Edit tour

Windows Analysis Report
Server.exe

Overview

General Information

Sample name:	Server.exe
Analysis ID:	1477925
MD5:	5133a39682e9f9c6b6245193d0e71c8a
SHA1:	fe6e514468854217f86079d3e111815fb52de928
SHA256:	8b947486ed56599c2fbb60f77d60b3215e5f2dd5cda1fd94dafe5ca4825c217b
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Creates autostart registry keys with suspicious names

Drops PE files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Protects its processes via BreakOnTermination flag

Uses netsh to modify the Windows network and firewall settings

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

Server.exe (PID: 4204 cmdline: "C:\Users\user\Desktop\Server.exe" MD5: 5133A39682E9F9C6B6245193D0E71C8A)

server.exe (PID: 2828 cmdline: "C:\Users\user\AppData\Roaming\server.exe" MD5: 5133A39682E9F9C6B6245193D0E71C8A)

netsh.exe (PID: 5688 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

server.exe (PID: 5680 cmdline: "C:\Users\user\AppData\Roaming\server.exe" .. MD5: 5133A39682E9F9C6B6245193D0E71C8A)

server.exe (PID: 4072 cmdline: "C:\Users\user\AppData\Roaming\server.exe" .. MD5: 5133A39682E9F9C6B6245193D0E71C8A)

server.exe (PID: 4296 cmdline: "C:\Users\user\AppData\Roaming\server.exe" .. MD5: 5133A39682E9F9C6B6245193D0E71C8A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "127.0.0.1", "Port": "6652", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "server.exe", "Install Dir": "AppData"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Server.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Server.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7eee:$a3: Download ERROR 0x81e0:$a5: netsh firewall delete allowedprogram "
Server.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80d6:$a1: netsh firewall add allowedprogram 0x82d0:$b1: [TAP] 0x8276:$b2: & exit 0x8242:$c1: md.exe /k ping 0 & del
Server.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81e0:$s1: netsh firewall delete allowedprogram 0x80d6:$s2: netsh firewall add allowedprogram 0x8240:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7eca:$s4: Execute ERROR 0x7f2a:$s4: Execute ERROR 0x7eee:$s5: Download ERROR 0x8286:$s6: [kl]

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7eee:$a3: Download ERROR 0x81e0:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80d6:$a1: netsh firewall add allowedprogram 0x82d0:$b1: [TAP] 0x8276:$b2: & exit 0x8242:$c1: md.exe /k ping 0 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81e0:$s1: netsh firewall delete allowedprogram 0x80d6:$s2: netsh firewall add allowedprogram 0x8240:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7eca:$s4: Execute ERROR 0x7f2a:$s4: Execute ERROR 0x7eee:$s5: Download ERROR 0x8286:$s6: [kl]
C:\Users\user\AppData\Roaming\server.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\server.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7eee:$a3: Download ERROR 0x81e0:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Roaming\server.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80d6:$a1: netsh firewall add allowedprogram 0x82d0:$b1: [TAP] 0x8276:$b2: & exit 0x8242:$c1: md.exe /k ping 0 & del
C:\Users\user\AppData\Roaming\server.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81e0:$s1: netsh firewall delete allowedprogram 0x80d6:$s2: netsh firewall add allowedprogram 0x8240:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7eca:$s4: Execute ERROR 0x7f2a:$s4: Execute ERROR 0x7eee:$s5: Download ERROR 0x8286:$s6: [kl]
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2017217921.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.2017217921.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x62c1:$a1: get_Registry 0x7cee:$a3: Download ERROR 0x7fe0:$a5: netsh firewall delete allowedprogram "
00000000.00000000.2017217921.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x7ed6:$a1: netsh firewall add allowedprogram 0x80d0:$b1: [TAP] 0x8076:$b2: & exit 0x8042:$c1: md.exe /k ping 0 & del
00000002.00000002.4476615014.00000000026C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Server.exe PID: 4204	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: server.exe PID: 2828	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Server.exe.fd0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.Server.exe.fd0000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7eee:$a3: Download ERROR 0x81e0:$a5: netsh firewall delete allowedprogram "
0.0.Server.exe.fd0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80d6:$a1: netsh firewall add allowedprogram 0x82d0:$b1: [TAP] 0x8276:$b2: & exit 0x8242:$c1: md.exe /k ping 0 & del
0.0.Server.exe.fd0000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81e0:$s1: netsh firewall delete allowedprogram 0x80d6:$s2: netsh firewall add allowedprogram 0x8240:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7eca:$s4: Execute ERROR 0x7f2a:$s4: Execute ERROR 0x7eee:$s5: Download ERROR 0x8286:$s6: [kl]

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Roaming\server.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\server.exe, ProcessId: 2828, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\73e4ea7af59bea49b79c8c5f799f272d

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\server.exe, ProcessId: 2828, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Roaming\server.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\server.exe, ProcessId: 2828, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\73e4ea7af59bea49b79c8c5f799f272d

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Server.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Roaming\server.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen

Found malware configuration

Source: 00000000.00000000.2017217921.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp

Malware Configuration Extractor: Njrat {"Host": "127.0.0.1", "Port": "6652", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "server.exe", "Install Dir": "AppData"}

Multi AV Scanner detection for domain / URL

Source: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe	ReversingLabs: Detection: 94%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe	Virustotal: Detection: 83%	Perma Link
Source: C:\Users\user\AppData\Roaming\server.exe	ReversingLabs: Detection: 94%
Source: C:\Users\user\AppData\Roaming\server.exe	Virustotal: Detection: 83%	Perma Link

Multi AV Scanner detection for submitted file

Source: Server.exe	ReversingLabs: Detection: 94%
Source: Server.exe	Virustotal: Detection: 83%			Perma Link

Yara detected Njrat

Source: Yara match	File source: Server.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Server.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2017217921.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4476615014.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Server.exe PID: 4204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 2828, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\server.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Server.exe

Joe Sandbox ML: detected

Source: Server.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Server.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: Server.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Server.exe, 00000000.00000000.2017217921.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: Server.exe, 00000000.00000000.2017217921.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: Server.exe, 00000000.00000002.2085744740.0000000003631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: Server.exe, 00000000.00000002.2085744740.0000000003631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: server.exe, 00000002.00000002.4476615014.00000000026C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: server.exe, 00000002.00000002.4476615014.00000000026C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Server.exe	Binary or memory string: autorun.inf
Source: Server.exe	Binary or memory string: [autorun]
Source: 73e4ea7af59bea49b79c8c5f799f272d.exe.2.dr	Binary or memory string: autorun.inf
Source: 73e4ea7af59bea49b79c8c5f799f272d.exe.2.dr	Binary or memory string: [autorun]
Source: server.exe.0.dr	Binary or memory string: autorun.inf
Source: server.exe.0.dr	Binary or memory string: [autorun]

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 127.0.0.1

Source: server.exe, 00000002.00000002.4475784599.000000000078D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: server.exe, 00000002.00000002.4475784599.000000000078D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.LinkId=42127
Source: Server.exe, 73e4ea7af59bea49b79c8c5f799f272d.exe.2.dr, server.exe.0.dr	String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: Server.exe, kl.cs	.Net Code: VKCodeToUnicode
Source: server.exe.0.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 73e4ea7af59bea49b79c8c5f799f272d.exe.2.dr, kl.cs	.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: Server.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Server.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2017217921.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4476615014.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Server.exe PID: 4204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 2828, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPED

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Roaming\server.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: Server.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: Server.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: Server.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.Server.exe.fd0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.Server.exe.fd0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.Server.exe.fd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.2017217921.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.2017217921.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen

Source: C:\Users\user\AppData\Roaming\server.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Roaming\server.exe	Code function: 2_2_0083BEEE NtQuerySystemInformation,	2_2_0083BEEE
Source: C:\Users\user\AppData\Roaming\server.exe	Code function: 2_2_0083BC1E NtSetInformationProcess,	2_2_0083BC1E
Source: C:\Users\user\AppData\Roaming\server.exe	Code function: 2_2_0083BEB3 NtQuerySystemInformation,	2_2_0083BEB3
Source: C:\Users\user\AppData\Roaming\server.exe	Code function: 2_2_0083BBFC NtSetInformationProcess,	2_2_0083BBFC

Source: Server.exe, 00000000.00000002.2084872092.00000000014EE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs Server.exe

Source: Server.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Server.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: Server.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: Server.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.Server.exe.fd0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.Server.exe.fd0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.Server.exe.fd0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.2017217921.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.2017217921.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@9/6@0/1

Source: C:\Users\user\AppData\Roaming\server.exe	Code function: 2_2_0083B82A AdjustTokenPrivileges,		2_2_0083B82A
Source: C:\Users\user\AppData\Roaming\server.exe	Code function: 2_2_0083B7F3 AdjustTokenPrivileges,		2_2_0083B7F3

Source: C:\Users\user\Desktop\Server.exe

File created: C:\Users\user\AppData\Roaming\server.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\server.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\73e4ea7af59bea49b79c8c5f799f272d
Source: C:\Users\user\AppData\Roaming\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_03

Source: Server.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Server.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Server.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Server.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Server.exe	ReversingLabs: Detection: 94%
Source: Server.exe	Virustotal: Detection: 83%

Source: C:\Users\user\Desktop\Server.exe

File read: C:\Users\user\Desktop\Server.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Server.exe "C:\Users\user\Desktop\Server.exe"
Source: C:\Users\user\Desktop\Server.exe	Process created: C:\Users\user\AppData\Roaming\server.exe "C:\Users\user\AppData\Roaming\server.exe"
Source: C:\Users\user\AppData\Roaming\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\server.exe "C:\Users\user\AppData\Roaming\server.exe" ..
Source: unknown	Process created: C:\Users\user\AppData\Roaming\server.exe "C:\Users\user\AppData\Roaming\server.exe" ..
Source: unknown	Process created: C:\Users\user\AppData\Roaming\server.exe "C:\Users\user\AppData\Roaming\server.exe" ..
Source: C:\Users\user\Desktop\Server.exe	Process created: C:\Users\user\AppData\Roaming\server.exe "C:\Users\user\AppData\Roaming\server.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE	Jump to behavior

Source: C:\Users\user\Desktop\Server.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\server.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: Server.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\Server.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: Server.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Server.exe, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: server.exe.0.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 73e4ea7af59bea49b79c8c5f799f272d.exe.2.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Server.exe	File created: C:\Users\user\AppData\Roaming\server.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe			Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\AppData\Roaming\server.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 73e4ea7af59bea49b79c8c5f799f272d

Jump to behavior

Drops PE files to the startup folder

Source: C:\Users\user\AppData\Roaming\server.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\server.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\AppData\Roaming\server.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 73e4ea7af59bea49b79c8c5f799f272d	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 73e4ea7af59bea49b79c8c5f799f272d	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 73e4ea7af59bea49b79c8c5f799f272d	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 73e4ea7af59bea49b79c8c5f799f272d	Jump to behavior

Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Server.exe	Memory allocated: 1970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Memory allocated: 3630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Server.exe	Memory allocated: 5630000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Memory allocated: 890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Memory allocated: 26C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Memory allocated: 46C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Memory allocated: D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Memory allocated: 2A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Memory allocated: D80000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Memory allocated: 1120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Memory allocated: 4FB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Memory allocated: B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Memory allocated: 2790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Memory allocated: 4790000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Server.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\server.exe	Window / User API: threadDelayed 356	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Window / User API: threadDelayed 3334	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Window / User API: threadDelayed 4671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Window / User API: foregroundWindowGot 437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Window / User API: foregroundWindowGot 1264	Jump to behavior

Source: C:\Users\user\Desktop\Server.exe TID: 3784	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe TID: 3288	Thread sleep time: -356000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe TID: 3288	Thread sleep time: -4671000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe TID: 1848	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe TID: 5684	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe TID: 5228	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Server.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\server.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: server.exe, 00000002.00000002.4475784599.000000000078D000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000003.2150879472.0000000000F01000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\server.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\server.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Server.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Server.exe, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: Server.exe, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: Server.exe, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: C:\Users\user\Desktop\Server.exe

Process created: C:\Users\user\AppData\Roaming\server.exe "C:\Users\user\AppData\Roaming\server.exe"

Jump to behavior

Source: server.exe, 00000002.00000002.4476615014.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4476615014.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4476615014.00000000029D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: server.exe, 00000002.00000002.4476615014.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4476615014.00000000029D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.
Source: server.exe, 00000002.00000002.4475784599.000000000070E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerTI
Source: server.exe, 00000002.00000002.4476615014.00000000026C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program manager
Source: server.exe, 00000002.00000002.4476615014.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4476615014.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4476615014.00000000029D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9

Source: C:\Windows\SysWOW64\netsh.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Users\user\AppData\Roaming\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Roaming\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: Server.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Server.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2017217921.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4476615014.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Server.exe PID: 4204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 2828, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPED

