Edit tour

Windows Analysis Report
HOrW5twCLd.exe

Overview

General Information

Sample name:	HOrW5twCLd.exe renamed because original name is a hash value
Original sample name:	1A82EBD26769009CFA116D6C722D7AF2.exe
Analysis ID:	1581009
MD5:	1a82ebd26769009cfa116d6c722d7af2
SHA1:	dfbeb5e3a3e83ae8daaf388f4ef6de430f6e0fa6
SHA256:	eb9dc118872152800b1bc901fee1162be82ccb6772e0a1706b56fed261255037
Tags:	exeXenoRATuser-abuse_ch
Infos:

Detection

XenoRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XenoRAT

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Potentially Suspicious Malware Callback Communication

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Yara signature match

Classification

Process Tree

System is w10x64

HOrW5twCLd.exe (PID: 5960 cmdline: "C:\Users\user\Desktop\HOrW5twCLd.exe" MD5: 1A82EBD26769009CFA116D6C722D7AF2)

HOrW5twCLd.exe (PID: 2188 cmdline: "C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe" MD5: 1A82EBD26769009CFA116D6C722D7AF2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XenoRAT		No Attribution	https://axmahr.github.io/posts/xenorat-detection/ https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/ https://github.com/moom825/xeno-rat https://hunt.io/blog/good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github https://hunt.io/blog/xenorat-excel-xll-confuserex-as-access-method	https://malpedia.caad.fkie.fraunhofer.de/details/win.xenorat

Malware Configuration

Threatname: XenoRAT

{"C2 url": "147.45.69.75", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "temp"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
HOrW5twCLd.exe	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
HOrW5twCLd.exe	rat_win_xeno_rat	Xeno RAT is an open-source RAT, used by Kimsuky in January 2024	Sekoia.io	0xb15c:$: Xeno-manager 0x250:$: moom825

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	rat_win_xeno_rat	Xeno RAT is an open-source RAT, used by Kimsuky in January 2024	Sekoia.io	0xb15c:$: Xeno-manager 0x250:$: moom825

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1649524028.0000000000402000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Process Memory Space: HOrW5twCLd.exe PID: 5960	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.HOrW5twCLd.exe.400000.0.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
0.0.HOrW5twCLd.exe.400000.0.unpack	rat_win_xeno_rat	Xeno RAT is an open-source RAT, used by Kimsuky in January 2024	Sekoia.io	0xb15c:$: Xeno-manager 0x250:$: moom825

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 147.45.69.75, DestinationIsIpv6: false, DestinationPort: 4444, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe, Initiated: true, ProcessId: 2188, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Suricata Signatures

ET MALWARE Xenorat Default Handshake Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T16:37:02.457048+0100	2058419	1	A Network Trojan was detected	147.45.69.75	4444	192.168.2.4	49730	TCP
2024-12-26T16:37:05.594864+0100	2058419	1	A Network Trojan was detected	147.45.69.75	4444	192.168.2.4	49731	TCP
2024-12-26T16:37:08.930806+0100	2058419	1	A Network Trojan was detected	147.45.69.75	4444	192.168.2.4	49732	TCP

ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T16:36:59.853815+0100	2050110	1	Malware Command and Control Activity Detected	147.45.69.75	4444	192.168.2.4	49732	TCP

ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T16:37:49.469089+0100	2050111	1	Malware Command and Control Activity Detected	192.168.2.4	49731	147.45.69.75	4444	TCP
2024-12-26T16:38:17.767066+0100	2050111	1	Malware Command and Control Activity Detected	192.168.2.4	49731	147.45.69.75	4444	TCP
2024-12-26T16:38:55.235188+0100	2050111	1	Malware Command and Control Activity Detected	192.168.2.4	49731	147.45.69.75	4444	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: HOrW5twCLd.exe

Malware Configuration Extractor: XenoRAT {"C2 url": "147.45.69.75", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "temp"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe

ReversingLabs: Detection: 76%

Multi AV Scanner detection for submitted file

Source: HOrW5twCLd.exe	Virustotal: Detection: 69%			Perma Link
Source: HOrW5twCLd.exe	ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: HOrW5twCLd.exe

Joe Sandbox ML: detected

Source: HOrW5twCLd.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058419 - Severity 1 - ET MALWARE Xenorat Default Handshake Inbound : 147.45.69.75:4444 -> 192.168.2.4:49731
Source: Network traffic	Suricata IDS: 2058419 - Severity 1 - ET MALWARE Xenorat Default Handshake Inbound : 147.45.69.75:4444 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2058419 - Severity 1 - ET MALWARE Xenorat Default Handshake Inbound : 147.45.69.75:4444 -> 192.168.2.4:49732
Source: Network traffic	Suricata IDS: 2050111 - Severity 1 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive : 192.168.2.4:49731 -> 147.45.69.75:4444
Source: Network traffic	Suricata IDS: 2050110 - Severity 1 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In : 147.45.69.75:4444 -> 192.168.2.4:49732

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 147.45.69.75

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 147.45.69.75:4444

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.69.75

Source: HOrW5twCLd.exe, 00000001.00000002.2903031561.00000000030CE000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: HOrW5twCLd.exe, type: SAMPLE	Matched rule: Xeno RAT is an open-source RAT, used by Kimsuky in January 2024 Author: Sekoia.io
Source: 0.0.HOrW5twCLd.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Xeno RAT is an open-source RAT, used by Kimsuky in January 2024 Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe, type: DROPPED	Matched rule: Xeno RAT is an open-source RAT, used by Kimsuky in January 2024 Author: Sekoia.io

Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Code function: 0_2_02610B13	0_2_02610B13
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Code function: 1_2_01709918	1_2_01709918
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Code function: 1_2_01709048	1_2_01709048
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Code function: 1_2_01702321	1_2_01702321
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Code function: 1_2_01700B15	1_2_01700B15
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Code function: 1_2_01708D00	1_2_01708D00

Source: HOrW5twCLd.exe, 00000000.00000002.1653083753.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXeno_manager.exe: vs HOrW5twCLd.exe
Source: HOrW5twCLd.exe, 00000000.00000000.1649540470.000000000040E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXeno_manager.exe: vs HOrW5twCLd.exe
Source: HOrW5twCLd.exe, 00000000.00000002.1653083753.00000000008FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs HOrW5twCLd.exe
Source: HOrW5twCLd.exe, 00000001.00000002.2901634706.000000000125E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs HOrW5twCLd.exe
Source: HOrW5twCLd.exe	Binary or memory string: OriginalFilenameXeno_manager.exe: vs HOrW5twCLd.exe
Source: HOrW5twCLd.exe.0.dr	Binary or memory string: OriginalFilenameXeno_manager.exe: vs HOrW5twCLd.exe

Source: HOrW5twCLd.exe, type: SAMPLE	Matched rule: rat_win_xeno_rat author = Sekoia.io, description = Xeno RAT is an open-source RAT, used by Kimsuky in January 2024, creation_date = 2024-02-09, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/moom825/xeno-rat/tree/main/xeno%20rat%20client, id = 4be1ff07-8180-42a8-9f51-b5e17bf23442
Source: 0.0.HOrW5twCLd.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xeno_rat author = Sekoia.io, description = Xeno RAT is an open-source RAT, used by Kimsuky in January 2024, creation_date = 2024-02-09, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/moom825/xeno-rat/tree/main/xeno%20rat%20client, id = 4be1ff07-8180-42a8-9f51-b5e17bf23442
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe, type: DROPPED	Matched rule: rat_win_xeno_rat author = Sekoia.io, description = Xeno RAT is an open-source RAT, used by Kimsuky in January 2024, creation_date = 2024-02-09, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/moom825/xeno-rat/tree/main/xeno%20rat%20client, id = 4be1ff07-8180-42a8-9f51-b5e17bf23442

Source: HOrW5twCLd.exe, Encryption.cs	Cryptographic APIs: 'CreateDecryptor'
Source: HOrW5twCLd.exe.0.dr, Encryption.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/3@0/1

Source: C:\Users\user\Desktop\HOrW5twCLd.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HOrW5twCLd.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Mutant created: \Sessions\1\BaseNamedObjects\Xeno_rat_nd8912d-admin

