID: fac172f22aac8feabb867a1f5176b76a1537c5513521080a62829a0cccc1a926
Opcode Fuzzy Hash: e9e7538db3b4b266d668a20adc47a26054c6a0d232b15e0fea774fbc7e77545d
Instruction Fuzzy Hash: C1F0C271E10209CBDF04DF60C4666FEBBB2AF84310F05452AD502A7250EF715A0697C1

Function 00FF2C50 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a8596b4eed573ced37d3daa264c0dc8468648056d2998d9e04a591ddc27b64a
Instruction ID: c90f6dc933decd008e7e2839fae3eea0d29cd42aa84181997219073b17e8998f
Opcode Fuzzy Hash: 9a8596b4eed573ced37d3daa264c0dc8468648056d2998d9e04a591ddc27b64a
Instruction Fuzzy Hash: 30F0E932E1020D97DF05D760C455AFFBBB65F84710F004926C502BB250DF71590697C2

Function 00FF0908 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f0745933845d3330e47a7b15b3930b34ef445b8b6fe41419e06d3c1db6e1624
Instruction ID: 8b838a921114040e67fb245c14df035e87ecfea0e6102b58c950d58c96f05086
Opcode Fuzzy Hash: 7f0745933845d3330e47a7b15b3930b34ef445b8b6fe41419e06d3c1db6e1624
Instruction Fuzzy Hash: 4FF0E932E1010D97EF15D770C4656EFBBB69F84700F004526D102B7351EFB1590597D1

Function 00FF3A90 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d4373ea449a69562d9868df80aa5684efc0ac16a045af256b35d3e1d467a64
Instruction ID: 959c61738a91f75726db06ef3836ec05fd56585878f4a627862d25b46bcc0f14
Opcode Fuzzy Hash: d8d4373ea449a69562d9868df80aa5684efc0ac16a045af256b35d3e1d467a64
Instruction Fuzzy Hash: 5BF0E232E0010D97DF04DB71C415AFFBBF69F88300F01842AC513A7290DFB15A0696C1

Function 00FF13A1 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334334bc26b2fbcbd7f3a9030775859e56e12dd457a630417ad531d76b6df418
Instruction ID: 726ec6a23e242fbcdddee3d41448e917023894feccb16f144949ae5c4d4a26c4
Opcode Fuzzy Hash: 334334bc26b2fbcbd7f3a9030775859e56e12dd457a630417ad531d76b6df418
Instruction Fuzzy Hash: 56F0A570D0424A8FCB50DFB988821AEBFF0AE45210F2445AEC989A3611F27516619FC1

Function 00FF2B3D Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7829134c39e88165cb07afce0327b4d30a21789fcbbffd55c309add7e3eb229
Instruction ID: 9055af867686be859da3a19d1c93e1b883f9b95504030b77296ffdacb790c710
Opcode Fuzzy Hash: a7829134c39e88165cb07afce0327b4d30a21789fcbbffd55c309add7e3eb229
Instruction Fuzzy Hash: DDD02B36F047188FD7049FA998004ECFBA1EFC063071482A2C51497262C7748606DB97

Function 00FF3C62 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa14b5eca4f372c4aeeef5cca0467f4c7bc48285c9001cc7332637f4e65a4ed
Instruction ID: 91c1efebdf7761d4564069cf38c6643a3ad25abb4ddcb2153c4ae43ca82c7f65
Opcode Fuzzy Hash: dfa14b5eca4f372c4aeeef5cca0467f4c7bc48285c9001cc7332637f4e65a4ed
Instruction Fuzzy Hash: D8D05B31B043059FDB549BACA8145DCFFF0AEC513171481ABD559D7252D7318552C722

Function 00FF2B4E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8732d3306990b196b4d5c32ac3cfe489f0ed704eda864ca9466a003ac4079a23
Instruction ID: 0d221a0bd1ded9b6a492a3f4463977ec2e4032b748b6d016c157b583aaaf0ffc
Opcode Fuzzy Hash: 8732d3306990b196b4d5c32ac3cfe489f0ed704eda864ca9466a003ac4079a23
Instruction Fuzzy Hash: 31D02B31B043058FEB449FACA8000DCBBA0AAC423071441AAC119D3292C730C5048B22

Function 00FF0848 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3655a0a0c11159f444382b645bd68a7880f7d1a5089e50a078687142523685f8
Instruction ID: 5f7adfb72362a89528a570f9c9ba2c910cd9f442cd6b5eb53988e04d1d855aa5
Opcode Fuzzy Hash: 3655a0a0c11159f444382b645bd68a7880f7d1a5089e50a078687142523685f8
Instruction Fuzzy Hash: E0D01771D0524CAFEB01DFB4C90575D7BB8AB05280F204496E448C7211DA319E11D795