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: Server.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Server.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2017217921.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4476615014.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Server.exe PID: 4204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 2828, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	221 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Masquerading	1 Input Capture	11 Security Software Discovery	Remote Services	1 Input Capture	1 Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Process Injection	21 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	221 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Process Injection	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Server.exe	95%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
Server.exe	83%	Virustotal		Browse
Server.exe	100%	Avira	TR/ATRAPS.Gen
Server.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Roaming\server.exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\server.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe	95%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe	83%	Virustotal		Browse
C:\Users\user\AppData\Roaming\server.exe	95%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\server.exe	83%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://go.microsoft.	0%	Virustotal		Browse
127.0.0.1	0%	Avira URL Cloud	safe
http://go.microsoft.LinkId=42127	0%	Avira URL Cloud	safe
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0	0%	Avira URL Cloud	safe
127.0.0.1	0%	Virustotal		Browse
http://go.microsoft.	0%	Avira URL Cloud	safe
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0	8%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
127.0.0.1	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.microsoft.	server.exe, 00000002.00000002.4475784599.000000000078D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0	Server.exe, 73e4ea7af59bea49b79c8c5f799f272d.exe.2.dr, server.exe.0.dr	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://go.microsoft.LinkId=42127	server.exe, 00000002.00000002.4475784599.000000000078D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1477925
Start date and time:	2024-07-22 06:42:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Server.exe
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@9/6@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 146 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:43:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 73e4ea7af59bea49b79c8c5f799f272d "C:\Users\user\AppData\Roaming\server.exe" ..
00:43:22	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 73e4ea7af59bea49b79c8c5f799f272d "C:\Users\user\AppData\Roaming\server.exe" ..
00:43:30	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 73e4ea7af59bea49b79c8c5f799f272d "C:\Users\user\AppData\Roaming\server.exe" ..
00:43:38	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe
00:43:46	API Interceptor	428418x Sleep call for process: server.exe modified

Process:	C:\Users\user\Desktop\Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe

Download File

Process:	C:\Users\user\AppData\Roaming\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	5.5728706859593
Encrypted:	false
SSDEEP:	384:WkZTUiSmL1G5k2gyk/4sP9S/ksVW0erAF+rMRTyN/0L+EcoinblneHQM3epzXnNP:BZX32bk/4sYssVWbrM+rMRa8Nuprt
MD5:	5133A39682E9F9C6B6245193D0E71C8A
SHA1:	FE6E514468854217F86079D3E111815FB52DE928
SHA-256:	8B947486ED56599C2FBB60F77D60B3215E5F2DD5CDA1FD94DAFE5CA4825C217B
SHA-512:	CD8F7320738C9098429E17997643EFF7920568E2FE0F6AF8F64A087A8BAA8311DC977C565CFDFF164B30BB31E952F2CED65E7E0CEDE562AF9805B9EE6A9B14E5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95% Antivirus: Virustotal, Detection: 83%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f................................. ........@.. ....................................@.................................`...K.......@............................................................................ ............... ..H............text........ ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......*..(.......s.........s.........s.........s...........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe:Zone.Identifier

Download File

Process:	C:\Users\user\AppData\Roaming\server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\server.exe

Download File

Process:	C:\Users\user\Desktop\Server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	5.5728706859593
Encrypted:	false
SSDEEP:	384:WkZTUiSmL1G5k2gyk/4sP9S/ksVW0erAF+rMRTyN/0L+EcoinblneHQM3epzXnNP:BZX32bk/4sYssVWbrM+rMRa8Nuprt
MD5:	5133A39682E9F9C6B6245193D0E71C8A
SHA1:	FE6E514468854217F86079D3E111815FB52DE928
SHA-256:	8B947486ED56599C2FBB60F77D60B3215E5F2DD5CDA1FD94DAFE5CA4825C217B
SHA-512:	CD8F7320738C9098429E17997643EFF7920568E2FE0F6AF8F64A087A8BAA8311DC977C565CFDFF164B30BB31E952F2CED65E7E0CEDE562AF9805B9EE6A9B14E5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\server.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\server.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\server.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\server.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95% Antivirus: Virustotal, Detection: 83%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f................................. ........@.. ....................................@.................................`...K.......@............................................................................ ............... ..H............text........ ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......*..(.......s.........s.........s.........s...........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\server.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.5728706859593
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Server.exe
File size:	37'888 bytes
MD5:	5133a39682e9f9c6b6245193d0e71c8a
SHA1:	fe6e514468854217f86079d3e111815fb52de928
SHA256:	8b947486ed56599c2fbb60f77d60b3215e5f2dd5cda1fd94dafe5ca4825c217b
SHA512:	cd8f7320738c9098429e17997643eff7920568e2fe0f6af8f64a087a8baa8311dc977c565cfdff164b30bb31e952f2ced65e7e0cede562af9805b9ee6a9b14e5
SSDEEP:	384:WkZTUiSmL1G5k2gyk/4sP9S/ksVW0erAF+rMRTyN/0L+EcoinblneHQM3epzXnNP:BZX32bk/4sYssVWbrM+rMRa8Nuprt
TLSH:	C5032A4D7FE18178C5FD067B09B2D41207BAE04B6E23D90E8EE564EA37636C18B54AF1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40abae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x669CE50A [Sun Jul 21 10:38:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xab60	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x240	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8bb4	0x8c00	852cd61c68d19db94551bae5d6a6a91f	False	0.46353236607142856	data	5.6043219115970215	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x240	0x400	f7ce2f7b506ce16c06c85a549ef2cd98	False	0.3134765625	data	4.968771659524424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	14e8c9d445c6e20e65bc602fcc627817	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xc058	0x1e7	XML 1.0 document, ASCII text, with CRLF line terminators			0.5338809034907598

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	00:43:00
Start date:	22/07/2024
Path:	C:\Users\user\Desktop\Server.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Server.exe"
Imagebase:	0xfd0000
File size:	37'888 bytes
MD5 hash:	5133A39682E9F9C6B6245193D0E71C8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.2017217921.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.2017217921.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.2017217921.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:43:07
Start date:	22/07/2024
Path:	C:\Users\user\AppData\Roaming\server.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\server.exe"
Imagebase:	0x70000
File size:	37'888 bytes
MD5 hash:	5133A39682E9F9C6B6245193D0E71C8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.4476615014.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\server.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\server.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\server.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\server.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 95%, ReversingLabs Detection: 83%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	00:43:13
Start date:	22/07/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE
Imagebase:	0x1080000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:43:13
Start date:	22/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:43:21
Start date:	22/07/2024
Path:	C:\Users\user\AppData\Roaming\server.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\server.exe" ..
Imagebase:	0x3a0000
File size:	37'888 bytes
MD5 hash:	5133A39682E9F9C6B6245193D0E71C8A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:43:30
Start date:	22/07/2024
Path:	C:\Users\user\AppData\Roaming\server.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\server.exe" ..
Imagebase:	0x9d0000
File size:	37'888 bytes
MD5 hash:	5133A39682E9F9C6B6245193D0E71C8A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:43:38
Start date:	22/07/2024
Path:	C:\Users\user\AppData\Roaming\server.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\server.exe" ..
Imagebase:	0x160000
File size:	37'888 bytes
MD5 hash:	5133A39682E9F9C6B6245193D0E71C8A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 018DA612 Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 018DA6B9

Memory Dump Source

Source File: 00000000.00000002.2085239933.00000000018DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DA000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 68ce36109e9cc830393c4e3c6762719eebfe6ec6168a4aaefe5c5429dec67435
Instruction ID: eacc89f73107d9873286d58c04a9463fc4068799122a18ec4eee9bf416d256ab
Opcode Fuzzy Hash: 68ce36109e9cc830393c4e3c6762719eebfe6ec6168a4aaefe5c5429dec67435
Instruction Fuzzy Hash: 8B3181755093806FE712CB65DC85B96BFF8EF06314F08849AE984CB293D365E909C762

Function 018DA361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,9FCCB87E,00000000,00000000,00000000,00000000), ref: 018DA40C

Memory Dump Source

Source File: 00000000.00000002.2085239933.00000000018DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 32e8908c06f2da50795464e0db07168095897dbf7ecbc9eed17459ddcdcc4182
Instruction ID: 98135ac603bbc1d018288f278e51c0488c76ee8e95c9fb8c9db7cae59dac1a03
Opcode Fuzzy Hash: 32e8908c06f2da50795464e0db07168095897dbf7ecbc9eed17459ddcdcc4182
Instruction Fuzzy Hash: B8317C75504780AFE722CB15CC84BA6BBF8EF06710F08859AE985CB292D364E909CB61

Function 018DA462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,9FCCB87E,00000000,00000000,00000000,00000000), ref: 018DA4F8

Memory Dump Source

Source File: 00000000.00000002.2085239933.00000000018DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DA000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 307385e41ad8ee6008c898ac28eab9db3c4dc76488883c915f2cf30726726553
Instruction ID: 487148158fc5d9e969f554e10ead446b794b35caa48e5c3eea60fa094eec22ac
Opcode Fuzzy Hash: 307385e41ad8ee6008c898ac28eab9db3c4dc76488883c915f2cf30726726553
Instruction Fuzzy Hash: C021B0721043806FE7228F55DC44FA7BFBCEF46210F08849AE985CB652C364E908C771

Function 018DAA07 Relevance: 1.6, APIs: 1, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 018DAA86

Memory Dump Source

Source File: 00000000.00000002.2085239933.00000000018DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DA000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: b7138d07b0dd0dbe03acf825d72f772c6c097f0684fc9e9b2e8d663543d76f00
Instruction ID: 923cbab6cf7352c45621cb085fe6dae75d432a4f2549107ce0feed1c0aee2f61
Opcode Fuzzy Hash: b7138d07b0dd0dbe03acf825d72f772c6c097f0684fc9e9b2e8d663543d76f00
Instruction Fuzzy Hash: 5F2171B65093809FD711CB25DD45B52BFF8EF06314F0984AAE985DB163D224D909CB61

Function 018DA646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 018DA6B9

Memory Dump Source

Source File: 00000000.00000002.2085239933.00000000018DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DA000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 3deed158847d38067438bfdc64f1684db117e9c00bcd75bdbb644c762f09c709
Instruction ID: 74214704855bf59300f423cae8ca496885a9345a97d5fe7552c2ab1d7f97c52c
Opcode Fuzzy Hash: 3deed158847d38067438bfdc64f1684db117e9c00bcd75bdbb644c762f09c709
Instruction Fuzzy Hash: 7C21B0716002049FE710DB65DC85BA6FBE8EF14314F188469E945CB642D375E908CA71

Function 018DA392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,9FCCB87E,00000000,00000000,00000000,00000000), ref: 018DA40C

Memory Dump Source

Source File: 00000000.00000002.2085239933.00000000018DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5d3c06653a9caab62759be7600ce39e9fd21822bef01dcd9c3c2937a6460d236
Instruction ID: 3f0815c750767462dc65f38b7ffee7c09c51d204b38dc9454167450edba03790
Opcode Fuzzy Hash: 5d3c06653a9caab62759be7600ce39e9fd21822bef01dcd9c3c2937a6460d236
Instruction Fuzzy Hash: 5A219D76200304AEE720CE15CC84FA6BBECEF14714F18855AE945CB651D764EA08CA71

Function 018DA486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,9FCCB87E,00000000,00000000,00000000,00000000), ref: 018DA4F8

Memory Dump Source

Source File: 00000000.00000002.2085239933.00000000018DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DA000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 68192397ea0ae79893ce3d565cad008d79578de4ae840024cae250103c32c8a1
Instruction ID: 956e77810df65f33db965bb9c1ef9e3c6a14fdc97468cbb03f30486d055cdd55
Opcode Fuzzy Hash: 68192397ea0ae79893ce3d565cad008d79578de4ae840024cae250103c32c8a1
Instruction Fuzzy Hash: 0811EE72100304AFEB218E55DC84FA7BBECEF14314F18845AED45CB642D365E9088AB2

Function 018DA2D2 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 018DA330

Memory Dump Source

Source File: 00000000.00000002.2085239933.00000000018DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d09df068f9219da51693533cdcf5e8b381b6487430a67602273e9d4935500198
Instruction ID: 7db833af641b570cad67b43e317b08f462d2f89dd0fc75344260c620b94c96fb
Opcode Fuzzy Hash: d09df068f9219da51693533cdcf5e8b381b6487430a67602273e9d4935500198
Instruction Fuzzy Hash: 5F21297140E3C09FDB138B259C55A52BFB49F47224F0984DBED848F2A3C269A908DB62

Function 018DAC24 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 018DAC80

Memory Dump Source

Source File: 00000000.00000002.2085239933.00000000018DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DA000, based on PE: false

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 47c8036120b2f36af0ed4d38676a449845caac67dab72ff110348ce5eed6efc4
Instruction ID: a61be7850c692f1b51adfd90bd52f2caf61a2c5699e5b53a12a51012328a7ca4
Opcode Fuzzy Hash: 47c8036120b2f36af0ed4d38676a449845caac67dab72ff110348ce5eed6efc4
Instruction Fuzzy Hash: 381160715093809FD712CB29DC95B52BFB8DF46220F0884EAED45CB252D265E908CB62

Function 018DA8A4 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 018DA903

Memory Dump Source

Source File: 00000000.00000002.2085239933.00000000018DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DA000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0feb246e203596b01d80bfd9d1abf7683cd92cf6b2feeb576aef9117d1067593
Instruction ID: c109dd22288b3b6efed0ce102d527a8a37cacf641f299e6cc56dde42d979dd6f
Opcode Fuzzy Hash: 0feb246e203596b01d80bfd9d1abf7683cd92cf6b2feeb576aef9117d1067593
Instruction Fuzzy Hash: 0D1190755083849FDB11CF25DC85B56BFE8EF06220F0984AAED85CB252D278E948CB62

Function 018DAA3E Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 018DAA86

Memory Dump Source

Source File: 00000000.00000002.2085239933.00000000018DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DA000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 9a7d26d18d5883f97010c277c92936ed8753cef346306c7225f8134effb3a01e
Instruction ID: a77fe6a584fdee3318ed97f3b75f451af7ccf7a532fc1c54e8751e34ea6bcc21
Opcode Fuzzy Hash: 9a7d26d18d5883f97010c277c92936ed8753cef346306c7225f8134effb3a01e
Instruction Fuzzy Hash: F211CE726003048FEB10CF29D980B52FBE8EF05320F18C56AED49CB242D335E908CA62