Source: C:\Users\user\Desktop\HOrW5twCLd.exe

File created: C:\Users\user\AppData\Local\Temp\XenoManager

Jump to behavior

Source: HOrW5twCLd.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: HOrW5twCLd.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\HOrW5twCLd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HOrW5twCLd.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HOrW5twCLd.exe	Virustotal: Detection: 69%
Source: HOrW5twCLd.exe	ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\HOrW5twCLd.exe

File read: C:\Users\user\Desktop\HOrW5twCLd.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HOrW5twCLd.exe "C:\Users\user\Desktop\HOrW5twCLd.exe"
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Process created: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe "C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe"
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Process created: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe "C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\user\Desktop\HOrW5twCLd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: HOrW5twCLd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HOrW5twCLd.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: HOrW5twCLd.exe, DllHandler.cs	.Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: HOrW5twCLd.exe, DllHandler.cs	.Net Code: DllNodeHandler
Source: HOrW5twCLd.exe.0.dr, DllHandler.cs	.Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: HOrW5twCLd.exe.0.dr, DllHandler.cs	.Net Code: DllNodeHandler

Source: HOrW5twCLd.exe

Static PE information: 0xB6F61BA2 [Sat Apr 9 13:44:02 2067 UTC]

Source: C:\Users\user\Desktop\HOrW5twCLd.exe

File created: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe

Jump to dropped file

Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Memory allocated: 2530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Memory allocated: 2530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Memory allocated: 1700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Memory allocated: 30C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Memory allocated: 50C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Window / User API: threadDelayed 4059			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Window / User API: threadDelayed 5768			Jump to behavior

Source: C:\Users\user\Desktop\HOrW5twCLd.exe TID: 2008	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe TID: 6024	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe TID: 5080	Thread sleep count: 4059 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe TID: 6008	Thread sleep count: 5768 > 30	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: HOrW5twCLd.exe, 00000001.00000002.2901634706.00000000012D3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\HOrW5twCLd.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\HOrW5twCLd.exe

Process created: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe "C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe"

Jump to behavior

Source: HOrW5twCLd.exe, 00000001.00000002.2903031561.00000000030CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer - Program Manager`
Source: HOrW5twCLd.exe, 00000001.00000002.2903031561.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, HOrW5twCLd.exe, 00000001.00000002.2903031561.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, HOrW5twCLd.exe, 00000001.00000002.2903031561.00000000032C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: HOrW5twCLd.exe, 00000001.00000002.2903031561.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, HOrW5twCLd.exe, 00000001.00000002.2903031561.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, HOrW5twCLd.exe, 00000001.00000002.2903031561.00000000032C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer - Prog@\^q explorer - Program Manager
Source: HOrW5twCLd.exe, 00000001.00000002.2903031561.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, HOrW5twCLd.exe, 00000001.00000002.2903031561.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, HOrW5twCLd.exe, 00000001.00000002.2903031561.00000000032C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer - Program Manager
Source: HOrW5twCLd.exe, 00000001.00000002.2903031561.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, HOrW5twCLd.exe, 00000001.00000002.2903031561.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, HOrW5twCLd.exe, 00000001.00000002.2903031561.00000000032C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerlB^q
Source: HOrW5twCLd.exe, 00000001.00000002.2903031561.00000000032C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ,@\^q explorer - Program Manager

Source: C:\Users\user\Desktop\HOrW5twCLd.exe	Queries volume information: C:\Users\user\Desktop\HOrW5twCLd.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: HOrW5twCLd.exe, 00000001.00000002.2901634706.0000000001293000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected XenoRAT

Source: Yara match	File source: HOrW5twCLd.exe, type: SAMPLE
Source: Yara match	File source: 0.0.HOrW5twCLd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1649524028.0000000000402000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HOrW5twCLd.exe PID: 5960, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe, type: DROPPED

Remote Access Functionality

Yara detected XenoRAT

Source: Yara match	File source: HOrW5twCLd.exe, type: SAMPLE
Source: Yara match	File source: 0.0.HOrW5twCLd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1649524028.0000000000402000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HOrW5twCLd.exe PID: 5960, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	12 Process Injection	1 Masquerading	OS Credential Dumping	121 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HOrW5twCLd.exe	69%	Virustotal		Browse
HOrW5twCLd.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.XenoRAT
HOrW5twCLd.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.XenoRAT

Source	Detection	Scanner	Label	Link
147.45.69.75	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
147.45.69.75	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	HOrW5twCLd.exe, 00000001.00000002.2903031561.00000000030CE000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.45.69.75	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581009
Start date and time:	2024-12-26 16:36:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HOrW5twCLd.exe renamed because original name is a hash value
Original Sample Name:	1A82EBD26769009CFA116D6C722D7AF2.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/3@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 147 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target HOrW5twCLd.exe, PID 2188 because it is empty
Execution Graph export aborted for target HOrW5twCLd.exe, PID 5960 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:37:52	API Interceptor	891565x Sleep call for process: HOrW5twCLd.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse	147.45.44.224
	qoqD1RxV0F.exe	Get hash	malicious	LummaC	Browse	147.45.44.131
	iviewers.dll	Get hash	malicious	LummaC	Browse	147.45.44.131
	Collapse.exe	Get hash	malicious	LummaC	Browse	147.45.47.81
	nTyPEbq9wQ.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	7A2lfjTYNf.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	6fW0guYpsH.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	FzmtNV0vnG.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	lKin1m7Pf2.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	jqplot.hta	Get hash	malicious	Unknown	Browse	147.45.112.248

Process:	C:\Users\user\Desktop\HOrW5twCLd.exe
File Type:	CSV text
Category:	modified
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe

Download File

Process:	C:\Users\user\Desktop\HOrW5twCLd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.642062716726581
Encrypted:	false
SSDEEP:	768:SdhO/poiiUcjlJIn/lH9Xqk5nWEZ5SbTDabWI7CPW5h:0w+jjgn9H9XqcnW85SbTSWI5
MD5:	1A82EBD26769009CFA116D6C722D7AF2
SHA1:	DFBEB5E3A3E83AE8DAAF388F4EF6DE430F6E0FA6
SHA-256:	EB9DC118872152800B1BC901FEE1162BE82CCB6772E0A1706B56FED261255037
SHA-512:	940E9EBFCA92940F6E471A3001DDD958AEF933178B29F424F9D4C1E2F964915AE1369E6C690CB6024E92B8E5B5DE51B98B74F762365F91FDCE3B38E4204DD65F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe, Author: Joe Security Rule: rat_win_xeno_rat, Description: Xeno RAT is an open-source RAT, used by Kimsuky in January 2024, Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe, Author: Sekoia.io
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................... ............`.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......,l...^......^...................................................moom825...gB...\v...U.g.6#...E...x..F...(......s....}.....r...p}.....(....(...........s....o......o....s....( ...r...p(!...,.("....6.\|.....(?...V.(......}......}.....6.\|.....(?...6.\|.....(?...6.\|"....(?...6.\|&....(?...6.\|-....(?...6.\|2....(?...6.\|;....(?...6.\|A....(?.....sl...}F.....}I.....}J.....}K....(......}G.....}E...6.{F....om...f..i..i3.....ij(+.......6.{G....oL...2.{G...oM...*