Function 00FF3188 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcafe7d19145de195857067c1c03804c65c4620ff8af651162ed25bebb686509
Instruction ID: 66e0eae8d34d0c5f0dfb19f2ae53e9b523041dec8f51adcfedddf765728f46cf
Opcode Fuzzy Hash: dcafe7d19145de195857067c1c03804c65c4620ff8af651162ed25bebb686509
Instruction Fuzzy Hash: E4D05E36F053098FDB089BA8E8141ECBBE0AB8423072581BBD11AC72A2D73085558722

Function 00FF317F Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4bbe085136b29a0ffbe7cebda13bb09843400f826f54247b7ff2ec079acdea
Instruction ID: 70eda51cfc77a6200c710ec8f0cd0a5e43e328916daea3dcdbbb9cd106cf6266
Opcode Fuzzy Hash: cd4bbe085136b29a0ffbe7cebda13bb09843400f826f54247b7ff2ec079acdea
Instruction Fuzzy Hash: DED05E32A152058FEB088BA8EC045ACBBA0EBC123172581BAD11ACB2A2D63085529714

Function 00FF13B0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef043d575c0f54f122b0501c9fa8b484036c79d8b33f2a125a1e09fb6ee5efe
Instruction ID: d34603598e0bf8e6320c2680d82cbf53de5d1ec13b64a889138c6ed9ac19a028
Opcode Fuzzy Hash: fef043d575c0f54f122b0501c9fa8b484036c79d8b33f2a125a1e09fb6ee5efe
Instruction Fuzzy Hash: 74E042B5D0530E9F8B40EFBA88421BEBFF5AF48200F6085AADA08E3311F67456519BD1

Function 00FF399E Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b50ce19a9ae694c5a4856666e02f3a899926d69298a9c70d8cc4716dfc64e2
Instruction ID: 5a839a3aa88c1c893deb3631d24787cef91ddb36d52991a41b26fdb4a7386dd7
Opcode Fuzzy Hash: a5b50ce19a9ae694c5a4856666e02f3a899926d69298a9c70d8cc4716dfc64e2
Instruction Fuzzy Hash: 00D0A732B052098FDB209BECA8001DCFBB0EAC513171482A3C559E7251D7718511C733

Function 00FF2116 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37866378d232dbc8a25f955a69413241ed8a54a91cc579e2e38377fcc7221247
Instruction ID: 22688f0e9d1b9dbbc71d454ec8d9b2430953364005e15d48ece1cda3e7e67dff
Opcode Fuzzy Hash: 37866378d232dbc8a25f955a69413241ed8a54a91cc579e2e38377fcc7221247
Instruction Fuzzy Hash: C0D0C936B0424A8FDB259BA898101ECBBE0AAC913175102A6C62AD76A1D7618A558762

Function 00FF210D Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2614786208.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea36f6b0535d921668db395a25d65379dee2b6eca6a17354f2dda29dc18b6a90
Instruction ID: 8077def3a806dab9db3aca1d276c0a9940045abe093af2f4801b43a1bba9ed25
Opcode Fuzzy Hash: ea36f6b0535d921668db395a25d65379dee2b6eca6a17354f2dda29dc18b6a90
Instruction Fuzzy Hash: 63D023327003058FDF04CFE49C001DC77B1EBC413175101F1C11597251C76049139721

Analysis Process: Y0uLilkjPz.exePID: 7900, Parent PID: 660COMMON

Executed Functions

Function 02600B12 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440030831.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2600000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f043a93d5cb260860c46c3fe62227684d4d4e5cd21f0715db5a8c49eb4892706
Instruction ID: 290899f60e11612be771583c8de48f3ae939105b185b8d4c356b150a70861832
Opcode Fuzzy Hash: f043a93d5cb260860c46c3fe62227684d4d4e5cd21f0715db5a8c49eb4892706
Instruction Fuzzy Hash: 38420674A002498FDB09DFA8D484A9DBBF2BF89314F1581A9E405EF3A9DB31AD45CF50

Function 02600988 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440030831.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2600000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611772e99d5f6c5a12da66281a32b8f6bd5e51bb44d247be0501ce372591c9d6
Instruction ID: f986f00b02a83c87a38063250484c8e8b11c80f0939cfab9be6af69bd7cd4635
Opcode Fuzzy Hash: 611772e99d5f6c5a12da66281a32b8f6bd5e51bb44d247be0501ce372591c9d6
Instruction Fuzzy Hash: 35212134910309DFDB01EFA8E88469D7BB1FB84708F0086A9D4089F369EB706A05CF91