Function 018DA8C6 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 018DA903

Memory Dump Source

Source File: 00000000.00000002.2085239933.00000000018DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DA000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 668a2b409f516ff8ee6a3cb471e00c573a95fd4e7b094c459c4cf0ee1bdd7b9f
Instruction ID: 2b3d846538b1c1b640c3a3f2ac86854091735e4b209e7ba9cf6002e8e0c060dc
Opcode Fuzzy Hash: 668a2b409f516ff8ee6a3cb471e00c573a95fd4e7b094c459c4cf0ee1bdd7b9f
Instruction Fuzzy Hash: 020192766003049FDB10CF29D885766FBE8EF05324F18C4AADD45CB746D779E948CA62

Function 018DAC46 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 018DAC80

Memory Dump Source

Source File: 00000000.00000002.2085239933.00000000018DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DA000, based on PE: false

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 07eb7dad871e3213a215dd1ce7f1b9b1adb8cf285b4712f5ae4a993b56064359
Instruction ID: 2d41c76963d22dee08f14b2af6fb8511da037e76e0c5f875656cf3715e776bf7
Opcode Fuzzy Hash: 07eb7dad871e3213a215dd1ce7f1b9b1adb8cf285b4712f5ae4a993b56064359
Instruction Fuzzy Hash: 3F018C71A042048FDB10CF69D885766BBE8EF05324F18C4AAED49CB656D379E908CAA1

Function 018DA2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 018DA330

Memory Dump Source

Source File: 00000000.00000002.2085239933.00000000018DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3b63e99f8ec51a978bd879fbcd77464d17c49ca48bff9d36754d03c0cadb77c5
Instruction ID: 87b97cde29812a389e877e91b9187f7547db3c521ea53074c56fee7bb31fef1b
Opcode Fuzzy Hash: 3b63e99f8ec51a978bd879fbcd77464d17c49ca48bff9d36754d03c0cadb77c5
Instruction Fuzzy Hash: A0F0FF35804344CFDB148F09D884761FBE4EF05324F08C49ADD488B352D3BAE908CAA2

Function 01B80938 Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085594507.0000000001B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a646f7c1674482e117ee6389bf3c5d493f745f7b38184c4a554778b27ed7614
Instruction ID: 6ed3f672021076d9895fbdde8c5cc3c5f542c45ddc0cfeb2608f0277a69a8a34
Opcode Fuzzy Hash: 3a646f7c1674482e117ee6389bf3c5d493f745f7b38184c4a554778b27ed7614
Instruction Fuzzy Hash: AF026D317002519FCB18EB78D461AAE77E2EF89309B1044BDE406DB3A5EF399C46CB91

Function 01B80310 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085594507.0000000001B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38531e7f9da932059bac9c8a1f9e17c59119956ffb0d5e2bc476a9f97a19b3bd
Instruction ID: 689547b68d9185d97d0f6e41b305d17844b81ba6751f0f46740530efadb13d11
Opcode Fuzzy Hash: 38531e7f9da932059bac9c8a1f9e17c59119956ffb0d5e2bc476a9f97a19b3bd
Instruction Fuzzy Hash: B75104317002018BD718AB3994546BE77E7EBD6344B1444A9E501DF3A4EF3DCE4ACBA2

Function 01B803BD Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085594507.0000000001B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74faefd5cb1b18660507abe60f41b2d33e8c789c666a5ef136860520c0e273f
Instruction ID: a2ad0e14d83880aee7ad7d396e9efcde4cc4d92b9c6ee6f6446457b58ef2ab38
Opcode Fuzzy Hash: c74faefd5cb1b18660507abe60f41b2d33e8c789c666a5ef136860520c0e273f
Instruction Fuzzy Hash: 4A41E5317102124BDB18B77990246BD36D7AFD6288B08446DE542DF7A4EF3DCE0A87A3

Function 01B80080 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085594507.0000000001B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c25d5d21c5a59f3de1ed92d4ee52852be210104753facb70e687e9787a196b
Instruction ID: 2ba309d391fb2d7abcd1d8331ff703b99883b487b7b7a02fcd2fd83e58e80468
Opcode Fuzzy Hash: f2c25d5d21c5a59f3de1ed92d4ee52852be210104753facb70e687e9787a196b
Instruction Fuzzy Hash: 5B511C302256C28BC714DB38E5949C977E2FBA120A740956DE4848B66DFB3C9D4ECFC2

Function 01BD05DF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085679041.0000000001BD0000.00000040.00000020.00020000.00000000.sdmp, Offset: 01BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de7a56f86293829ef3da52057e0f53af3a88be5d6844532a9661e921792be0c
Instruction ID: 4d0ef226313f2188259cd8c734ecf8756d960534335f783d97366804070181bd
Opcode Fuzzy Hash: 7de7a56f86293829ef3da52057e0f53af3a88be5d6844532a9661e921792be0c
Instruction Fuzzy Hash: 2601D6764093805FC3118B56EC41893BFECDF8623070984ABEC498B712D229E909CB72

Function 01B80006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085594507.0000000001B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369f9cf6066ab1301551667b4826037ca54269f3751b580aa973e12373e30536
Instruction ID: c2f2f54243905b5dcf85c424147b1ab322b14e6f0be9dfb762229eb2bd2f2637
Opcode Fuzzy Hash: 369f9cf6066ab1301551667b4826037ca54269f3751b580aa973e12373e30536
Instruction Fuzzy Hash: A90144A244E3C19FC343472048285907F71AE57221B5E01CBD8D1CB2A7E61E5C19E726

Function 01B8088A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085594507.0000000001B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321c369f9b4cd506a7b1cb2c7cb66956d3351331eedb2df0307626b584ea4d8b
Instruction ID: 1adb38641bdd40d49247e68eb69e17e6ea3c79f00552a9d9450654ca081f9d43
Opcode Fuzzy Hash: 321c369f9b4cd506a7b1cb2c7cb66956d3351331eedb2df0307626b584ea4d8b
Instruction Fuzzy Hash: E2016970A04242DFC700EB24D05849DB7E2EBA4319F10892DE485CB758FB358E088B83

Function 01BD0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085679041.0000000001BD0000.00000040.00000020.00020000.00000000.sdmp, Offset: 01BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0f8c03b31faee76432a0428124926a59d6770920b400e8545a7179012de780
Instruction ID: a78625c0e68fa63339c20340fd38ff6fcfb6d7431c0dc28accdc3d1faaf7d5c7
Opcode Fuzzy Hash: 6d0f8c03b31faee76432a0428124926a59d6770920b400e8545a7179012de780
Instruction Fuzzy Hash: FDE06DB66006048BD750CF0AEC41452F7D8EB84630708C47BDC0D8BB01D239B5088AA5

Function 018D23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085224568.00000000018D2000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4126f849d64aaa8855bff726a13850ee898a76cbb065bf8dfd143e98b2f88552
Instruction ID: 8f43d080bb778f855b0baebc5c8ccdff171320a0a38472318db07ef9f2e6a233
Opcode Fuzzy Hash: 4126f849d64aaa8855bff726a13850ee898a76cbb065bf8dfd143e98b2f88552
Instruction Fuzzy Hash: 7CD05E792057C14FE317DA1CC1A4F953BE6BB61718F4A44F9AC00CB763C768D681D600

Function 018D23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085224568.00000000018D2000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f16121c21490f398158c77665112bb5ff8be933f4a2c2ac561dfa90b9cf32867
Instruction ID: 6e4d54d274dc9572a4bf535234ee6705abd166d6b8988e30b0837dc5188d2e2d
Opcode Fuzzy Hash: f16121c21490f398158c77665112bb5ff8be933f4a2c2ac561dfa90b9cf32867
Instruction Fuzzy Hash: D5D05E342002814FD729DA0CC6D4F593BD5AF90B14F0645E8AC10CB772CBA4D9D0CA00

Analysis Process: server.exePID: 2828, Parent PID: 4204COMMON

Executed Functions

Function 0083B7F3 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0083B873

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 30269951c45342e3f6a4167b375766361b9fa98c06fe05efc4c91959635a679e
Instruction ID: 198a7f83421ddbe78a9bdea9837b6e4576f0450a7cd0bb55c7f88373ce5a8412
Opcode Fuzzy Hash: 30269951c45342e3f6a4167b375766361b9fa98c06fe05efc4c91959635a679e
Instruction Fuzzy Hash: 272180755097849FDB128F25DC44B52BFB8EF46310F0884AAE985CB563D375E908CBA2

Function 0083BEB3 Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 0083BF29

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 95b2d34826777232d6e2c6e36daab6b7fef9857db72469a81401edebbe976550
Instruction ID: d1f85b9bc1deac511a2defc499271af9ef7466e93ac7cb32f204131081ff71f1
Opcode Fuzzy Hash: 95b2d34826777232d6e2c6e36daab6b7fef9857db72469a81401edebbe976550
Instruction Fuzzy Hash: 8221C0B14097C09FDB238B20DC45A52FFB4EF17314F0984DBE9848B1A3D265A909CB62

Function 0083B82A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0083B873

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: ae05d161084e82cb4a14b4989678d1c1a971948cc94904dbe964d96cfaa7fa6e
Instruction ID: 5d01c58a818724e41eda13279cbe3129659d30b0125312cd5189dd8d8f869771
Opcode Fuzzy Hash: ae05d161084e82cb4a14b4989678d1c1a971948cc94904dbe964d96cfaa7fa6e
Instruction Fuzzy Hash: 94114C719006049FDB20CF55D884B66BBE8EF54324F0884AAEE45CB661D375E818DBA1

Function 0083BBFC Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL(?,?,?,?), ref: 0083BC59

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 07818a41c9e6e2bc8ac6508fa08de3d064edecdb04e590c6073f1921d77960c3
Instruction ID: 4a2a516c7a2888bd1b0c4d8f2bdde5bfb8c4f4d1676d9c1103c82c81a3bf8c90
Opcode Fuzzy Hash: 07818a41c9e6e2bc8ac6508fa08de3d064edecdb04e590c6073f1921d77960c3
Instruction Fuzzy Hash: 2C11A3714087809FCB228F15DC45A52FFB4EF46310F08C49AED854B562C275A818CB62

Function 0083BC1E Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL(?,?,?,?), ref: 0083BC59

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 8e3385d361351f18b7b4e6b259fcad1ed1f801f8856627afbc3a482875190ef4
Instruction ID: 2bc224e83e641a068fc6587759f65e8561038db21bf95a0ad98099e8fe52509f
Opcode Fuzzy Hash: 8e3385d361351f18b7b4e6b259fcad1ed1f801f8856627afbc3a482875190ef4
Instruction Fuzzy Hash: 6E018F714006049FDB208F45D885B61FBE4FF58324F08C09ADE458B666C77AE819DBA2

Function 0083BEEE Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 0083BF29

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 8e3385d361351f18b7b4e6b259fcad1ed1f801f8856627afbc3a482875190ef4
Instruction ID: 730e6cdb702adf02c74a34d1208c8e26c9cad25d21c06b5dc6fdc6a839f3eb26
Opcode Fuzzy Hash: 8e3385d361351f18b7b4e6b259fcad1ed1f801f8856627afbc3a482875190ef4
Instruction Fuzzy Hash: 15018F754006049FDB208F45DC84B61FBE0FF58324F08C09ADE494A655C776E818DFA2

Function 048B142F Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1b29a573c7f8959dde6d34dbba56df1a753a95692c60fd616f1906ffefb9dd
Instruction ID: 0dfe2082b462c907b7614123284dceebd37552123fab529947ee785bdbb01910
Opcode Fuzzy Hash: de1b29a573c7f8959dde6d34dbba56df1a753a95692c60fd616f1906ffefb9dd
Instruction Fuzzy Hash: 5641BE724093C05FE7138B219C45A92BFB4EF07224F0985DBE9848F6A3D265A908C7B2

Function 00A61120 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00A61147

Memory Dump Source

Source File: 00000002.00000002.4476405874.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: aa8f16b0f5e0fcf8a2b70013b85968e6affee8a0a3d646782ba825cf294de18c
Instruction ID: 58668f54330d68aac321f40dff8d43324291762a4f3deedd1ffe5dbc92c66077
Opcode Fuzzy Hash: aa8f16b0f5e0fcf8a2b70013b85968e6affee8a0a3d646782ba825cf294de18c
Instruction Fuzzy Hash: C841B031B102118FCB04DF74C8946AEB7F6AF94214B588179D909CB39ADB39CE46CBE0

Function 00A6110F Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00A61147

Memory Dump Source

Source File: 00000002.00000002.4476405874.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ef5706e8f93c7fe94736d4120575f576400921dc09bbde7189fb4e5fdfd77157
Instruction ID: d5847563347988a0326c817f37986286af25d6476ab5c6ae25017eb8e57e04b9
Opcode Fuzzy Hash: ef5706e8f93c7fe94736d4120575f576400921dc09bbde7189fb4e5fdfd77157
Instruction Fuzzy Hash: F1418E316112158FCB04DF74C8946AA7BF2AF95344B588179D849DB3AADB38CD46CBE0

Function 048B0E1F Relevance: 1.6, APIs: 1, Instructions: 98registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 048B0EE6

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a824d78680c38b9babe5eb13f20c80475e1072a29c05e75ec5d7a1361f5d6874
Instruction ID: afa649a35e98a062c38788e9c1848329bec51f36b0547d8093801373cafeb354
Opcode Fuzzy Hash: a824d78680c38b9babe5eb13f20c80475e1072a29c05e75ec5d7a1361f5d6874
Instruction Fuzzy Hash: 05317C6550E3C06FD3138B218C61A61BFB4EF47610F0E85CBE8C48B6A3D619A909C7B2

Function 0083AB1E Relevance: 1.6, APIs: 1, Instructions: 91registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0083ABD1