C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\HOrW5twCLd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.642062716726581
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	HOrW5twCLd.exe
File size:	46'592 bytes
MD5:	1a82ebd26769009cfa116d6c722d7af2
SHA1:	dfbeb5e3a3e83ae8daaf388f4ef6de430f6e0fa6
SHA256:	eb9dc118872152800b1bc901fee1162be82ccb6772e0a1706b56fed261255037
SHA512:	940e9ebfca92940f6e471a3001ddd958aef933178b29f424f9d4c1e2f964915ae1369e6c690cb6024e92b8e5b5de51b98b74f762365f91fdce3b38e4204dd65f
SSDEEP:	768:SdhO/poiiUcjlJIn/lH9Xqk5nWEZ5SbTDabWI7CPW5h:0w+jjgn9H9XqcnW85SbTSWI5
TLSH:	DE23E84C5BAC8923E6AF5ABD9432426387B3F3669532E38F08CCD4E9379339554053A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................... ............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40cb0e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB6F61BA2 [Sat Apr 9 13:44:02 2067 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcabc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x5d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xab14	0xac00	f3915cc02e405c1dab264f4e6a60d98c	False	0.44958212209302323	data	5.726046595646266	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x5d0	0x600	413d41ad2a0da7fe255f98970731f053	False	0.453125	data	4.404307394530879	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	01acd2af66a5901a5067e09bcf43dbb2	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x344	data			0.4533492822966507
RT_MANIFEST	0xe3e4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-26T16:36:59.853815+0100	2050110	ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In	1	147.45.69.75	4444	192.168.2.4	49732	TCP
2024-12-26T16:37:02.457048+0100	2058419	ET MALWARE Xenorat Default Handshake Inbound	1	147.45.69.75	4444	192.168.2.4	49730	TCP
2024-12-26T16:37:05.594864+0100	2058419	ET MALWARE Xenorat Default Handshake Inbound	1	147.45.69.75	4444	192.168.2.4	49731	TCP
2024-12-26T16:37:08.930806+0100	2058419	ET MALWARE Xenorat Default Handshake Inbound	1	147.45.69.75	4444	192.168.2.4	49732	TCP
2024-12-26T16:37:49.469089+0100	2050111	ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive	1	192.168.2.4	49731	147.45.69.75	4444	TCP
2024-12-26T16:38:17.767066+0100	2050111	ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive	1	192.168.2.4	49731	147.45.69.75	4444	TCP
2024-12-26T16:38:55.235188+0100	2050111	ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive	1	192.168.2.4	49731	147.45.69.75	4444	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 26, 2024 16:37:01.019654036 CET	49730	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:01.139525890 CET	4444	49730	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:01.139614105 CET	49730	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:02.457047939 CET	4444	49730	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:02.478647947 CET	49730	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:02.598243952 CET	4444	49730	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:02.905951977 CET	4444	49730	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:02.908004999 CET	49730	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:03.027596951 CET	4444	49730	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:03.334444046 CET	4444	49730	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:03.385056019 CET	49730	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:03.546621084 CET	4444	49730	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:03.588179111 CET	49730	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:03.728734970 CET	49730	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:03.852597952 CET	4444	49730	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:04.161086082 CET	4444	49730	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:04.164901018 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:04.213184118 CET	49730	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:04.285247087 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:04.285331011 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:05.594863892 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:05.595973969 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:05.715691090 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:06.050466061 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:06.057648897 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:06.061182976 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:06.064749002 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:06.068274021 CET	49730	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:06.177401066 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:06.180797100 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:06.184380054 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:06.187830925 CET	4444	49730	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:07.499500036 CET	4444	49730	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:07.499963045 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:07.500478029 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:07.501384020 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:07.541305065 CET	49730	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:07.620265007 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:07.620352983 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:07.620902061 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:08.922313929 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:08.930805922 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:08.933712006 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:08.941184998 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:09.053366899 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:09.060749054 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:09.362471104 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:09.363922119 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:09.364345074 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:09.364717007 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:09.365098953 CET	49730	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:09.483652115 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:09.484029055 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:09.484397888 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:09.485034943 CET	4444	49730	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:10.375487089 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:10.377114058 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:10.496925116 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:10.780282021 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:10.793214083 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:10.912992954 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:11.974900007 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:11.976258039 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:12.095866919 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:13.208580017 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:13.213205099 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:13.333159924 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:13.406213999 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:13.407222986 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:13.526861906 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:14.829190969 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:14.836038113 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:14.955650091 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:15.643738985 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:15.649983883 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:15.770648003 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:16.265564919 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:16.266722918 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:16.386488914 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:17.686777115 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:17.688086987 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:17.807856083 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:18.076719046 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:18.081022024 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:18.200644970 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:19.125252008 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:19.126442909 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:19.246115923 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:20.514897108 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:20.520339012 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:20.558296919 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:20.559185028 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:20.640054941 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:20.678952932 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:21.998577118 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:22.000003099 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:22.119834900 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:22.952228069 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:22.956777096 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:23.076462030 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:23.437026978 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:23.456063986 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:23.575746059 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:24.889520884 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:24.890966892 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:25.010670900 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:25.373884916 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:25.378129959 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:25.497960091 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:26.330935001 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:26.336113930 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:26.455765963 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:27.750510931 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:27.751722097 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:27.797665119 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:27.802607059 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:27.872935057 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:27.922477007 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:29.187699080 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:29.189027071 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:29.308840990 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:30.217432976 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:30.221667051 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:30.341366053 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:30.623733044 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:30.625005960 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:30.744935036 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:32.059624910 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:32.060992002 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:32.180860043 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:32.654747963 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:32.659569025 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:32.779237032 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:33.501197100 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:33.502594948 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:33.622209072 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:34.922486067 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:34.925841093 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:35.045408964 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:35.092461109 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:35.096999884 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:35.216689110 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:36.342832088 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:36.344208002 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:36.464078903 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:37.529580116 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:37.557857037 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:37.677508116 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:37.766458988 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:37.771106005 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:37.891763926 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:39.189698935 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:39.191245079 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:39.310906887 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:39.984157085 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:39.989108086 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:40.108741999 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:40.640028954 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:40.641578913 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:40.761147976 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:42.076785088 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:42.078027964 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:42.197611094 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:42.420197010 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:42.424992085 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:42.544589996 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:43.531725883 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:43.533004045 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:43.653415918 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:44.857681036 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:44.867732048 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:44.969744921 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:44.971350908 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:45.182095051 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:45.275855064 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:45.286330938 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:45.286343098 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:45.286351919 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:45.286521912 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:45.302037954 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:45.395806074 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:46.592750072 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:46.593988895 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:46.713679075 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:47.592874050 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:47.597739935 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:47.718523979 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:48.031563997 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:48.033041954 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:48.152795076 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:49.467406988 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:49.469089031 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:49.589556932 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:50.027592897 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:50.035706997 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:50.155438900 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:50.907238007 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:50.908601046 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:51.213273048 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:51.478518963 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:51.478581905 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:51.478617907 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:51.478718042 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:52.467408895 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:52.472234011 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:52.591840029 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:52.783695936 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:52.784979105 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:52.905039072 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:54.218117952 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:54.219780922 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:54.339471102 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:54.919364929 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:54.924238920 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:55.043915033 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:55.655165911 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:55.697658062 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:55.722634077 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:55.842536926 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:57.327236891 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:57.328948975 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:57.358302116 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:57.364479065 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:57.448798895 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:57.484174967 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:58.764256001 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:37:58.781487942 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:37:58.902895927 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:00.178219080 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:00.178270102 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:00.178404093 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:00.182665110 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:00.201864004 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:00.202883005 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:00.302273035 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:00.322624922 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:01.640095949 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:01.649415970 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:01.769042015 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:02.607726097 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:02.612651110 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:02.732517004 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:03.238329887 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:03.239826918 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:03.360070944 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:04.657588959 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:04.659522057 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:04.779299974 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:05.141869068 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:05.158565998 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:05.278219938 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:06.076888084 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:06.078056097 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:06.197845936 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:07.561661005 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:07.563905001 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:07.594212055 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:07.599029064 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:07.683696032 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:07.718807936 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:09.077307940 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:09.078366041 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:09.198177099 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:10.029783964 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:10.034368038 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:10.154145002 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:10.500212908 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:10.501336098 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:10.620951891 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:12.035175085 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:12.036729097 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:12.156379938 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:12.451390982 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:12.455851078 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:12.575468063 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:13.468121052 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:13.469244003 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:13.589498997 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:14.925215006 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:14.929692030 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:14.930413008 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:14.931318045 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:15.049808979 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:15.051112890 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:16.342633009 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:16.343781948 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:16.466917992 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:17.359143972 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:17.363051891 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:17.482779980 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:17.765552998 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:17.767066002 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:17.886619091 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:19.202112913 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:19.203319073 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:19.323719025 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:19.795814991 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:19.799642086 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:19.919245958 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:20.639560938 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:20.640721083 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:20.761883974 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:22.155458927 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:22.156461954 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:22.220436096 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:22.225578070 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:22.276137114 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:22.345395088 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:23.592385054 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:23.595099926 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:23.714735031 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:24.654652119 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:24.687891006 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:24.994584084 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:25.029292107 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:25.029333115 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:25.029985905 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:25.030339956 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:25.031668901 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:25.114521980 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:25.151365995 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:26.451509953 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:26.452625990 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:26.572249889 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:27.526473999 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:27.548111916 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:27.704482079 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:27.704533100 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:27.765003920 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:27.906686068 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:27.907963037 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:28.027637959 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:29.344167948 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:29.345331907 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:29.465272903 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:30.077944994 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:30.081938028 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:30.201482058 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:30.831310034 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:30.832741976 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:30.952285051 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:32.248816013 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:32.249947071 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:32.369616985 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:32.514249086 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:32.519002914 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:32.638672113 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:33.686352968 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:33.687454939 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:33.807044983 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:34.951590061 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:34.957247019 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:35.076773882 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:35.123577118 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:35.124751091 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:35.244592905 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:36.561144114 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:36.562319994 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:36.681847095 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:37.388808012 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:37.393568993 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:37.513051033 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:38.016237974 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:38.019438028 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:38.139523029 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:39.453100920 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:39.456139088 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:39.575741053 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:39.827792883 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:39.832412004 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:39.952663898 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:40.891695023 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:40.892914057 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:41.012552023 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:42.264281034 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:42.268779993 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:42.329432011 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:42.330609083 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:42.388895035 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:42.450190067 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:43.765034914 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:43.766695976 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:43.886706114 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:44.702212095 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:44.707216978 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:44.826734066 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:45.202091932 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:45.203299046 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:45.322962046 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:46.623725891 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:46.625057936 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:46.744738102 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:47.124762058 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:47.130274057 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:47.251637936 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:48.061503887 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:48.062922955 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:48.182629108 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:49.499646902 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:49.501024008 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:49.560471058 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:49.565202951 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:49.620718002 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:49.685273886 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:50.922056913 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:50.925946951 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:51.045932055 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:51.999963045 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:52.007209063 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:52.132569075 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:52.376877069 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:52.379046917 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:52.498714924 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:53.811327934 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:53.812454939 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:53.932343960 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:54.435600996 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:54.440258980 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:54.566653967 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:55.234014034 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:55.235188007 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:55.355966091 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:56.654959917 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:56.656128883 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:56.779079914 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:56.858886957 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:56.862556934 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:56.982285023 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:58.096106052 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:58.098959923 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:58.218600988 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:59.296709061 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:59.302484989 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:59.422123909 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:59.530539989 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:38:59.532202959 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:38:59.651966095 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:39:00.965894938 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:39:01.010327101 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:39:01.070564985 CET	49731	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:39:01.190203905 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:39:01.734658003 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:39:01.738432884 CET	49732	4444	192.168.2.4	147.45.69.75
Dec 26, 2024 16:39:01.858088017 CET	4444	49732	147.45.69.75	192.168.2.4
Dec 26, 2024 16:39:02.498501062 CET	4444	49731	147.45.69.75	192.168.2.4
Dec 26, 2024 16:39:02.541538000 CET	49731	4444	192.168.2.4	147.45.69.75