Function 026007F0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440030831.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2600000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91b695870404b9eb0c619c212f1a585956ca0e4995e46d520a38d556f9e422b
Instruction ID: c99c654d590de595f4d4070d858a4a380dbe21900f68bc606bca71ce4778acd7
Opcode Fuzzy Hash: c91b695870404b9eb0c619c212f1a585956ca0e4995e46d520a38d556f9e422b
Instruction Fuzzy Hash: AEF017A180E3C49FE703CBB488246497F74AF07250B2A41CBD484CF2A3D6288D04D76A

Function 02600990 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440030831.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2600000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0f97629b517ab106d29248e6667e52967eacddc8613ab772a4b11eca1fd232
Instruction ID: 0446744df9b6abb6d6ebb1432d2c7c2984e4ee443db7c669c49ee87963684dee
Opcode Fuzzy Hash: 5d0f97629b517ab106d29248e6667e52967eacddc8613ab772a4b11eca1fd232
Instruction Fuzzy Hash: B5210034914319DFDB01EFA8E88469D7BF1FB84709F0086A9D4089F369EB706A05DF91

Function 02600877 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440030831.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2600000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c78e3aa8c1f9069ccbe9b897b8e2be74d5b75ecfe0efa1fd884c32144ea75a
Instruction ID: 7681677ddaa8ade55ca688f1a75ce686ecaeeee65aa4dbadaeba7cc0fdf3a06d
Opcode Fuzzy Hash: 14c78e3aa8c1f9069ccbe9b897b8e2be74d5b75ecfe0efa1fd884c32144ea75a
Instruction Fuzzy Hash: 6301DF32D1176A8BCB01DBB0CC400CDBB72FFC6320F160616D101BB060EBB0294AC7A1

Function 026008F9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440030831.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2600000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ef627dbdfa412243db7b10dfa26670ee04c06269586316d282847ba4aa4c16
Instruction ID: 5ff24b3b2dc9d311dc74ba53037e6be1caf4bf62f1974feb35b2d827a11046e7
Opcode Fuzzy Hash: 45ef627dbdfa412243db7b10dfa26670ee04c06269586316d282847ba4aa4c16
Instruction Fuzzy Hash: 63F0C232E202099BEB099BA0C8956EFBBB9DF85310F048566D012EB280DEB4190A97D1

Function 02600908 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440030831.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2600000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 294d7e3eb7330aef94b4834368ec74edd016b676abf5430c4ca5fd555d6500a7
Instruction ID: e4a55b60acea05a8f602a19dc98e27400c0e0766b9993adab592bf044528ce69
Opcode Fuzzy Hash: 294d7e3eb7330aef94b4834368ec74edd016b676abf5430c4ca5fd555d6500a7
Instruction Fuzzy Hash: E8F08932E2020997EF09D770C4556EFBBB69F84700F414525D513BB380DF71590697D1

Function 026013AB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440030831.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2600000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a86c500d9074b9ac25879c2e280f4f38364d28b1b00a4a9da489d7b32e563f54
Instruction ID: 7ffc18ebfdb4ab7ca55dc47ce98fdaa77b2010610d71cb80061f445b751791a8
Opcode Fuzzy Hash: a86c500d9074b9ac25879c2e280f4f38364d28b1b00a4a9da489d7b32e563f54
Instruction Fuzzy Hash: F4E0B6B4D0528A9ECF45DFB998811AEBFF1AF89210F5485AEC909E3201E6741251CFD1

Function 02600848 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440030831.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2600000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9ee717845f7c6436deb4482927cfc3b879f0eb658fb6d65ffd514d7d51403f
Instruction ID: d9691e2f690a9360381347aa406f6332786368c314c4a816a3eecfef29c84bd6
Opcode Fuzzy Hash: 3b9ee717845f7c6436deb4482927cfc3b879f0eb658fb6d65ffd514d7d51403f
Instruction Fuzzy Hash: 42D017B1905388AFEB01DFB4C84575D7BB8AB05240F20449AE448C7341DB31DE10D795

Function 026013B0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1440030831.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2600000_Y0uLilkjPz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef043d575c0f54f122b0501c9fa8b484036c79d8b33f2a125a1e09fb6ee5efe
Instruction ID: 3a5f1d8d9f3b78a2e3487a6463bc55f89790146ffcc52404821f66fec2c7c21a
Opcode Fuzzy Hash: fef043d575c0f54f122b0501c9fa8b484036c79d8b33f2a125a1e09fb6ee5efe
Instruction Fuzzy Hash: 5CE042B4D0534E9F8B48EFB998821AEBFF5AB49200F5085AA8908E3240F67456519FD1

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Y0uLilkjPz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: XenoRAT

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Y0uLilkjPz.exe.log

C:\Users\user\AppData\Local\Temp\tmp99AA.tmp

C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe

C:\Users\user\AppData\Roaming\XenoManager\Y0uLilkjPz.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
Y0uLilkjPz.exe