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 3522d43c12869222cedc14a3113c59b22b62f96af726c831e8596e89724d5fdf
Instruction ID: acd620837a140b2932b22426009cd63631b7c19f963f4ca13115580bbd20c95a
Opcode Fuzzy Hash: 3522d43c12869222cedc14a3113c59b22b62f96af726c831e8596e89724d5fdf
Instruction Fuzzy Hash: 7631B5715083806FE7228B51DC84FA7BFBCEF56314F08849AE984CB152D225E949C772

Function 048B1BDE Relevance: 1.6, APIs: 1, Instructions: 91windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 048B1C9A

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 302d10d739fbf0209fb9ecdd5d581b9133cc4cf99dfbd64772859aa29d997a20
Instruction ID: af421b5bc129412fbf56127e38724f80dab724d62087938221b062bc57b30eeb
Opcode Fuzzy Hash: 302d10d739fbf0209fb9ecdd5d581b9133cc4cf99dfbd64772859aa29d997a20
Instruction Fuzzy Hash: 02317C7250D3C45FD7138B618C61AA6BFB4EF47610F1D84CBD8C48F2A3D624A919D7A2

Function 048B1944 Relevance: 1.6, APIs: 1, Instructions: 90timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,C6EE5EE1,00000000,00000000,00000000,00000000), ref: 048B19E1

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: c83c9bac8cb822080693f236b4a5bdaf25f7f242f051b7ea06c842e19a254466
Instruction ID: cc20e97e7b8fd20665f646d98ebe7734962caceeb1ba48e0a6f129e726390af7
Opcode Fuzzy Hash: c83c9bac8cb822080693f236b4a5bdaf25f7f242f051b7ea06c842e19a254466
Instruction Fuzzy Hash: BB3105721053806FD7128F60DC44B96BFB8EF16310F08859AE984CF193D225A809C7B1

Function 0083A612 Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0083A6B9

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 52301cd77a037af37b958423b605b749ceebdac3a734d63a884a9c07f7e54876
Instruction ID: f84655ebd8255ddfa67c7d353a850337d4c9b245b7248b922723f8177d4dd9f2
Opcode Fuzzy Hash: 52301cd77a037af37b958423b605b749ceebdac3a734d63a884a9c07f7e54876
Instruction Fuzzy Hash: 8F31B3B15093806FE711CB25CC85B96BFF8EF16310F08849AE984CF292D375E809C762

Function 048B1338 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 048B13CF

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 6a5e8c099f2551c6bb47f43ec98c9353a3ffb2a87026bc120b205127278bb736
Instruction ID: 681352ae0b44e00d0d7048b125d436b776722e1d32e8c42d134fd3c01502c222
Opcode Fuzzy Hash: 6a5e8c099f2551c6bb47f43ec98c9353a3ffb2a87026bc120b205127278bb736
Instruction Fuzzy Hash: 6A318F71604344AFE721CF64DC45FABBFB8EF05214F0889AAE985DB652D324E848CB61

Function 0083AE79 Relevance: 1.6, APIs: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0083AF1D

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c9a41b3915e2b8f25c6a1fa81ebeea07c51d418195f9038379dd573eb6ef991a
Instruction ID: 2a6a509688001dc9698c2fb66ddeb34d17548c67967c7190139445a229ae3dd8
Opcode Fuzzy Hash: c9a41b3915e2b8f25c6a1fa81ebeea07c51d418195f9038379dd573eb6ef991a
Instruction Fuzzy Hash: 71319FB1504740AFEB21CF65DC84F56BBE8FF15310F08859EE9858B662D375E809CB62

Function 0083A361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,C6EE5EE1,00000000,00000000,00000000,00000000), ref: 0083A40C

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8a6d3931556b7b2666c8d651f7da01d50b4dff63fab1b4ee4cf5d618afdd6252
Instruction ID: 01a043ab4acf1b3a37e95d76ceb82fccb157898b6b2c871009185cb5029ac4e2
Opcode Fuzzy Hash: 8a6d3931556b7b2666c8d651f7da01d50b4dff63fab1b4ee4cf5d618afdd6252
Instruction Fuzzy Hash: CB318175504740AFD721CF11CC84FA7BBF8EF55710F08859AE985CB292D364E949CBA2

Function 0083BB11 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,C6EE5EE1,00000000,00000000,00000000,00000000), ref: 0083BB98

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 626482dc70a906f8391ba13281b43e5032919435a05768eec12755941f38d80d
Instruction ID: 11dcce96da7ef14f0dbe0eac652e165cc54b94882bd9752bfb66fc98a62119b0
Opcode Fuzzy Hash: 626482dc70a906f8391ba13281b43e5032919435a05768eec12755941f38d80d
Instruction Fuzzy Hash: 7221D6715093846FE712CB60DC84B96BFB8EF46310F0884DBE944CF192D269A909C761

Function 0083AF74 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,C6EE5EE1,00000000,00000000,00000000,00000000), ref: 0083B009

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: a1ad86e0e7180ba6ce347209dee0a729323aaf94b76216d072ea57720f58495b
Instruction ID: fbad50013fbd417a554813ee74d7036183b8d174f076ee2541345523d4ce618d
Opcode Fuzzy Hash: a1ad86e0e7180ba6ce347209dee0a729323aaf94b76216d072ea57720f58495b
Instruction Fuzzy Hash: FF213AB54097806FE7128B15DC81BA3BFBCEF56320F0881D6E9848F2A3D364A909C771

Function 0083A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,C6EE5EE1,00000000,00000000,00000000,00000000), ref: 0083A4F8

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: b2da1f34f654668a4b05bb9245533154dc72bbc1ec8605945c1e7fb21e762f63
Instruction ID: 87bd23ca48057c263760636bb6f33bf4fe67b4fc29ecece7979ec86380d5b3d5
Opcode Fuzzy Hash: b2da1f34f654668a4b05bb9245533154dc72bbc1ec8605945c1e7fb21e762f63
Instruction Fuzzy Hash: B02190725047806FD7228F51DC44FA7BFB8EF56210F08859AE985CB652D264E848C7B2

Function 048B0F12 Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 048B0F9E

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 048288d159410b5d573476664ad7d7e65e8b33d8aed43704ec3dd1da14141a13
Instruction ID: 211fafbcac2940e39ef9d085692b165a454017f6bdc39b2206a65611b2cf09e2
Opcode Fuzzy Hash: 048288d159410b5d573476664ad7d7e65e8b33d8aed43704ec3dd1da14141a13
Instruction Fuzzy Hash: 0121A071509380AFE721CF61DC44F96FFB8EF06210F08899EE9858B692C375E408CB62

Function 0083AE9E Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0083AF1D

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 90a3d8a362a15a2222fc33e7c6a5d56979d50941a256f62d38740e6a0d157619
Instruction ID: 6a98469dce11c7e2d523d42a8c03d9449716eb905f037378d5a1e8471ec43ac8
Opcode Fuzzy Hash: 90a3d8a362a15a2222fc33e7c6a5d56979d50941a256f62d38740e6a0d157619
Instruction Fuzzy Hash: 8321A1B1500204AFEB20CF65CD44B66FBE8FF18314F088559E985CB651D775E808CBA2

Function 0083BDE4 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,C6EE5EE1,00000000,?,?,?,?,?,?,?,?,6C923C58), ref: 0083BE6A

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: d4e0f9970e0632c7430f1747c53981b1ccb8407eadff37f66a0cbfa37ba2981f
Instruction ID: 8be82eaee88d627b9d53975efa88ebeb8e5528b6ff78f4f9c73c5ce1e0c04d3b
Opcode Fuzzy Hash: d4e0f9970e0632c7430f1747c53981b1ccb8407eadff37f66a0cbfa37ba2981f
Instruction Fuzzy Hash: 83216B715093C09FDB12CB65DC54A92BFB8EF47310F0D84EBE984CB1A3D224A818CB62

Function 048B1246 Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,C6EE5EE1,00000000,00000000,00000000,00000000), ref: 048B12E4

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 35239b05f6265b302e07993936cb34009ff58dabbe139652ce6fc7e4f645c09f
Instruction ID: 203f42012846f4f6dfd116bcea0d6405e5d9a835cfce98700b3b1460f5cc7519
Opcode Fuzzy Hash: 35239b05f6265b302e07993936cb34009ff58dabbe139652ce6fc7e4f645c09f
Instruction Fuzzy Hash: D3219F72504780AFE721CF55DC44F97BBF8AF59310F08859AE985CB692D325E508CBA1

Function 048B135E Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 048B13CF

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 22e606d8afd04e1092226fcddc623bd2e2c7992da607e8eb369083495e9f160d
Instruction ID: a7507316f2f0f32f015c7a083680387ee6eb0a17c04d411509036e60b726048c
Opcode Fuzzy Hash: 22e606d8afd04e1092226fcddc623bd2e2c7992da607e8eb369083495e9f160d
Instruction Fuzzy Hash: B921C571600304AFE720DF24DC44BABBBECEF14214F08896AE985CB745E334E4488AB1

Function 0083AB52 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0083ABD1

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 96cef569ecabe981dfdb711d894d63fdbf33028764c4118c14b4f7719a58429b
Instruction ID: 7ed93b6edf9aeb93b55598884ae73a5b089f560318734ba5a722b87d33dad61e
Opcode Fuzzy Hash: 96cef569ecabe981dfdb711d894d63fdbf33028764c4118c14b4f7719a58429b
Instruction Fuzzy Hash: C121D172500204AFE720DF11DC84FABFBECEF64324F04845AE985CB651D725E84C8AB2

Function 048B1DB3 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,C6EE5EE1,00000000,00000000,00000000,00000000), ref: 048B1E2F

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 23c573935d754a84fac86041ed27371df8b667ae8801d637dc3a90abf9d4d354
Instruction ID: ce384f183fe85f7a8be846cd146e49d6fe31297640a98c112c9e9de85571c506
Opcode Fuzzy Hash: 23c573935d754a84fac86041ed27371df8b667ae8801d637dc3a90abf9d4d354
Instruction Fuzzy Hash: FB21C5715043806FD711CF21DC44B97BFB8EF45210F08859AE944CB252D374E508CB61

Function 048B1CCF Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,C6EE5EE1,00000000,00000000,00000000,00000000), ref: 048B1D4B

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 23c573935d754a84fac86041ed27371df8b667ae8801d637dc3a90abf9d4d354
Instruction ID: 9485429a21923023e5c762eee7a7aa9006209cf6bebd19ccd5e3b41c0d2bf30a
Opcode Fuzzy Hash: 23c573935d754a84fac86041ed27371df8b667ae8801d637dc3a90abf9d4d354
Instruction Fuzzy Hash: 3F2192715093846FD711CF61DC44BABBFA8EF46214F08899AE945CB252D365E508CBA2

Function 0083A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0083A6B9

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0ffc9eced15c9b193e6188db11bf4d2d84fd8200331e13ee8806868b2bdb4084
Instruction ID: 378086d24a1ed53944710f59e4fdf8061ecbf0408a666614c73e212fd6342ccb
Opcode Fuzzy Hash: 0ffc9eced15c9b193e6188db11bf4d2d84fd8200331e13ee8806868b2bdb4084
Instruction Fuzzy Hash: 7D21D4716002049FE720DF25CD85BA6FBE8EF64314F08846AED84CB741E775E809CAB2

Function 0083B5DF Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0083B656

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: fdcf5f4fc93cb0f79494ff563f4f871092d46f835722c046a0646f75bdf86f0f
Instruction ID: be730b576af28e39dc144e7b62baf5cd29c95809c0a6d70cf37422615b63ec64
Opcode Fuzzy Hash: fdcf5f4fc93cb0f79494ff563f4f871092d46f835722c046a0646f75bdf86f0f
Instruction Fuzzy Hash: C1219FB16083805FDB11CF25CC55B62BFF8EF56210F08849AED84CB253D265E808CB61

Function 048B0CAA Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,C6EE5EE1,00000000,00000000,00000000,00000000), ref: 048B0D29

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7d15320d29235a253578dd206f52c6d65edf99561b243daa37d4d8a75d075657
Instruction ID: a0d3f979b323adb93bbdb24db2bb5955be2f36773cee16708abd899f311ee1f1
Opcode Fuzzy Hash: 7d15320d29235a253578dd206f52c6d65edf99561b243daa37d4d8a75d075657
Instruction Fuzzy Hash: FC219F71405380AFDB22CF51DC44FA7BFB8EF56210F08899AE9858B252C225E408CBB2

Function 0083A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,C6EE5EE1,00000000,00000000,00000000,00000000), ref: 0083A40C

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e906a5ac71978bc5dcc4db55f4c2460c98d3d81b1b286be1f1c5d0e8b92db0dc
Instruction ID: b51ee9f211cb81960ce042afb49c8ec7f1583cdab0c804d9ac8508109419cd27
Opcode Fuzzy Hash: e906a5ac71978bc5dcc4db55f4c2460c98d3d81b1b286be1f1c5d0e8b92db0dc
Instruction Fuzzy Hash: CA21AE76200604AFEB20CE11CC84FA7F7ECEF54710F08855AE985CB651D365E808CAB2

Function 0083AC19 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0083AC97

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4b93d0a82f09dc12031cfc5110d0d271cfd5d5b4ebc9e3f8580c7ced429bfce3
Instruction ID: 5cb05ef173bccc43cf13086aeb2e02c7ce949a3d5d2e9b33c1c1aaaa9cf888ef
Opcode Fuzzy Hash: 4b93d0a82f09dc12031cfc5110d0d271cfd5d5b4ebc9e3f8580c7ced429bfce3
Instruction Fuzzy Hash: 5921C2715093C45FDB12CB25DC85B92BFA8EF46324F0884DAE885CB263D2749849CB62