Target ID:	0
Start time:	10:36:55
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\HOrW5twCLd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HOrW5twCLd.exe"
Imagebase:	0x400000
File size:	46'592 bytes
MD5 hash:	1A82EBD26769009CFA116D6C722D7AF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000000.00000000.1649524028.0000000000402000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:36:55
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe"
Imagebase:	0xda0000
File size:	46'592 bytes
MD5 hash:	1A82EBD26769009CFA116D6C722D7AF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe, Author: Joe Security Rule: rat_win_xeno_rat, Description: Xeno RAT is an open-source RAT, used by Kimsuky in January 2024, Source: C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe, Author: Sekoia.io
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Function 02610B13 Relevance: 1.8, Strings: 1, Instructions: 574COMMON

Download Yara Rule

Strings

dbq, xrefs: 02610CA2

Memory Dump Source

Source File: 00000000.00000002.1653638761.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2610000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: dbq
API String ID: 0-1887291361
Opcode ID: e9183f09ff292410090efed12e10c9bddaaaf4cfb0f84ae66edd436e9d847524
Instruction ID: 7ec93a9acb2026bd223a10a12001c0cf9933199ceda75dca0ea10580f0fe9dc5
Opcode Fuzzy Hash: e9183f09ff292410090efed12e10c9bddaaaf4cfb0f84ae66edd436e9d847524
Instruction Fuzzy Hash: BF421B74A002498FCB05DFA8C584A9DBBF2BF89314F1585A9E805EF369DB30AD85CF50

Function 02610981 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02610A64

Memory Dump Source

Source File: 00000000.00000002.1653638761.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2610000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 52f547972cb9bd72e4024a8f77e516f5ec865c2b7470eb2026cbcbc479f433d9
Instruction ID: 888ade1d39a790d132a07696a36d8c993c5c25d8854f283a91cbdfaa6a907ac2
Opcode Fuzzy Hash: 52f547972cb9bd72e4024a8f77e516f5ec865c2b7470eb2026cbcbc479f433d9
Instruction Fuzzy Hash: 3E211574910209DFDB01EFA8E984A9DBBB1FF45304B009AA9D014DB36AFB745E49CF91

Function 02610990 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02610A64

Memory Dump Source

Source File: 00000000.00000002.1653638761.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2610000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 19ead47e6170bb180845825e7c8e14515b9e1bb47efccf7267a8d47c55eba4f8
Instruction ID: 919dc6910b2765855d8e001b57f14cc41a9a9c4312050d56ab25c656f04caf17
Opcode Fuzzy Hash: 19ead47e6170bb180845825e7c8e14515b9e1bb47efccf7267a8d47c55eba4f8
Instruction Fuzzy Hash: 2A2100749102099FDB01EFA8E984A9DBBB1FF44304B109A69D0189B369EB746A49CF81

Function 02610877 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653638761.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2610000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63da92231108e09204ea5f7e04893b05c3f518a2acb9f69a1c329d2060751d5f
Instruction ID: 704ee03edc88e8abb3ffc6e4c7630145e6a28bd2d4ccc58d7b71a4281909c7e7
Opcode Fuzzy Hash: 63da92231108e09204ea5f7e04893b05c3f518a2acb9f69a1c329d2060751d5f
Instruction Fuzzy Hash: 45018F32D1065A97CB009BB4CC445CDBB76FFCA310F5A0655D101BB160EBB0298AC790

Function 026108F9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653638761.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2610000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0795afcdef7de7f85bfbdfa75325287bc12d9cbbb2229003c0feb9d387ef62
Instruction ID: 2dda99aa9ad47763a43476ec242405f2c9cfadfd70b7a10cb76e08e9a66bdc44
Opcode Fuzzy Hash: da0795afcdef7de7f85bfbdfa75325287bc12d9cbbb2229003c0feb9d387ef62
Instruction Fuzzy Hash: FFF0C272910549ABEF15DB64C8A5AEFBBB9AF84300F04486AD442AB254DE706906CBD2

Function 02610908 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653638761.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2610000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e125504539f2c19e57f19125a73e413ef26a79c73d47b2b110c08320349a779b
Instruction ID: 555ae11cd12474378f8b0b2fcbdc9fce4b5a3fb0128cc6dabd189b20bbd86e27
Opcode Fuzzy Hash: e125504539f2c19e57f19125a73e413ef26a79c73d47b2b110c08320349a779b
Instruction Fuzzy Hash: A0F0E232E101099BEF04DB74C4659EFBFBA9F84300F048926D402BB244DEB069068AD2

Function 026113A1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653638761.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2610000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81fb5938b7f5f0f5b3e66b8126bdf226a2883f9e1a15df0de316c651d27c08d2
Instruction ID: 99fbd2d2059b91d861e0b38088ef30e07561cca98e8b13f5a3c5c3e60171f17d
Opcode Fuzzy Hash: 81fb5938b7f5f0f5b3e66b8126bdf226a2883f9e1a15df0de316c651d27c08d2
Instruction Fuzzy Hash: 3DF090B5D0024A8BCF10EFB489421BEBFB1AF06600F5846E9C65DE7619FA322542CBC0