Function 0083B8C0 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0083B92C

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 43074b30faad94c79cc62e11ebb164820c2c4cc84f2e4b5dbf76eb4b5847c992
Instruction ID: 964dd2a096a770520499813a4de72b11a15cf9cf4e350286871da8592841ac9b
Opcode Fuzzy Hash: 43074b30faad94c79cc62e11ebb164820c2c4cc84f2e4b5dbf76eb4b5847c992
Instruction Fuzzy Hash: 9821F3B25093C05FDB02CB25DC54792BFB4EF47324F0884DAED858F663D224A908CB62

Function 048B1B1F Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 048B1B9E

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 3cc3f9762f73531ca293630c6036d0ac9f88cf4459b656fbeb40019b183b0733
Instruction ID: 5ce20c4624cb6dedd8661ad058eb67a177a3a79d287a228d28449cabe46a53f7
Opcode Fuzzy Hash: 3cc3f9762f73531ca293630c6036d0ac9f88cf4459b656fbeb40019b183b0733
Instruction Fuzzy Hash: F721B3710097849FDB22CF61CC44A92BFF4EF06310F0985DAE9858F262D375A809CB61

Function 0083A710 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0083A780

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 49142d304f9e01c4033823c911978ae6af769231e9852cb351059cb3bd17788a
Instruction ID: cadd495a26732fa0d135b94f1f5a156939d350a879555877adf1cd8de2622525
Opcode Fuzzy Hash: 49142d304f9e01c4033823c911978ae6af769231e9852cb351059cb3bd17788a
Instruction Fuzzy Hash: 4B21D2B55087809FDB01CF65ED85752BFB8EF42324F0884ABEC858B253D335A905CBA2

Function 048B150E Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 048B1582

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 9e29669540347f2c9d20fef5d260156b7df5c23daf6d65db3b0e0682e2439566
Instruction ID: 43bed1190b81b5d9d03e1483036743dc6be1651d522e620d12b2302920b84ce1
Opcode Fuzzy Hash: 9e29669540347f2c9d20fef5d260156b7df5c23daf6d65db3b0e0682e2439566
Instruction Fuzzy Hash: 8821CD71500204AFE721CF55DC49BA6FBE8EF28324F08895AE9858A751D376F508CBA2

Function 048B0F32 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 048B0F9E

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 7969de5d95118548d2d2c61e078f81bf3618b74283c5350830319f4333c04161
Instruction ID: c43ea48340e1497fa35a8f7056ba251270895ce559f4f181e2a63d307db37f2a
Opcode Fuzzy Hash: 7969de5d95118548d2d2c61e078f81bf3618b74283c5350830319f4333c04161
Instruction Fuzzy Hash: 9D21C271504204AFEB21CF55DD44F96FBE4EF15314F08895AED868A791D376F408CBA2

Function 0083A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,C6EE5EE1,00000000,00000000,00000000,00000000), ref: 0083A4F8

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5bdedad0118be5e33a087a97b08b3dbfc0f510aa7902948db2eccdbd0a45a86f
Instruction ID: d4547c62966992b0760bffbabc5c138e6c158b397af4d9bd4a536fd5f12f000f
Opcode Fuzzy Hash: 5bdedad0118be5e33a087a97b08b3dbfc0f510aa7902948db2eccdbd0a45a86f
Instruction Fuzzy Hash: 2A11D072500604AFEB20CE51DC84FA7FBECEF64714F08855AED85CA652D375E848CAB2

Function 048B1272 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,C6EE5EE1,00000000,00000000,00000000,00000000), ref: 048B12E4

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1db602e697540889a1df769578b5ac09d5131b1e8d4d0e04bb972d411aae7dca
Instruction ID: 57a14fcc04dfb99f44fb5307b3f30dc392ad2533153fba2308db1321bd00fc61
Opcode Fuzzy Hash: 1db602e697540889a1df769578b5ac09d5131b1e8d4d0e04bb972d411aae7dca
Instruction Fuzzy Hash: 9711AF72600604AFE720CE55DC44FA7F7E8EF18754F08865AE985CB751D365F508CAB1

Function 0083ADB4 Relevance: 1.6, APIs: 1, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 0083AE1E

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 8dcf47b1cb948994842715c5aa601822166f2cd6896ddf4ab93db5c55c06f32f
Instruction ID: 31b05d1e1ac3add0faf9161e77102a0f66288702acb669302f271603f0e579cc
Opcode Fuzzy Hash: 8dcf47b1cb948994842715c5aa601822166f2cd6896ddf4ab93db5c55c06f32f
Instruction Fuzzy Hash: 481184B15043809FD715CF65DC85B57BFE8EF45310F0884AAED85CB652D235E804CB62

Function 0083A14A Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,00000E24,?,?), ref: 0083A1BD

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 60d2851203f94b7937bc6dbdd386b92f117151a01117baeda835b2ec618df253
Instruction ID: 91bd2262a63094f98ac13a686b258f254a2089251624aabade564fca833b2bf9
Opcode Fuzzy Hash: 60d2851203f94b7937bc6dbdd386b92f117151a01117baeda835b2ec618df253
Instruction Fuzzy Hash: 1011D3715093806FC311CB25CC45F66BFB8EF86620F19819FEC489B682D325F915CBA2

Function 048B1982 Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,C6EE5EE1,00000000,00000000,00000000,00000000), ref: 048B19E1

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 063bdf2422abbed5842fe81771d5844d697cd56e8e88c721fe6544e191530059
Instruction ID: 03e930e5f881ed66c66ef2521358823eb670f0682594b7e764236c4174a7a8d8
Opcode Fuzzy Hash: 063bdf2422abbed5842fe81771d5844d697cd56e8e88c721fe6544e191530059
Instruction Fuzzy Hash: DE11D371500204AFEB21CF51DC44FABBBE8EF14714F08895AE945CA651D375F448CBB1

Function 048B1DD6 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,C6EE5EE1,00000000,00000000,00000000,00000000), ref: 048B1E2F

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 6d64e9086014ebc3e863d03cbecc1d3c93f2591f1acff856b0df9df2942b3759
Instruction ID: 5c3e4f22c6ef532730d207aa4effca5684b57063f9feb52f78017fa88e33a81b
Opcode Fuzzy Hash: 6d64e9086014ebc3e863d03cbecc1d3c93f2591f1acff856b0df9df2942b3759
Instruction Fuzzy Hash: 0F11B271600204AFEB21CF55DC84BAABBA8DF15224F08896AE945CB651D775E8488AB1

Function 048B1CF2 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,C6EE5EE1,00000000,00000000,00000000,00000000), ref: 048B1D4B

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 6d64e9086014ebc3e863d03cbecc1d3c93f2591f1acff856b0df9df2942b3759
Instruction ID: 0890f5d4833ecb51b08bd0e652d36ce65fdfa4ade74773f91e14c7d142041d69
Opcode Fuzzy Hash: 6d64e9086014ebc3e863d03cbecc1d3c93f2591f1acff856b0df9df2942b3759
Instruction Fuzzy Hash: BE11B271600204AFEB20CF55DC85BABBBA8EF15224F08896AE945CF645D775E4088AA1

Function 0083BB42 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,C6EE5EE1,00000000,00000000,00000000,00000000), ref: 0083BB98

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 09dbed12ea4badba4493084f99712b486057d46686e1dc03b49c16fc9e881900
Instruction ID: 29be5433e3d91bfa78dd9b44277cc73ce18f5ae60f84c64e782b11641c67e360
Opcode Fuzzy Hash: 09dbed12ea4badba4493084f99712b486057d46686e1dc03b49c16fc9e881900
Instruction Fuzzy Hash: C311E771500204AFEB10CF15DC84BABF7ACEF54324F18C46AED45CB645D779E8088AA1

Function 048B0CCA Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,C6EE5EE1,00000000,00000000,00000000,00000000), ref: 048B0D29

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d74a51bcbfcbd718a848a42c608404d985a2d17b15c7710e2b5ac5790e1b0200
Instruction ID: a754469a05e8b5efb7c8af99ab2346c404d8f2d14965340b1f67fdcde4059023
Opcode Fuzzy Hash: d74a51bcbfcbd718a848a42c608404d985a2d17b15c7710e2b5ac5790e1b0200
Instruction Fuzzy Hash: 9B11B271500204AFEB21CF51DC44BABFBA8EF15714F088A5AE9458B655D375F4488BB2

Function 0083AA81 Relevance: 1.6, APIs: 1, Instructions: 57comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0083AAE0

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0e98cb03de1680ea677269a2b211c8aae3c545bfc8c061d6365b3a72cb92fa0d
Instruction ID: d9fe92d9c6e3bc0ad72926a9a0446a8adcac2c4226b6e8af1cfb3b72338bad83
Opcode Fuzzy Hash: 0e98cb03de1680ea677269a2b211c8aae3c545bfc8c061d6365b3a72cb92fa0d
Instruction Fuzzy Hash: 29115E715093C05FDB128B25DC44692BFB4EF47220F0888DAED848F153C265A948CBA2

Function 048B0218 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 048B027E

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 81c2e974d6f9a56b68e4bca21c7a096859bb56e072b362b0060449b456bdf5da
Instruction ID: 9f4f8acdf71a4445243f9d4099b6d04c79816daf44ff5c714a923eae33c40b0f
Opcode Fuzzy Hash: 81c2e974d6f9a56b68e4bca21c7a096859bb56e072b362b0060449b456bdf5da
Instruction Fuzzy Hash: 0F115171408780AFDB22CF55DC84A52FFF4EF4A320F08899EE9858B662C375E418DB61

Function 0083A2D2 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0083A330

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c3495a30e7b353f74a1934993aab9816758d17a00bcca87b17d2da7d327db76c
Instruction ID: 0013b251cac7a9bc0d170e0684e7bc77673c5d7c868ee894c7db1eeedac54a3c
Opcode Fuzzy Hash: c3495a30e7b353f74a1934993aab9816758d17a00bcca87b17d2da7d327db76c
Instruction Fuzzy Hash: 3E1151754097806FDB128B15DD44762BFB4EF46724F0980DAED848B263D266A808DB62

Function 0083B60E Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0083B656

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d2dfd5d456e2cd0fa08aa17a6c7427b21df24e9218957a81208569be1993ccf0
Instruction ID: 6f49968eb32865c3b0540566d462019f6607b370c8865f6fec086a2987ceafba
Opcode Fuzzy Hash: d2dfd5d456e2cd0fa08aa17a6c7427b21df24e9218957a81208569be1993ccf0
Instruction Fuzzy Hash: 1511A1B16006048FDB50CF25D886B56FBE8EF65324F08C46AED49CB752E775E814CAA1

Function 0083ADD6 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 0083AE1E

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: d2dfd5d456e2cd0fa08aa17a6c7427b21df24e9218957a81208569be1993ccf0
Instruction ID: 0f7b3c913b8e18c5ec37d1f9684aa5cbf3c245930f5e5f1367545eace2fb0703
Opcode Fuzzy Hash: d2dfd5d456e2cd0fa08aa17a6c7427b21df24e9218957a81208569be1993ccf0
Instruction Fuzzy Hash: 8C11A1B26002048FDB14CF2AD885B56FBE8EF54724F08C4AADD89CB751D335E804CBA2

Function 0083AFB6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,C6EE5EE1,00000000,00000000,00000000,00000000), ref: 0083B009

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: d0d7c58944953e9dd77743ee32b1641e2fde8ff39c7731918ac924232c8c39bd
Instruction ID: 1ef2bb289dbfaa27c6aaf7cfb9b056521daaab6f0a9c50d9bc15b926f7d2440b
Opcode Fuzzy Hash: d0d7c58944953e9dd77743ee32b1641e2fde8ff39c7731918ac924232c8c39bd
Instruction Fuzzy Hash: 5D01D671500604AFE720CB11DC84BABF7A8EF64724F18C056EE048B741D379E9488AB2

Function 0083A9E4 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 0083AA3B

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: 2187a3ad678f4c1e9966181c500c32d189ee5d889f7f656f8d90cdcdd8ac5e16
Instruction ID: 4b5f3a299fae1d3f952a6ccf5ebc8a7d78528ebbfef08b5936606d631bafa9b4
Opcode Fuzzy Hash: 2187a3ad678f4c1e9966181c500c32d189ee5d889f7f656f8d90cdcdd8ac5e16
Instruction Fuzzy Hash: 1D119E714087809FDB11CF65DD84B52BFA8EF46320F08849AED858B262D279A808CB62

Function 0083BE2A Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,C6EE5EE1,00000000,?,?,?,?,?,?,?,?,6C923C58), ref: 0083BE6A

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: f1d914fb54af7447fb73137b360f36f82ce7efcd5070e20ae7a3e0d72c9dd55b
Instruction ID: f7e5d1498a19eda9fd3fb5d74b38a802f4690a0552f50480c718396c0fbf2824
Opcode Fuzzy Hash: f1d914fb54af7447fb73137b360f36f82ce7efcd5070e20ae7a3e0d72c9dd55b
Instruction Fuzzy Hash: 6F11A1B16002048FDB20CF29D884B96FBE8EF54320F08C4AADE49CB651D335E808CBA1

Function 048B1B52 Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 048B1B9E

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: b162bb7a53eacc0582c7b954c918f4b8c5e6cdf1af6398b4930b55eb7e663edb
Instruction ID: 676c6176e51e9eca8527f58cf8df58fb81693c404169bb73b2d8dab08608f52f
Opcode Fuzzy Hash: b162bb7a53eacc0582c7b954c918f4b8c5e6cdf1af6398b4930b55eb7e663edb
Instruction Fuzzy Hash: A7115E315006089FDB20CF55D844BA6FBE4EF08354F08899ADD858B622E376E418DBA1

Function 0083AC5A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0083AC97

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 515750ce4087870747ac111b864be1f6b2ebe3280bce65420bb86c0edefbf7cf
Instruction ID: 05fc6c634a343e4da7c89fc362985979537c43a23c92c4607f8f27f86162aab5
Opcode Fuzzy Hash: 515750ce4087870747ac111b864be1f6b2ebe3280bce65420bb86c0edefbf7cf
Instruction Fuzzy Hash: E201B1716002448FDB24CF29D885766FBE8FF55324F08C4AADD89CB752D379E844DAA2

Function 0083A172 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,00000E24,?,?), ref: 0083A1BD

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: a29d46727c136d142b1d01f794a8a7471c6b4e27016517100014c3e01c5c58bd
Instruction ID: 41d8a40653a38cb280b2fe411a4511d5f1153145b24e9f8af8a6f256469aee8a
Opcode Fuzzy Hash: a29d46727c136d142b1d01f794a8a7471c6b4e27016517100014c3e01c5c58bd
Instruction Fuzzy Hash: 9C01B171600200AFD310DF16CC45B66FBE8EB88A20F14815AEC089B741D731F915CBE2

Function 048B1C4A Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 048B1C9A

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: add053af82324c72f6f458f3d3f3516cb349c164449774102a1192b56cec240a
Instruction ID: bfa12f67e71019ac3a986614958bf870086f7c9c39b50d04ec5d09adb67fec12
Opcode Fuzzy Hash: add053af82324c72f6f458f3d3f3516cb349c164449774102a1192b56cec240a
Instruction Fuzzy Hash: 7701B171600200AFD350DF16CC45B66FBE8EB88B20F14811AEC089B741D731F915CBE2

Function 048B023A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 048B027E

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e12583a2cb8c5024ab87e9141b653924710de9cb0f7764761ca918a8a256011b
Instruction ID: c16f7b25e9a125898a2a6e03059e79d4aa5508c0006698650f7318ad178d5f76
Opcode Fuzzy Hash: e12583a2cb8c5024ab87e9141b653924710de9cb0f7764761ca918a8a256011b
Instruction Fuzzy Hash: 67015E315007049FDB218F95D984B56FBE4EF09314F08C99ADD858A651D376E418DBA2

Function 0083A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0083A780

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bf77b58c49fd4ca39477ebba22649d9f0017266c3c385daa6d49d5a2d5c915eb
Instruction ID: 7c8c580f6626c31480e0cddf3ac361066e4f793acf1835a26ff0cf5b4435bc86
Opcode Fuzzy Hash: bf77b58c49fd4ca39477ebba22649d9f0017266c3c385daa6d49d5a2d5c915eb
Instruction Fuzzy Hash: 3001DF716002048FDB10CF25D984766FBE4EF45324F08C4ABDC89CB752D37AE808CAA2

Function 0083B8FA Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0083B92C

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5ad77f77d89e7e14974348220cb2002bce60a54ba80abe8db048db5d9b16a757
Instruction ID: 1d7389011729277edb7949ca310bad7d6c578dad34f9e45e6c82cc367a883f55
Opcode Fuzzy Hash: 5ad77f77d89e7e14974348220cb2002bce60a54ba80abe8db048db5d9b16a757
Instruction Fuzzy Hash: C801BCB1A006448FDB10CF15D884766FBE4EF55724F08C0AADE49CB656D379E808CAA2

Function 048B0E96 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 048B0EE6

Memory Dump Source

Source File: 00000002.00000002.4478619972.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d2ef6a868365ef63f1376f4783ad92449280cf83feddeedfe967c5169383c0c6
Instruction ID: 1542776ce826a6a1d4722a5b8004d6dd9998173f0ee1789c2d5ae4b28687682f
Opcode Fuzzy Hash: d2ef6a868365ef63f1376f4783ad92449280cf83feddeedfe967c5169383c0c6
Instruction Fuzzy Hash: 4A01A271500600ABD350DF16CC46F66FBE8FB88A20F14811AEC089BB41D771F915CBE6

Function 0083AA06 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 0083AA3B

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: 477d5fcbb9a008d6cc13939722de2733ea8181daa321e4db8e71c3943f57a8b6
Instruction ID: 85838ca872731dfa7616c4c64444cb52f6d6d7e4d4c687e7546165c29f6c7271
Opcode Fuzzy Hash: 477d5fcbb9a008d6cc13939722de2733ea8181daa321e4db8e71c3943f57a8b6
Instruction Fuzzy Hash: F701F2325002448FDB10CF15D984766FBE4EF45324F08C8AADD898F252D37AE808CFA2

Function 0083AAAE Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0083AAE0

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d68fa4256e686afd2e82e951ae7fea4d9e1d516d7cc8c7fb0dcf2b5977811522
Instruction ID: 232362f77911f2fdf6c11ce0e89c940da96616fa6b1dbfda458d910184f3f8b2
Opcode Fuzzy Hash: d68fa4256e686afd2e82e951ae7fea4d9e1d516d7cc8c7fb0dcf2b5977811522
Instruction Fuzzy Hash: 1801D1719042448FDB10CF15D984766FBE4EF55324F08C8AADD898F356D37AE848CEA2

Function 0083A2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0083A330

Memory Dump Source

Source File: 00000002.00000002.4476101488.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: ff3cab1519ebb51c5b13553fb62643c457e175aa923da4f29a1cac8fe52e01b3
Instruction ID: 27935129bb70603fc878b7f89d9c5f20d5c40cb496c24c2441cabc92ff0978e8
Opcode Fuzzy Hash: ff3cab1519ebb51c5b13553fb62643c457e175aa923da4f29a1cac8fe52e01b3
Instruction Fuzzy Hash: BCF0AF35904644CFDB10CF09D884765FBE4EF55324F08C09ADD898B756D27AE848CAA3

Function 00A70F7C Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4476429642.0000000000A70000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a5e235be23c05b8c9ce4451c33610e31aece2f4fe799b43571d4fe79a2062f
Instruction ID: e0a798d637a79f162dd89dd7c4754adcf34613ff0a432a79a58161a69b2041dd
Opcode Fuzzy Hash: 65a5e235be23c05b8c9ce4451c33610e31aece2f4fe799b43571d4fe79a2062f
Instruction Fuzzy Hash: 89212E7550D7C09FD7138B289C51B52BFB4EF43614F09C4DBD9898F593C2299849C7A2

Function 00A70934 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4476429642.0000000000A70000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110822c6484d212e41d6f384011862974e6bd41abcd03b6fba1cd36a1f055039
Instruction ID: cb937d52da7fc0b659cc53492548262e306e204ea6d841fba64fe81fb05c8753
Opcode Fuzzy Hash: 110822c6484d212e41d6f384011862974e6bd41abcd03b6fba1cd36a1f055039
Instruction Fuzzy Hash: 6911AF31204280DFE715CB10D980F66B7A5AB89718F24C99CEA8D4B793C77BD856CA51

Function 00A70FD6 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4476429642.0000000000A70000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83c61ac157f35a14f46f7245102385197c77807a2ef91c4081cf2d4a4f99e39
Instruction ID: 26bb09016ed3e55c1a989ef76097d1a88f42b9b0ce1dc128909019efbbbf41d3
Opcode Fuzzy Hash: a83c61ac157f35a14f46f7245102385197c77807a2ef91c4081cf2d4a4f99e39
Instruction Fuzzy Hash: 59017575514680CBD720CB19D984B65FBE4EB55724F08C46ADD4D4BB41C37EA888CAA2

Function 00A705DF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4476429642.0000000000A70000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bed19f8e3e56083eeb91e39f17b8cced9e51d572ee65ca7003fbddb5a5c2391
Instruction ID: 2e62fd498b325558719ad23bbd89408943727bd7db6b0535a5f8de20db8ad249
Opcode Fuzzy Hash: 0bed19f8e3e56083eeb91e39f17b8cced9e51d572ee65ca7003fbddb5a5c2391
Instruction Fuzzy Hash: 21018B7550D7905FD711CB15AC51863FFB8DF86530709C49FEC498B652D125A908C772

Function 00A709F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4476429642.0000000000A70000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6be295edf29338edade0617eef55253e6bcb45af7d9f8b9e6ca450542c707195
Instruction ID: efe39493e53d13a9fcb841229c99845d98b9622286802bf9158bdaec012ed412
Opcode Fuzzy Hash: 6be295edf29338edade0617eef55253e6bcb45af7d9f8b9e6ca450542c707195
Instruction Fuzzy Hash: C4F01D35104644DFC715CF00D940F16FBA2EB89718F24CAADE94907752C737D813DA81

Function 00A70606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4476429642.0000000000A70000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995a740ca0d7a87d044efaa2aac27ccc52c4eb10907b19c7b13e1edb9ae76135
Instruction ID: d199dd323b3966d334ce8a3faa51f7fbf4cb745c7bf28a39a040db7f673c4eb4
Opcode Fuzzy Hash: 995a740ca0d7a87d044efaa2aac27ccc52c4eb10907b19c7b13e1edb9ae76135
Instruction Fuzzy Hash: 3CE092B66006004BD750CF0AFC81462F7D8EB84630B18C07FDC0D8BB11D636F508CAA6

Function 008323F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4476083552.0000000000832000.00000040.00000800.00020000.00000000.sdmp, Offset: 00832000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47963038a680a7f0d782bf39d7eaa83ddd770a9a90f7d380b9c973cb347305a4
Instruction ID: a20ffdb725bfdcfa114dbebd8a83e50d3facda6b506059e4cc2fe17add3e176b
Opcode Fuzzy Hash: 47963038a680a7f0d782bf39d7eaa83ddd770a9a90f7d380b9c973cb347305a4
Instruction Fuzzy Hash: 59D05E792056C14FD316DA1CC1A4F9537D4BBA1718F4A48F9A800CB763C768E981D640

Function 008323BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4476083552.0000000000832000.00000040.00000800.00020000.00000000.sdmp, Offset: 00832000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d67f3c11ab1e5579487c253bcf0050879b85f17b03877a1574b801d8cc14072
Instruction ID: 1c8c4c7d4a60bebda3cc908bd08705e34433ae691ceae02aae0a362f911fa4a5
Opcode Fuzzy Hash: 3d67f3c11ab1e5579487c253bcf0050879b85f17b03877a1574b801d8cc14072
Instruction Fuzzy Hash: 1DD05E352402814FC725DA0CC6D4F5977D4FF90B14F0644E8AC10CB772C7A8D8C0CA40

Analysis Process: server.exePID: 5680, Parent PID: 1028COMMON

Executed Functions

Function 00CBA612 Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00CBA6B9

Memory Dump Source

Source File: 00000006.00000002.2284637623.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 41f0d9fcb634bd8b77a1bb90a22c6db9da1d1bfeb0644d1c9822e918c3f3861c
Instruction ID: 622a6c4b4af638440cabea59fb21ff8cda01fd9a63b26cc5d4a54ba546681758
Opcode Fuzzy Hash: 41f0d9fcb634bd8b77a1bb90a22c6db9da1d1bfeb0644d1c9822e918c3f3861c
Instruction Fuzzy Hash: 133181B55093806FE712CB25DC45B96BFF8EF16314F08849AE984CB292D365E909C762

Function 00CBA361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,FC3102A9,00000000,00000000,00000000,00000000), ref: 00CBA40C

Memory Dump Source

Source File: 00000006.00000002.2284637623.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a2d959a7d8b4cad48bea6b520f2cab1cc5e29556701e2814360bb43661f975dc
Instruction ID: a1a5f5932284c7c897d2ed830ffbc3fd32c8603dc201dd409239141f52831c66
Opcode Fuzzy Hash: a2d959a7d8b4cad48bea6b520f2cab1cc5e29556701e2814360bb43661f975dc
Instruction Fuzzy Hash: C9318075504740AFE721CF11CC84F93BBF8EF15310F08859AE9858B292D364E909CB72

Function 00CBA462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,FC3102A9,00000000,00000000,00000000,00000000), ref: 00CBA4F8

Memory Dump Source

Source File: 00000006.00000002.2284637623.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d9a9683f798deb18d4789b5eb30d56c7162b2d99f41ad6797ed5043ece54f2a9
Instruction ID: 7ffd6028fc8cfe65cfc2070e80e18c14e5df3152b256f8257a7ca53653d2dbb2
Opcode Fuzzy Hash: d9a9683f798deb18d4789b5eb30d56c7162b2d99f41ad6797ed5043ece54f2a9
Instruction Fuzzy Hash: 0521C1765047806FD7228F11DC44FA7BFBCEF56310F08849AE985CB652D264E948CB72

Function 00CBA646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00CBA6B9

Memory Dump Source

Source File: 00000006.00000002.2284637623.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 1920544b3c963951e83b95042ae5dfac8ae01245d735dc1876c64bda81d67f9c
Instruction ID: 6e5e47255b01b5c0047bc518a82f9ef9b285dedb37d53b8947710add092b363b
Opcode Fuzzy Hash: 1920544b3c963951e83b95042ae5dfac8ae01245d735dc1876c64bda81d67f9c
Instruction Fuzzy Hash: 9221C2B56042009FE720DF26CC45BA6FBE8EF14314F088469E9848B741D775E909CA72

Function 00CBA392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,FC3102A9,00000000,00000000,00000000,00000000), ref: 00CBA40C

Memory Dump Source

Source File: 00000006.00000002.2284637623.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b53feabc5c99105b8cefe241b1c204568d7410ede782acf20f3c0b47346ed675
Instruction ID: da5935826d1261027af494b2ced7263891c021b8f5d07c80bdbed0f6fe761fa9
Opcode Fuzzy Hash: b53feabc5c99105b8cefe241b1c204568d7410ede782acf20f3c0b47346ed675
Instruction Fuzzy Hash: CE219D75600604AFEB20CF16DC84FA7F7ECEF14710F08856AE985CB651D7A5E909CAB2