Function 02610839 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653638761.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2610000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c59299ab10bfe942c2cc92fd565031283754757057181e4462fc6200911552
Instruction ID: f13a97395e82f1a6ea5f264bad6650d4ad037736c2365aaa2c2798aeccce9afe
Opcode Fuzzy Hash: 56c59299ab10bfe942c2cc92fd565031283754757057181e4462fc6200911552
Instruction Fuzzy Hash: B8E09AA08083889FDB01CFB485157997BB4EF0A241F2408D9E888CF212DB319A00C385

Function 02610848 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653638761.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2610000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c2569f449b4657fedd8866ebc74caaaea5ac6cf3608ec5730bbf7e6ef4fbf8
Instruction ID: 1b38d88175e27c542d5fd768aab64ef84343508fe95e41540035beaa2b0667ae
Opcode Fuzzy Hash: 84c2569f449b4657fedd8866ebc74caaaea5ac6cf3608ec5730bbf7e6ef4fbf8
Instruction Fuzzy Hash: 8FD01771905248AFDB41CFB4C94575D7BB8AB05240F644496E848CB215DB319E50C791

Function 026113B0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653638761.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2610000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef043d575c0f54f122b0501c9fa8b484036c79d8b33f2a125a1e09fb6ee5efe
Instruction ID: f096f704ec28eb50e66b1b0733bfbf9766c124849d10dce6e6082685a408bb19
Opcode Fuzzy Hash: fef043d575c0f54f122b0501c9fa8b484036c79d8b33f2a125a1e09fb6ee5efe
Instruction Fuzzy Hash: D2E042B4D0530E9F8F44EFBA88421AEBFF5AB49200F5485AA8A08E3204E67066518FD1

Analysis Process: HOrW5twCLd.exePID: 2188, Parent PID: 5960COMMON

Executed Functions

Function 01700B15 Relevance: 1.8, Strings: 1, Instructions: 576COMMON

Download Yara Rule

Strings

dbq, xrefs: 01700CA2

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: dbq
API String ID: 0-1887291361
Opcode ID: 23f1b77a76a3930b3350ec074b51be89ff8f9a3d1ef5da2e6f4b77bff0eeef2b
Instruction ID: 67a3d5b9fdfc40a972e92ea11c65f2dcd75c6112d7270b3d4050b88777693226
Opcode Fuzzy Hash: 23f1b77a76a3930b3350ec074b51be89ff8f9a3d1ef5da2e6f4b77bff0eeef2b
Instruction Fuzzy Hash: 36421970A00245CFCB15DFA8C584A9DBBF2BF89314F5581A9E405EB3AADB34AD85CF50

Function 01709048 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\VFm, xrefs: 017092FF

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: \VFm
API String ID: 0-1569638498
Opcode ID: 724d99586a19d80500d17f7e55e820a4852a646ad1a80abb1f55f26dddaaa357
Instruction ID: 4486a61688274f921546b0cf70ec888ed185cc91fb89a4d6c3f68cd4107b265f
Opcode Fuzzy Hash: 724d99586a19d80500d17f7e55e820a4852a646ad1a80abb1f55f26dddaaa357
Instruction Fuzzy Hash: 9FB13C70E04309CFDB15CFA9C88579EFBF2AF88718F148129E919A7295EB749845CF81

Function 01702321 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4537ad56aeacf6ab426adce99cd6fb1c7b522b0568205ae441a73243f14ecf50
Instruction ID: d89fa6118149a9190bb3c302012de82e4a8ac0a1c6a8fb521044fc12462c8d72
Opcode Fuzzy Hash: 4537ad56aeacf6ab426adce99cd6fb1c7b522b0568205ae441a73243f14ecf50
Instruction Fuzzy Hash: 0002F275A01209DFDB06CF68D484A9DBBF6BF49320F5981A5E805AB3A6D730E885CF50

Function 01709918 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d659a0d2f5731bc8c9fd29414fccfedb1107c224b52db8f6ec6b2574294f623d
Instruction ID: 7b78bc0ffabdbdce771c8e0a797a4f7677b6e6e4db71c3ae996500e06fdfda59
Opcode Fuzzy Hash: d659a0d2f5731bc8c9fd29414fccfedb1107c224b52db8f6ec6b2574294f623d
Instruction Fuzzy Hash: F4B15070E00309CFDF15CFA9D88579EFBF1AF88318F148529E519A7295EB749885CB81

Function 01709685 Relevance: 2.7, Strings: 2, Instructions: 181COMMON

Download Yara Rule

Strings

\VFm, xrefs: 01709852
\VFm, xrefs: 017096FF

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: \VFm$\VFm
API String ID: 0-974954224
Opcode ID: 2e219e98722d60eaf9426bb32843ba8c5f0cb5c3c1e4b4e38227b34d06f6e860
Instruction ID: b0505d38ce2343117c96fe5a377785d3d91c3043daaea01120d7e545c14a6063
Opcode Fuzzy Hash: 2e219e98722d60eaf9426bb32843ba8c5f0cb5c3c1e4b4e38227b34d06f6e860
Instruction Fuzzy Hash: 06718BB1E00309DFDB15CFA9C88479EFBF1AF88718F188129E519A7295EB749841CF91

Function 01709690 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

\VFm, xrefs: 01709852
\VFm, xrefs: 017096FF

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: \VFm$\VFm
API String ID: 0-974954224
Opcode ID: 1df8a5d4d9cddbf3f043540502de55f0c15314d1c23f6600c6fc97f51e99105a
Instruction ID: b55032d987597f1aa1dc33a60eeebee255d3a63de9086e39febd02351d39293b
Opcode Fuzzy Hash: 1df8a5d4d9cddbf3f043540502de55f0c15314d1c23f6600c6fc97f51e99105a
Instruction Fuzzy Hash: 5E715BB1E00309DFDB15CFA9C88079EFBF2AF88718F148129E519A7395EB749841CB91

Function 01704920 Relevance: 2.6, Strings: 2, Instructions: 98COMMON

Download Yara Rule

Strings

(bq, xrefs: 0170498D
(bq, xrefs: 01704961

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 7292cb7ec2d691504da8c54f954dee516e5f3fe8de81eaf087f9327497b6ada7
Instruction ID: 920b2784938e4c2ee084ed856ff369e0386f42dd05adb6c255668b6b65f64d31
Opcode Fuzzy Hash: 7292cb7ec2d691504da8c54f954dee516e5f3fe8de81eaf087f9327497b6ada7
Instruction Fuzzy Hash: B231F3317083504FC7569A2CC85090FBFE6EFC62A0315827AE50ADB395DE31DC06CBA4

Function 0170283D Relevance: 2.6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

Strings

U, xrefs: 01702855
h_q, xrefs: 017028C3

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: U$h_q
API String ID: 0-2676216259
Opcode ID: f8d42c885006c9bc451d15f6a382ccec523983f9317bf845e4b2e6c992ae7434
Instruction ID: 057f86d7692bd4d204c4607e45461373a6a86fa62acc2f702437319309574b98
Opcode Fuzzy Hash: f8d42c885006c9bc451d15f6a382ccec523983f9317bf845e4b2e6c992ae7434
Instruction Fuzzy Hash: 5111EB32D487868FCB068B749C444DDFFB5AFC6300F194597D510BB1A2E7701589C7A1

Function 01702C38 Relevance: 2.6, Strings: 2, Instructions: 54COMMON

Download Yara Rule

Strings

h_q, xrefs: 01702CB9
U, xrefs: 01702C45

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: U$h_q
API String ID: 0-2676216259
Opcode ID: a3b517cdbd9a3f359734f205d170ed89e4caab287d9c7fead0adb99d02abdf5e
Instruction ID: 1f284c00b5a7884577eec625cd5b1791206925de0fce188b5f45f037dda43fa7
Opcode Fuzzy Hash: a3b517cdbd9a3f359734f205d170ed89e4caab287d9c7fead0adb99d02abdf5e
Instruction Fuzzy Hash: 40110631D0474A9ACB01CFA9CC841DEFFB6EFC6310B19829BD114BB262EA70184AC760

Function 0170903D Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

\VFm, xrefs: 017092FF

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: \VFm
API String ID: 0-1569638498
Opcode ID: 201fb0de90197834b4db08cbcb97d3a17c961da5e5d7a283d6b015454c0bf9a2
Instruction ID: dba95fc9c2133e47863c5c1b1493c231005d9db059acb69883d7c119af3fe4fa
Opcode Fuzzy Hash: 201fb0de90197834b4db08cbcb97d3a17c961da5e5d7a283d6b015454c0bf9a2
Instruction Fuzzy Hash: 0BB13970E04309CFDB11CFA8C88579EFBF1AF88718F148129E919A7296EB749845CF91