Function 00CBA710 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00CBA780

Memory Dump Source

Source File: 00000006.00000002.2284637623.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a664987ef26028ce0ae6970476ad8516421ec66a3bbbe1d5c2cd4d01c8d44da2
Instruction ID: e480cdb584a60ed3213f2ddabb6be22ed321d3f50f74bf789f9e27b54699875d
Opcode Fuzzy Hash: a664987ef26028ce0ae6970476ad8516421ec66a3bbbe1d5c2cd4d01c8d44da2
Instruction Fuzzy Hash: E421C3B55083809FDB028F25DC85751BFB8EF02324F0984DBDC858F693D235A905CB62

Function 00CBA486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,FC3102A9,00000000,00000000,00000000,00000000), ref: 00CBA4F8

Memory Dump Source

Source File: 00000006.00000002.2284637623.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 416dc0b7b87c9e46943135f7e6e75ed1ac83f0d3820ee57aa82d495919814843
Instruction ID: bf0c74ae5946a5d4b1b878d663979b160fc81b6ec163e92955af3a921a421f39
Opcode Fuzzy Hash: 416dc0b7b87c9e46943135f7e6e75ed1ac83f0d3820ee57aa82d495919814843
Instruction Fuzzy Hash: 0111BE76600600AFEB318E11DC45FA7BBECEF24710F08855AED858A641D365E9488AB2

Function 00CBA74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00CBA780

Memory Dump Source

Source File: 00000006.00000002.2284637623.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e1baf2ca7ca4c6425273f8450224dbebdc72997b9e6b4cd9eedd997259160809
Instruction ID: fc541fbf3f7231d90d75b17e1a569877ede7c94bbf4dd962eb3cc8e9cc7c5d6c
Opcode Fuzzy Hash: e1baf2ca7ca4c6425273f8450224dbebdc72997b9e6b4cd9eedd997259160809
Instruction Fuzzy Hash: B201D4756042009FDB10CF16D885795FBE4DF15320F08C4ABDC859B742D779E804CEA2

Function 04B60310 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2284977979.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a1ed175e9351f5e913ca141a2f84862d41497383d534a4c0bf0b379f081ea3
Instruction ID: 8fd41cd37b2195317fa5341b145e3be08c595e419f7429569836875bb7701986
Opcode Fuzzy Hash: b5a1ed175e9351f5e913ca141a2f84862d41497383d534a4c0bf0b379f081ea3
Instruction Fuzzy Hash: 055101317142018FCB08EB79E451BBD76E7AB85344B048469E406DB3E5DF39DD0697A2

Function 04B603BD Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2284977979.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73930ef54e86b47ba0a0c52cf261ea262ad87d9a87cc3741323732f974d1863
Instruction ID: 0cbcee7d984eb9c1734e0c345ecf70d17fd177bf508af789ff7ece9bd15e2713
Opcode Fuzzy Hash: e73930ef54e86b47ba0a0c52cf261ea262ad87d9a87cc3741323732f974d1863
Instruction Fuzzy Hash: 6041E0317101114BCB08FB7A9425BBD36D79FD5248B08446AE406DB3E5DF2DCD0697E2

Function 04B60080 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2284977979.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097a6f3df020368277e7ba039a54da582719523a1a2d064aeaa34d3892283b53
Instruction ID: d8cbaa0f16c16e2aa74b6eaa19b1a21be5ec5aa127f8eeccb13ec6178a5b2fcf
Opcode Fuzzy Hash: 097a6f3df020368277e7ba039a54da582719523a1a2d064aeaa34d3892283b53
Instruction Fuzzy Hash: FE5131312256828BC714FB74E595A8D7BB6FBA1208741892ED0448B76EDB789D0BCBC1

Function 04B60006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2284977979.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900dc4ec04abc10bfd25b0c212063ac7ebb48602e466b3f89d7c3c8886f4a0c4
Instruction ID: e5a157fbb92d70bff929388952b88701f7cdd61ead072531694b0997118f380b
Opcode Fuzzy Hash: 900dc4ec04abc10bfd25b0c212063ac7ebb48602e466b3f89d7c3c8886f4a0c4
Instruction Fuzzy Hash: 8901AB9640E3C18FD703077468256807FB06D23110B4B40EBC1D2CB5A3E24D1D0ACB22

Function 00D705E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2284749797.0000000000D70000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a23299863eae070fb46afaac2c20f2329d05df92248bd1763574ff9dc47eae
Instruction ID: 297276e44c1a7dd5db1a00f5b11836e1ad05b7cdb502242b0d42c1ce1f2b1c73
Opcode Fuzzy Hash: a1a23299863eae070fb46afaac2c20f2329d05df92248bd1763574ff9dc47eae
Instruction Fuzzy Hash: 44018B7550D7C06FD7118B15AC51862FFBCDB86620709C49FEC8997A52D125A809CB72

Function 00D70606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2284749797.0000000000D70000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b10bd5bc964ef0d30e02fd6030c91a7afb67bf50e754751ff3e33a3797adf0
Instruction ID: ad69c332f09e84114e27b45848f620da54a1aaf3bef648d71bd967dc8758f02d
Opcode Fuzzy Hash: 06b10bd5bc964ef0d30e02fd6030c91a7afb67bf50e754751ff3e33a3797adf0
Instruction Fuzzy Hash: A1E06DBAA046008F9750CF0AEC41452F7D8EB84630718C06BDC0D8BB01D639B5098AA5

Function 00CB23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2284625911.0000000000CB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e35946aa9a22ed60fa895130d7835fd2a96bdf7bded551860ac7cb217fd4eef
Instruction ID: 4f4be277594ce1344fb75778920a199c946c9ceab8196e983546f0dcd3e87988
Opcode Fuzzy Hash: 5e35946aa9a22ed60fa895130d7835fd2a96bdf7bded551860ac7cb217fd4eef
Instruction Fuzzy Hash: 03D05E792456C14FD316DA1CC1A4FD53BD4AF61719F4A44F9A8008BB63C768DA85EA00

Function 00CB23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2284625911.0000000000CB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9365664e1d67e91de23275c0a5272e2b64312bc58634eaf5d8ce89acde314ab5
Instruction ID: c89bcecc83823f32fe2a617e569268b5ddab54d505a743222ccccd7f303adde5
Opcode Fuzzy Hash: 9365664e1d67e91de23275c0a5272e2b64312bc58634eaf5d8ce89acde314ab5
Instruction Fuzzy Hash: 52D05E342002814FC725DA0CC6D4F9937D8AF54B14F0644E8AC208B772C7A8D9C0CA00

Analysis Process: server.exePID: 4072, Parent PID: 1028COMMON

Executed Functions

Function 00F6A612 Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00F6A6B9

Memory Dump Source

Source File: 00000007.00000002.2365163063.0000000000F6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6A000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: b189901fed227177305ef0996fe196ec772c9ac314c5ddfa5f04382e33ca5599
Instruction ID: 0e9c12681442498c39864aaddf6cf7663867555fe7893559241c27b47da63183
Opcode Fuzzy Hash: b189901fed227177305ef0996fe196ec772c9ac314c5ddfa5f04382e33ca5599
Instruction Fuzzy Hash: 5931A1B15093806FE711CB25CC45B96BFF8EF16310F08849AE984CF292D365E809CB62

Function 00F6A361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,07E0D837,00000000,00000000,00000000,00000000), ref: 00F6A40C

Memory Dump Source

Source File: 00000007.00000002.2365163063.0000000000F6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6b0c973dc8576aac28bd7484bb8f9c1992ccdd2b9a0f4e5830120c7c2877aa46
Instruction ID: 99633404af03872bd650957a68bea5140cb84b6f2cb5280a03d07e1b940790d7
Opcode Fuzzy Hash: 6b0c973dc8576aac28bd7484bb8f9c1992ccdd2b9a0f4e5830120c7c2877aa46
Instruction Fuzzy Hash: 0B31A071504740AFD721CF11CC85F92BBF8EF15320F08859AE985DB292D364E808CB62

Function 00F6A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,07E0D837,00000000,00000000,00000000,00000000), ref: 00F6A4F8

Memory Dump Source

Source File: 00000007.00000002.2365163063.0000000000F6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6A000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 42b03d9907684226656655ad0b6e8d5e433129a11110da90e70a49f1a24aed2d
Instruction ID: d2efb68fcfffe62e4587dd93e6d70b047e5b75e9a2bd72601f024eaa9c273212
Opcode Fuzzy Hash: 42b03d9907684226656655ad0b6e8d5e433129a11110da90e70a49f1a24aed2d
Instruction Fuzzy Hash: 4F2192B25043806FD722CF11DC44F67BFB8EF56620F08859AE985DB652D264E848CB72

Function 00F6A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00F6A6B9

Memory Dump Source

Source File: 00000007.00000002.2365163063.0000000000F6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6A000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: e32b8a4f16b845e001be6e201374e08a8c87b74425bedcd3745ccfc4765f3977
Instruction ID: e4cd6831d900986e31cc182e637eda09ec7cd3feea5065cd51ab5a1606059647
Opcode Fuzzy Hash: e32b8a4f16b845e001be6e201374e08a8c87b74425bedcd3745ccfc4765f3977
Instruction Fuzzy Hash: 7821C2B16002009FE710DF25CC45BA6FBE8EF25324F088469E948DB741D376E808CA72

Function 00F6A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,07E0D837,00000000,00000000,00000000,00000000), ref: 00F6A40C

Memory Dump Source

Source File: 00000007.00000002.2365163063.0000000000F6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e33fd06365cc0cbb2e77c926cc1ddaa59f2fb50c56d77a9bdce7a552c5b816a2
Instruction ID: 41dcec21e2836aecbca1596e4fcfdd46ef121fdd7fedbe91553f0642b27e2335
Opcode Fuzzy Hash: e33fd06365cc0cbb2e77c926cc1ddaa59f2fb50c56d77a9bdce7a552c5b816a2
Instruction Fuzzy Hash: 7D21AE72600604AFE720CF11CC85FA7B7ECEF14720F08855AE945DB751D765E848DA72

Function 00F6A710 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00F6A780

Memory Dump Source

Source File: 00000007.00000002.2365163063.0000000000F6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d9640f4a56960819babbf505cfcddcf360014c8f0065c81f079c6e5d57a8a78d
Instruction ID: 68b437421f8ca5b8b9c45e4a154f73d3d919692df385ac0634bc0fe2facf1e0b
Opcode Fuzzy Hash: d9640f4a56960819babbf505cfcddcf360014c8f0065c81f079c6e5d57a8a78d
Instruction Fuzzy Hash: 6521A1B55093809FD7028F25DC85751BFB8EF12324F0984EBDC858F693D275A905DB62

Function 00F6A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,07E0D837,00000000,00000000,00000000,00000000), ref: 00F6A4F8

Memory Dump Source

Source File: 00000007.00000002.2365163063.0000000000F6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6A000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f0f65beccb14926dbace31d2375195fc774562eed16a55ea9158d10315824549
Instruction ID: 8025650e470f2553cd962254b4f394219e554c126e8409c7cbfa7c7f2e44bc8a
Opcode Fuzzy Hash: f0f65beccb14926dbace31d2375195fc774562eed16a55ea9158d10315824549
Instruction Fuzzy Hash: E711D3B2600600AFE720CE11DC45FA7FBECEF24720F08855AED469B651D775E848DAB2

Function 00F6A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00F6A780

Memory Dump Source

Source File: 00000007.00000002.2365163063.0000000000F6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 276a88066c390a01e5614e0e78aafbaaed4a980a0303c12b7ff375a406439d20
Instruction ID: 6a49cce3547f730bce61e6fd9ed04c77035e6c907d7f9b21a7fad4d7a8efc88c
Opcode Fuzzy Hash: 276a88066c390a01e5614e0e78aafbaaed4a980a0303c12b7ff375a406439d20
Instruction Fuzzy Hash: 7A01BCB1A002008FDB10CF25D885766FBA4DF15320F08C4AADC498B642D279E808DEA2

Function 05190310 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2365810934.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe4799ba3e5ce657c4c99fd8a43a3669dedb1619873d5a7a7e0f78f76f4a500
Instruction ID: 9898d162fb253b713e89a52aaa2d9617f79f36ae0718db83aea888ca53fc5551
Opcode Fuzzy Hash: 6fe4799ba3e5ce657c4c99fd8a43a3669dedb1619873d5a7a7e0f78f76f4a500
Instruction Fuzzy Hash: 6F5131717002018FDB18EB79946467E37E7AB89244B044569E442DF3EAEF3ECC46C7A2

Function 051903BD Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2365810934.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb81837c7abcffd5d61e38ce47c9a813b4c998a88f4bce2d7dbfa23889462d2
Instruction ID: beecb709fa82598a1fdc0e7a870635fd9a8fec4a5d6d788fca296a6b216e429c
Opcode Fuzzy Hash: feb81837c7abcffd5d61e38ce47c9a813b4c998a88f4bce2d7dbfa23889462d2
Instruction Fuzzy Hash: 7D41F171B105118BDB18BB7994642BD36D76FD52887084029E482DF3E9EF3ECD0697A3

Function 05190080 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2365810934.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a830e89077b2b1c97ae32d1d0895efea81c487af01d1737a8f7ab3e185c125b0
Instruction ID: 86a2b435cd80c2175cdeafbc8ac766ecf3f26831c502bb1a8830c81ce7fa0d97
Opcode Fuzzy Hash: a830e89077b2b1c97ae32d1d0895efea81c487af01d1737a8f7ab3e185c125b0
Instruction Fuzzy Hash: A35133B062554A9BC714FF34E5F598977B3BBA42487008929E0848B77DFB389909CBC2