Function 01704190 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

(bq, xrefs: 01704392

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 429b27535d34ac666c5635867d0e74d6319c9a02722e6893d86b3b687f3f321a
Instruction ID: 56c98005fcd021ab5635a2d2e56f859fac87c508754f83f620b83b4eaf87a0fd
Opcode Fuzzy Hash: 429b27535d34ac666c5635867d0e74d6319c9a02722e6893d86b3b687f3f321a
Instruction Fuzzy Hash: D7812C34B01209DFDB15DF68D894A9DBBF6BF89310F158165E506AB3A5DB30EC82CB90

Function 01704A40 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

(bq, xrefs: 01704A87

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: ac5f43d05369faa7765041ac7c97d39c0bc4605de5252432172f7b1355c59f9f
Instruction ID: a0bea9880a6dd82c68dfb0f90b69859b557b2ad0270f99c1cc0eecf2e8da2ff9
Opcode Fuzzy Hash: ac5f43d05369faa7765041ac7c97d39c0bc4605de5252432172f7b1355c59f9f
Instruction Fuzzy Hash: 6A514B30E00219CFDB15DFA9D854AAEBBF2BF89310F148469E606A7294DB309D45CB90

Function 017065A0 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

LR^q, xrefs: 017065F3

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 787249d7de6fc860804f93dcc5e4b462d104eecd277402b22a4997377dc88d97
Instruction ID: ead2482de9541af0ead48c983e6ca968df4d1b957c5653e6fffb7d6a31a7c9b6
Opcode Fuzzy Hash: 787249d7de6fc860804f93dcc5e4b462d104eecd277402b22a4997377dc88d97
Instruction Fuzzy Hash: A1319270F002168FCB45EB78C95196FBBF6AF89210B1441ADE145DB3A5DE34DC02C792

Function 01704F78 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

Te^q, xrefs: 01705001

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: f0ad94997196b3735361cb066120ccb8105ab6cc4e704923e205fa98ab595de1
Instruction ID: 6b8d9fd890fded0b70d3e257dabfdc650b1453a791c8c06aea2fc9726a2133c3
Opcode Fuzzy Hash: f0ad94997196b3735361cb066120ccb8105ab6cc4e704923e205fa98ab595de1
Instruction Fuzzy Hash: 37313935B10204CFC745DF69C498AADBBF6BF8C720F2544A9E506EB3A1CA71AC05CB90

Function 01703AEB Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

Te^q, xrefs: 01703B72

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: e1f52dc45eeb2b17f3fe3ce639a6709f5de526df9849bd3f9b0fc591e48232eb
Instruction ID: a86adba3f80b39feb54351ae1f6830d85aa567b40c4cf13e4f1cfa1d7f605bf7
Opcode Fuzzy Hash: e1f52dc45eeb2b17f3fe3ce639a6709f5de526df9849bd3f9b0fc591e48232eb
Instruction Fuzzy Hash: 00311434B00604DFCB04DF69C598A99BBF6BF8C720F258499E506EB3A5CA71DC01CB90

Function 0170C95C Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0170C9AF

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 1c63ac9af219bf8ef68c6d1f7d9742ef217d37df93a79a9709d67a642b7eea4a
Instruction ID: 04141f12516ef54c3243f452c7a16bea035c4f2674c1f0196fd75652ba3a4e64
Opcode Fuzzy Hash: 1c63ac9af219bf8ef68c6d1f7d9742ef217d37df93a79a9709d67a642b7eea4a
Instruction Fuzzy Hash: 6F31E971B04301CFC707EB78C89599DBBF5EF89614B1501E9E405EB3A2DA355E01C792

Function 0170C828 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

`_q, xrefs: 0170C85C

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: `_q
API String ID: 0-2041170535
Opcode ID: 0734f6dfad38c5e831424b66327377c73a58c81a0656cd08906d4b68296f8edd
Instruction ID: 7cd219148ad1a2d81b49829fb990be85f105245a346d11ec62d52638963c6817
Opcode Fuzzy Hash: 0734f6dfad38c5e831424b66327377c73a58c81a0656cd08906d4b68296f8edd
Instruction Fuzzy Hash: 6A31A270A00305DFDB26DF69C940A9EFBF5FF88250B2446A9E495AB394DB31ED44CB60

Function 0170C7B7 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

`_q, xrefs: 0170C85C

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: `_q
API String ID: 0-2041170535
Opcode ID: 9d8b9064fac78b748a121be1629c4a055ce6e502ee2ba1e57663b07ad3299cc9
Instruction ID: 4ca469517d78f5e9a23d7e4984793e84acdc01860bdc5b395c83f409694f1128
Opcode Fuzzy Hash: 9d8b9064fac78b748a121be1629c4a055ce6e502ee2ba1e57663b07ad3299cc9
Instruction Fuzzy Hash: EB319331A40305DFCB16EFA8D9406AEFBF6EF4821071486AED445EB395EB31AE44CB51

Function 0170C800 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

`_q, xrefs: 0170C85C

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: `_q
API String ID: 0-2041170535
Opcode ID: cc8a7393806c91ba48220d61f1fbf9e4b9db7c98c118d1b9cf887f434fcb964a
Instruction ID: e6a92bdcde72f2e9fe47b5230ee3654f8ea8aee8d492cb592a4965e5465076ee
Opcode Fuzzy Hash: cc8a7393806c91ba48220d61f1fbf9e4b9db7c98c118d1b9cf887f434fcb964a
Instruction Fuzzy Hash: 2F21D531A44344CFCB27DF68C85099ABBF5EF46220B1846AAD4419B291E634ED45CB61

Function 0170C980 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0170C9AF

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 4e0768f7fddb51c588d537061c0e25106817e8d09b45fba7e53e0e905503ed43
Instruction ID: e2a7c1bea9142992709e35657e3462da13b1f54248fe76ad5a17d441244136a4
Opcode Fuzzy Hash: 4e0768f7fddb51c588d537061c0e25106817e8d09b45fba7e53e0e905503ed43
Instruction Fuzzy Hash: C0217475B00205CFCB06EB78C4949ADBBF6FF8C610B1441A9E506E73A4DE359D41CB95

Function 01700981 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01700A64

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 6c43339decfca00fb9d3fb652898f0268b993df5cfcfbd5e8ecf31e227146c4c
Instruction ID: 21cf7a0e2570a9234a2234ed4f27b65ed26e1b5915f85aabdb88e643296b774f
Opcode Fuzzy Hash: 6c43339decfca00fb9d3fb652898f0268b993df5cfcfbd5e8ecf31e227146c4c
Instruction Fuzzy Hash: 7221307091020ADFCB01FF68ED8469DBBB2FB45304B1095B9C005AB766EB785E49CF81

Function 01700C9A Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

dbq, xrefs: 01700CA2

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: dbq
API String ID: 0-1887291361
Opcode ID: 38c8085ff9d74f98960ceb8e39d4e3319b0caa906782cb027c16b8a36a6dc6d0
Instruction ID: 4c8abc81c2b7efdb86233becdc5e104d39e673d650a42aa550204d0c067368fb
Opcode Fuzzy Hash: 38c8085ff9d74f98960ceb8e39d4e3319b0caa906782cb027c16b8a36a6dc6d0
Instruction Fuzzy Hash: CD21C575E00249CFDB06DFA9D4809DDBBF5EF89310B1580A6D805AB266E730A995CF50

Function 0170406A Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

U, xrefs: 0170407D

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 7667f63a86e4626cc665b7d144f2525ed7703d4d600d9ded93cf720f70a09e27
Instruction ID: 254ea969d72c078af651d714f385c7bd566165bbe461df4a9541f5525187cd94
Opcode Fuzzy Hash: 7667f63a86e4626cc665b7d144f2525ed7703d4d600d9ded93cf720f70a09e27
Instruction Fuzzy Hash: 0811A332D0574A9BCB01DFA4DD840DDFFB6AF9A310B190297D104BB1A1E775294AC751

Function 01700990 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01700A64

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: cc345ebb711e1202279e77ef0efff3d1a31e24460d4c65fb041cb07d53cdbaa6
Instruction ID: 4e10882ad668107100291a91df9ca6287ae0e235be828ec28bcaaf3b22835421
Opcode Fuzzy Hash: cc345ebb711e1202279e77ef0efff3d1a31e24460d4c65fb041cb07d53cdbaa6
Instruction Fuzzy Hash: AF21ED70950209DFCB40EF68ED8469EBBB2FB44304B1095B9D405AB765EB786E49CF81

Function 01705CBF Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

h_q, xrefs: 01705D3B

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: h_q
API String ID: 0-1834438436
Opcode ID: 33036acf8602384e567e22796cb9112fb324c791d043958c34a9acd1f3c4e97a
Instruction ID: 81c65b52df6958601623fa5550115c8184ab4b5116aac61f82339c31b11fcaeb
Opcode Fuzzy Hash: 33036acf8602384e567e22796cb9112fb324c791d043958c34a9acd1f3c4e97a
Instruction Fuzzy Hash: 3A11A332D0474A8BCB05DBB9D8405DDFBB5EFCA310F158697D111BB1A1E770268ACBA1

Function 01702858 Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

h_q, xrefs: 017028C3

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: h_q
API String ID: 0-1834438436
Opcode ID: 3582c60e4a06d882b64f90727daf83d109322730cc93891ac63fc1c7bb1d463e
Instruction ID: 0771db29e46ccf89d90aa562916239926d0ee7933031040d2d95e4e96baff1a7
Opcode Fuzzy Hash: 3582c60e4a06d882b64f90727daf83d109322730cc93891ac63fc1c7bb1d463e
Instruction Fuzzy Hash: 53018B32E1060A97CB149BA9D8404DEF7BAEFCA310F258626D11177264EBB02589CBA1

Function 01705CD0 Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

h_q, xrefs: 01705D3B

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID: h_q
API String ID: 0-1834438436
Opcode ID: edb069375cf337c8d5cb040404062236856eef7e87770296ee2d4c033e654876
Instruction ID: d764fe12c9340c00138c017099b4f836ab68dc4880f5853be9fb68083856aa08
Opcode Fuzzy Hash: edb069375cf337c8d5cb040404062236856eef7e87770296ee2d4c033e654876
Instruction Fuzzy Hash: A0018B32E0060A97CB049BA9D8404DEF7B6EFCA310F258626D11177264EBB02589CBA1

Function 0170D2C0 Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750615e5a100872baf0b29a9d2a1c6173a9b06b0b3d87d238f31e9717b33d185
Instruction ID: a7a703f3cdf885e744ef02b008e06be1dff73ad773fc064eda6898050c216d85
Opcode Fuzzy Hash: 750615e5a100872baf0b29a9d2a1c6173a9b06b0b3d87d238f31e9717b33d185
Instruction Fuzzy Hash: 2421BD31600385CFCB26DFE8C98069EFBF6EF89350B0845AAE455E7295EB34AC04CB50

Function 0170A830 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2bdd55903b183186c66e773b11ac0fbc04579e99210454018242682c6aa3a2
Instruction ID: b1a6da057e6b587e2b94132ebf7e6a868c30c9ebc9e05a955abeadf48027f0e2
Opcode Fuzzy Hash: 4d2bdd55903b183186c66e773b11ac0fbc04579e99210454018242682c6aa3a2
Instruction Fuzzy Hash: 4ED10475A003498FDB06DFA8C480ADDBBF2BF49310F158695E855AB3A6D730ED85CB60

Function 0170BE38 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0719519d5171730e94cb257850ba7d26b7c043378972f953cfeb2edea175520c
Instruction ID: 91f74515fa5934f20e4278881b5c45c1df3e5c07cb9b71f8a083c42707c7b90d
Opcode Fuzzy Hash: 0719519d5171730e94cb257850ba7d26b7c043378972f953cfeb2edea175520c
Instruction Fuzzy Hash: 91D1F675A04349CFDB16CF68C580A9DBBF1BF49220F194295E845EB3A6D730AD85CF60

Function 0170B558 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99fa39087a662904159df093cda791426970a5a6b363fc24e22bb42d60578d53
Instruction ID: 07d8767c63121847e19e2b625a3532e9535f7320c89cdc6959cc5fddc2b71a2c
Opcode Fuzzy Hash: 99fa39087a662904159df093cda791426970a5a6b363fc24e22bb42d60578d53
Instruction Fuzzy Hash: FAD11575A00349CFDB16CF68C480A9DBBF2AF49310F198599E855AB3A6C730ED85CF60

Function 0170BE29 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec5ed0dd6007d8b5b72fd7168e8c4d295f3ef77c7e2a08cdfe4c24c3f4e1808
Instruction ID: c491d0f387dd81f13db9bacb90f2a6610857285604fe05710bd7bb908571da9f
Opcode Fuzzy Hash: 6ec5ed0dd6007d8b5b72fd7168e8c4d295f3ef77c7e2a08cdfe4c24c3f4e1808
Instruction Fuzzy Hash: 49C12575A00349CFDB16CF68C580A9CBBF2BF49220F198195E445EB3A6D731AD85CF60

Function 0170990C Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317c72e08f86e66fc06796f1ddb713a32d2e4faaee702b3f4b08151d5e93a268
Instruction ID: b71c120d42b8f8b307e55000ee1b183296f0d6cf16432dc113d0050f94bc8883
Opcode Fuzzy Hash: 317c72e08f86e66fc06796f1ddb713a32d2e4faaee702b3f4b08151d5e93a268
Instruction Fuzzy Hash: 78B16DB0E00309CFDF11CFA8C88579EFBF1AF88318F148129E519A7295EB749885CB81

Function 0170A3D8 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44209b575ae356be5a4b666565b66380322ac36389933f8ed502dd667f7b90dc
Instruction ID: b6a8a402850e925433e4f5f00cc0287a481ef4841bfe79662784d57be66292b3
Opcode Fuzzy Hash: 44209b575ae356be5a4b666565b66380322ac36389933f8ed502dd667f7b90dc
Instruction Fuzzy Hash: B1A14771A01355DFCB16CF68D88499DBBF2FF89310B1981A5E455AB3A6C730EC86CB50

Function 0170A81F Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407e713914dfe9ba95a150c266c7225bb5ae614c122c39b93e3504dd662ddc85
Instruction ID: 96560d7df31e7a5f3401a25da0aa2297ebfbffadb53cfc1ed0ed0566c9b39d28
Opcode Fuzzy Hash: 407e713914dfe9ba95a150c266c7225bb5ae614c122c39b93e3504dd662ddc85
Instruction Fuzzy Hash: 92A10575A002498FDB06DF68C580ADDFBF2BF49310F198695E855AB3A6C730ED45CB60

Function 017012A3 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4170369528929b2ec2636b872fc63adc2d2ed93812d5f755d3ba469f0cdb28
Instruction ID: b2328168776cfbbae99114385e883c1c9eaa97b4a48e800d8ec17a1aeb22c02f
Opcode Fuzzy Hash: bc4170369528929b2ec2636b872fc63adc2d2ed93812d5f755d3ba469f0cdb28
Instruction Fuzzy Hash: BBA1E570A01249CFCB15DFA9C58499CBBB2FF89324F5581A8E415AF3A9D734AC85CF50

Function 01702968 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8288923cd845dd6565a0af61961d378ffe09c5fbb905f9e6dc108c12c51f7da6
Instruction ID: 3924f122edf06dc301d3742856f7995e1a03b240d7c78764bbe78ee2a16ba8c4
Opcode Fuzzy Hash: 8288923cd845dd6565a0af61961d378ffe09c5fbb905f9e6dc108c12c51f7da6
Instruction Fuzzy Hash: 13818275A00615CFDB16DF68C988A9EFBF6BF88310F158195D845AB396DB30DC81CBA0

Function 017059C0 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b787bcafae5b5258c7a349c2488f7903a0b4003f9b107e54fbb3bb234863c98
Instruction ID: ebfa1a524734cee550f9b9550c966efdfce9cc7a1dcf7578e605254096b5b1dc
Opcode Fuzzy Hash: 5b787bcafae5b5258c7a349c2488f7903a0b4003f9b107e54fbb3bb234863c98
Instruction Fuzzy Hash: E781A070A01742CFDB26DF28C98469EFBF2BF89310B148699D0969B2A5C730E985CF51