Function 00F405DF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2365118127.0000000000F40000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785d769b3670dac070b4674632f6fb92de0b377cbd0d0ab797a4a2039036e8a7
Instruction ID: 3b990f4292087d556621908975f33967f444a41710ddcc7acee2f4b2ffa3f5d3
Opcode Fuzzy Hash: 785d769b3670dac070b4674632f6fb92de0b377cbd0d0ab797a4a2039036e8a7
Instruction Fuzzy Hash: 0A01D6B65093805FD701CB15AC40863FFB8EB9663070884AFEC8D8B652D225A808CBB2

Function 05190007 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2365810934.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce90ffc7e168b46b652793bd253cf0562cbc3707ac6221e4e6a2bec07a60de6f
Instruction ID: 541d96a619257ba5391ee236c56d1babd0903f166170c1d2f57ca45cbdc2fb54
Opcode Fuzzy Hash: ce90ffc7e168b46b652793bd253cf0562cbc3707ac6221e4e6a2bec07a60de6f
Instruction Fuzzy Hash: EFF07AB684E3C08FD7138770AC216903F70AB27215B4F01D7D4C0CB1A3E65D494AD722

Function 00F40606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2365118127.0000000000F40000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f728979e6c678862da78de62ec455a90d5ee6feefab567232d6f0b9578fd930c
Instruction ID: 32d5eeeef8e1a0bec1ff9fba26158766d5606d09a712a8c7f1d65b46cdf69795
Opcode Fuzzy Hash: f728979e6c678862da78de62ec455a90d5ee6feefab567232d6f0b9578fd930c
Instruction Fuzzy Hash: 91E092B66006004B9750CF0AFC41462F7E8EB84630B08C07FDC0D8BB01D275F508CAA5

Function 00F623F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2365148582.0000000000F62000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F62000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c948d678e0005ee3681d8c06579e7897f9a09cf18180df92c6368d549511c3ba
Instruction ID: 31055f23b9da371dd49283936fb01fb7460f0198a7d04f4c393adb1a941ef53a
Opcode Fuzzy Hash: c948d678e0005ee3681d8c06579e7897f9a09cf18180df92c6368d549511c3ba
Instruction Fuzzy Hash: C4D05E79605AC14FD316DA1CC1A8FA537D4AF61728F4A44F9A8008BB63CB68D985E600

Function 00F623BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2365148582.0000000000F62000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F62000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f557445e8c2bbdd080ad47ec0e6293bb07901c3e6fd8e61fdaf55869b41400
Instruction ID: 130b9f764397842ec2472eba797dff6b2f9ac0a234ebd22f16ab47cb5ab08689
Opcode Fuzzy Hash: b8f557445e8c2bbdd080ad47ec0e6293bb07901c3e6fd8e61fdaf55869b41400
Instruction Fuzzy Hash: B5D05E346006814FC725DB0CC6D5F5937D4AF50B24F0644E9AC108B762C7A8D8C0DA00

Analysis Process: server.exePID: 4296, Parent PID: 1028COMMON

Executed Functions

Function 00B90310 Relevance: 3.9, Strings: 3, Instructions: 191COMMON

Download Yara Rule

Strings

-[k^, xrefs: 00B904DA, 00B904DF
[k^, xrefs: 00B90545, 00B9054A
=[k^, xrefs: 00B90477, 00B9047C

Memory Dump Source

Source File: 00000008.00000002.2446788739.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID:
String ID: [k^$-[k^$=[k^
API String ID: 0-3244988689
Opcode ID: 8972de679b7d55798ebf279de7f0c2158524a40ac2cad982fb7fb946eb4935cf
Instruction ID: 2a4494d4fbe30f75264be45e9f3da840c7914820d92c35e1fd548fbf74891e6d
Opcode Fuzzy Hash: 8972de679b7d55798ebf279de7f0c2158524a40ac2cad982fb7fb946eb4935cf
Instruction Fuzzy Hash: 2451FE327101068FCB08FB7898506BE33E7AB85344B45817AE406CB3A6DF39CD4797A2

Function 00B903BD Relevance: 3.9, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

-[k^, xrefs: 00B904DA, 00B904DF
[k^, xrefs: 00B90545, 00B9054A
=[k^, xrefs: 00B90477, 00B9047C

Memory Dump Source

Source File: 00000008.00000002.2446788739.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID:
String ID: [k^$-[k^$=[k^
API String ID: 0-3244988689
Opcode ID: 86a0fb2d2513c2c15193d6c0bbded6e8f64f3af1679f352b769d24f2f854a13f
Instruction ID: 2d1c95cd983136e9fd2463ca98317f3e1bb5cf62c64a957c45ed15a1f01597a5
Opcode Fuzzy Hash: 86a0fb2d2513c2c15193d6c0bbded6e8f64f3af1679f352b769d24f2f854a13f
Instruction Fuzzy Hash: 9D41DE327105128BCB08BBB988646BD32D79FD5288745807AE006DB3E5DF2D8D4797A2

Function 00A6A612 Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00A6A6B9

Memory Dump Source

Source File: 00000008.00000002.2446382120.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 8cfcd224d1356a80a7d5d2ec1967ea73c42bb6d265abc44b9542959c8ca8ef2e
Instruction ID: e28baca32c21bf9f3011c163d235c78ad8e3032d0de1a9760414a5dbf39f1d05
Opcode Fuzzy Hash: 8cfcd224d1356a80a7d5d2ec1967ea73c42bb6d265abc44b9542959c8ca8ef2e
Instruction Fuzzy Hash: 993181B55093806FE711CB25DC45B96BFF8EF16314F08849AE984CB292D365E909CB62

Function 00A6A361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,15B60B79,00000000,00000000,00000000,00000000), ref: 00A6A40C

Memory Dump Source

Source File: 00000008.00000002.2446382120.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7556ed6dc9bd84ef1b688250211eee5d92c657445e5de281b0ac646fdc713a17
Instruction ID: af8d71df03d293595396be359a47a628e4ff52de16337aa2e3d17dc15e9fa7f8
Opcode Fuzzy Hash: 7556ed6dc9bd84ef1b688250211eee5d92c657445e5de281b0ac646fdc713a17
Instruction Fuzzy Hash: 04318E75504780AFE722CF11CC84F92BBF8EF16310F08859AE985DB292D364E909CB62

Function 00A6A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,15B60B79,00000000,00000000,00000000,00000000), ref: 00A6A4F8

Memory Dump Source

Source File: 00000008.00000002.2446382120.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 6681498ef8e406de00d9d10f20f85abcf63d5b840502f0b8834049d8882170b2
Instruction ID: 00b2a3c65684d07e253521cd471481d9419a1ed2463b0e9c8f2d027dcbb5108a
Opcode Fuzzy Hash: 6681498ef8e406de00d9d10f20f85abcf63d5b840502f0b8834049d8882170b2
Instruction Fuzzy Hash: 4F2190765043806FD722CF11DC44FA7BFB8EF56310F08859AE985DB652D264E848CB72

Function 00A6A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00A6A6B9

Memory Dump Source

Source File: 00000008.00000002.2446382120.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 28697591f85019287d632d0460a7172d7e3723e7de931db87701b9848d901295
Instruction ID: c69491de722c5c9f6f10495bd5c8e19723abe08e1393d1f622694afce9185e6c
Opcode Fuzzy Hash: 28697591f85019287d632d0460a7172d7e3723e7de931db87701b9848d901295
Instruction Fuzzy Hash: C421B0B5600204AFE710DB25CC45BA6FBF8EF24324F088469E9449B641D375E808CA72

Function 00A6A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,15B60B79,00000000,00000000,00000000,00000000), ref: 00A6A40C

Memory Dump Source

Source File: 00000008.00000002.2446382120.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 00d9c77058e1239694816b0f783abcde61821b66682d97073cc5c92df260506c
Instruction ID: 5547316e29c63c7b96c9073bbe7ae974a3373b3ffe7f0426cb5efa25aba0f133
Opcode Fuzzy Hash: 00d9c77058e1239694816b0f783abcde61821b66682d97073cc5c92df260506c
Instruction Fuzzy Hash: 04219A75200604AEE720CF11CC88FA6B7FCEF24710F08845AE9469B692D764E808CAB2

Function 00A6A710 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A6A780

Memory Dump Source

Source File: 00000008.00000002.2446382120.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a1bdfa98124c21d22b66157d996ca6d9a74a08f4bfd550dd1420a502e7d54bd4
Instruction ID: fefd3e4e206167f33304941ca1017c603c82e21ab97e2a367213906b7a7dbc6f
Opcode Fuzzy Hash: a1bdfa98124c21d22b66157d996ca6d9a74a08f4bfd550dd1420a502e7d54bd4
Instruction Fuzzy Hash: 1721C3B55083809FD7028F25DC85751BFB8EF12324F0984DBDC858F693D235A905CB62

Function 00A6A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,15B60B79,00000000,00000000,00000000,00000000), ref: 00A6A4F8

Memory Dump Source

Source File: 00000008.00000002.2446382120.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: ed1e9edbffe9e8fb80d2da9f4799e46273ecd34f5f33c9420b79fe4ee073cea3
Instruction ID: d2794d053c14f0df7f001272aca27ec269a367b576dfe45c8b509deaa42091cc
Opcode Fuzzy Hash: ed1e9edbffe9e8fb80d2da9f4799e46273ecd34f5f33c9420b79fe4ee073cea3
Instruction Fuzzy Hash: D211BE76600604AFEB20CF11DC44FA7FBFCEF24714F08855AED469A641D765E8088AB2

Function 00A6A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A6A780

Memory Dump Source

Source File: 00000008.00000002.2446382120.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2d35dff4ade7578d47bd5947273266e6ed14793295c7df1780d65109a1def4d2
Instruction ID: 7d5223ad2cda206a790fa5113ebbe7a401e4720fee10ef91d04138b3cbf66dfa
Opcode Fuzzy Hash: 2d35dff4ade7578d47bd5947273266e6ed14793295c7df1780d65109a1def4d2
Instruction Fuzzy Hash: F801BC756002048FDB108F25D8847A6FBB4DF25320F08C4AADC49CB642D279E808CEA2

Function 00B90080 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2446788739.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13256461fc282057531edfee1fc57f6b5ee105b5f89e0665d3b0ddacbcbb649a
Instruction ID: ed6cb214de97f1e84c73a7cb51e890cf724dbcde279863354dacda8586eff845
Opcode Fuzzy Hash: 13256461fc282057531edfee1fc57f6b5ee105b5f89e0665d3b0ddacbcbb649a
Instruction Fuzzy Hash: 5851453121654ECBC704FB78E99499977A3ABA0248341CB2AD0444B76EDB3C995BCBC1

Function 00B305E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2446690759.0000000000B30000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a06f45a384921aacf0d2d517caea8f5766f8892c8202017be2e35dca20162441
Instruction ID: 5628563082318d54a57be32ce84a50890a2b1acdde9157c3c52dc7d398df7cac
Opcode Fuzzy Hash: a06f45a384921aacf0d2d517caea8f5766f8892c8202017be2e35dca20162441
Instruction Fuzzy Hash: 8F01D6B64097806FD7128B16AC41862FFB8EF86220709C49BEC498B753D225B818CB72

Function 00B90006 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2446788739.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cfd3b23a7ab5a42a3a8628475880cfd379e70f7162ea5e4e37f0f2c0659ad5a
Instruction ID: 4a7ddf4e387c52a4bbb5e7896db72598239bde015f4c63f55d5583b281296cb0
Opcode Fuzzy Hash: 7cfd3b23a7ab5a42a3a8628475880cfd379e70f7162ea5e4e37f0f2c0659ad5a
Instruction Fuzzy Hash: B1F0688640E3C14FD70713741C386603FB16E53104B5F40DB8581CE1E7E60E080AC323

Function 00B30606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2446690759.0000000000B30000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 828592c51e80a56ff1303eabe3b5e5c92e8002b78cffc55e6bee834595dd446a
Instruction ID: f7cb20359172f6f4ac49f784b03023becaab356c5561f07aaff5b71ba8bad576
Opcode Fuzzy Hash: 828592c51e80a56ff1303eabe3b5e5c92e8002b78cffc55e6bee834595dd446a
Instruction Fuzzy Hash: F2E012B66046445F9750DF0BFC45452F7E8EB84630718C47FDC0D8BB11D675B909CAA5

Function 00A623F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2446358751.0000000000A62000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A62000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e68369b0af3616730d07cbd3a726766d501bb35ee9b1fa1a8ec3d5a727c850c3
Instruction ID: 5e676b918e873a366deb68c8374276f3f60cad8c00a94f43b6465d09be7e9eac
Opcode Fuzzy Hash: e68369b0af3616730d07cbd3a726766d501bb35ee9b1fa1a8ec3d5a727c850c3
Instruction Fuzzy Hash: 18D05E79245AC14FD316DB1CC1ACFA537E4AF61718F4A44F9A8008BB63CB68D985D600

Function 00A623BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2446358751.0000000000A62000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A62000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b64d37259a502dbed9d922b58d2bff0f3e9ed4804bcf037fbb6077edbdc4b7
Instruction ID: 86390551eae109b9e88e2f79ea13b2501b71ef2e5e05d3b999776fcb6d56aeb3
Opcode Fuzzy Hash: c0b64d37259a502dbed9d922b58d2bff0f3e9ed4804bcf037fbb6077edbdc4b7
Instruction Fuzzy Hash: 10D05E342006814FD725DB0CC6D4F5937E4AF50B14F0644E9AC108F762C7A8D8C0CA00

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Server.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server.exe.log

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73e4ea7af59bea49b79c8c5f799f272d.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\server.exe

C:\Users\user\AppData\Roaming\server.exe:Zone.Identifier

\Device\ConDrv

Static File Info

Windows Analysis Report
Server.exe