Function 0170C460 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71784b4f2d19707223105eea77a65c0dba74cb5ad7e51275b3de88c1d927c9bd
Instruction ID: d30d1bdcddd2aae586e967ff466776fd29d3af9590929c55e88379c4da16e693
Opcode Fuzzy Hash: 71784b4f2d19707223105eea77a65c0dba74cb5ad7e51275b3de88c1d927c9bd
Instruction Fuzzy Hash: 40717370A00745CFDB26CF68C54459EFBF2BF89310B248A99E49AEB2A5D730EC45CB50

Function 01706278 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c9ed81b166cb671875bb1a6f319497076b72c001e20f6648e32cd29e7c6278
Instruction ID: 2e568f760ce7fd7ec53551a55266d7f65b2d02b065b2d995e78d3cb46af513da
Opcode Fuzzy Hash: e3c9ed81b166cb671875bb1a6f319497076b72c001e20f6648e32cd29e7c6278
Instruction Fuzzy Hash: 10517C71A01304DFDB05DFA8D994A9EBBF6EF88310F158469E046EB3A5DA30DC85CB60

Function 01702D4F Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60315e5030037baa46eaca2822edcca6c9b1a4a739a7209458effd7a027e8804
Instruction ID: efb9628127053cac67a3487aa1f553c6b81adc5a869170a9eccf4b04f1a20cfc
Opcode Fuzzy Hash: 60315e5030037baa46eaca2822edcca6c9b1a4a739a7209458effd7a027e8804
Instruction Fuzzy Hash: 1D51AF31A00701CFDB26CF65C98499EFBF2BF88310B248A6DD49A972A5DB30AD45CB50

Function 01704180 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8cb238d54413cbc861776c318be0aca9d933d48f68e93985202b830287dece5
Instruction ID: 09e2af97fdb1d5af1131c0f4bc400b61419498bfc3a9f9492903c26cf3bd7ef6
Opcode Fuzzy Hash: a8cb238d54413cbc861776c318be0aca9d933d48f68e93985202b830287dece5
Instruction Fuzzy Hash: FC511D34B01205DFDB05DF68D894A9DFBFABF89310F198158E906AB365DB31AC85CB80

Function 0170441C Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555eb894312c95e5f7999dc707221e7a9eaac99e4cc964e5176c688708d569ab
Instruction ID: a7253c0831bc5bd1235fb766838fd4f0f84e37d73c84263a00187906f51b2801
Opcode Fuzzy Hash: 555eb894312c95e5f7999dc707221e7a9eaac99e4cc964e5176c688708d569ab
Instruction Fuzzy Hash: A7515A71E00219DFCB05DFA9D844AEEFBF5FF88210F10816AE619E7290D7349641CBA1

Function 01701D68 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44f0eb083273951e0048fd7315eb09b72e2836e1e80ea105111881eed442f8d
Instruction ID: c95015ec046f2cd6645b449d38f89ba917c0759f1183ae1783e56bf39a984be3
Opcode Fuzzy Hash: f44f0eb083273951e0048fd7315eb09b72e2836e1e80ea105111881eed442f8d
Instruction Fuzzy Hash: DA51ADB0C05389DFDB06DFA9C8906DDBFF0AF49314F18409AD844AB2A2D7359945CF91

Function 01702030 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2822143d08d75a2b168f61702eb2280658b54177f1882df205aeca99a91bf809
Instruction ID: 14dd3d9e5143b97619f3394547f423df723622f62a0d8293df9bc83164a0efd8
Opcode Fuzzy Hash: 2822143d08d75a2b168f61702eb2280658b54177f1882df205aeca99a91bf809
Instruction Fuzzy Hash: 0C513C35A003059FCB15DF68C8849DEBBF6EF89320F158698D415AB3A6D770ED85CBA0

Function 0170201F Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa227bc16ab9cba4873c0722d5db62931b84d3694b1915b1c3b8b373105ee2b
Instruction ID: fb1f7a13fa9192e96946931a324f4956631c405ede5354620068ed4c274f33cb
Opcode Fuzzy Hash: 4fa227bc16ab9cba4873c0722d5db62931b84d3694b1915b1c3b8b373105ee2b
Instruction Fuzzy Hash: 3D418C31A003058FCB05DFA8C9849CEFBF6EF48320B048699D515AB3A6D731ED85CBA0

Function 01705DCF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb024edfaecee6a0977f95d3aaea8148948964e14551c2792a39528de6bceb5
Instruction ID: 1b20cb690f644806fd9ff0bda7ad50acc53b4605455b1c38f7677b25331d8601
Opcode Fuzzy Hash: dbb024edfaecee6a0977f95d3aaea8148948964e14551c2792a39528de6bceb5
Instruction Fuzzy Hash: 1B312430905345CFDB26CF28C9445DAFBF2FF88350B14866ED496AB696C730A846CF51

Function 01707154 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f96f1b8012c15b72f99d24000e474bcc2f88f98febbed8028874745c251928
Instruction ID: 062fec98d384de90a7ff15bde68c9d5fb66bdb5cc43b5b9d53e4693b3f097664
Opcode Fuzzy Hash: e8f96f1b8012c15b72f99d24000e474bcc2f88f98febbed8028874745c251928
Instruction Fuzzy Hash: E64112B1D00349DFDB14CFA9C984ADEBFF5BF48310F24802AE449AB294DB75A945CB90

Function 0170CB88 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407b85965d59e7e962f9102784ba4cd3d6e4063bececf3f9a06f0c7e6d383a52
Instruction ID: 847076e40d058783ca5ca2942b41a45c3734cb11e29b98c92fdbeb5a978a7040
Opcode Fuzzy Hash: 407b85965d59e7e962f9102784ba4cd3d6e4063bececf3f9a06f0c7e6d383a52
Instruction Fuzzy Hash: AC411FB5900748CFCB20DF9AC988B9EFBF4EB48324F20856AD519A7350C774A944CFA4

Function 01709E09 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 863bf64835d070986c852c6c583d580cc572575a1963f90bb1d0bdeefcb005eb
Instruction ID: ecf8a502e179cd51a129421ab7f6eff9e04d00d2d0e1645d4d11bcad6fe9a869
Opcode Fuzzy Hash: 863bf64835d070986c852c6c583d580cc572575a1963f90bb1d0bdeefcb005eb
Instruction Fuzzy Hash: 3F31A031F00315CFCB0AAB78D8549AEB7F6AF89208B10447DD509AB3E2DE358C46CB95

Function 01707160 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c80e6a3d0301fbb3ceae26deeb328b6760ab24fbc1a9fbb11c4b82831aeee0
Instruction ID: 5b4a244565f41ea470019379301fa8e82fbde34646b05a06d742ee56c6d22d62
Opcode Fuzzy Hash: 80c80e6a3d0301fbb3ceae26deeb328b6760ab24fbc1a9fbb11c4b82831aeee0
Instruction Fuzzy Hash: DF41EDB0D00349DFDB14DFA9C884ADEBFF5BF48314F24842AE819AB254DB75A945CB90

Function 017066A8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c412e745abfbbac9af0cd8069df05ce71006a5391fcb49e457253a00bec6b2f
Instruction ID: 4260200db09ecb618f502e30fae40a0df612d60db868d924895a6e35ac0f8a16
Opcode Fuzzy Hash: 2c412e745abfbbac9af0cd8069df05ce71006a5391fcb49e457253a00bec6b2f
Instruction Fuzzy Hash: 38315E74A00205CFDB16DF78C568AADBBF2AB88240F105069E506E7394EB389C15CBA1

Function 01706699 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695a9ffe636162558e75609065851a9531301534c26387dbe5de47cd4d95c1d9
Instruction ID: b9069730ff8dda830a8af215ed53c37218aa4df343342e0310be9b53968b61b8
Opcode Fuzzy Hash: 695a9ffe636162558e75609065851a9531301534c26387dbe5de47cd4d95c1d9
Instruction Fuzzy Hash: 12316174A00301CFDB16DF78C964AADBBF6AF89651B105069E506EB3A4DB389C11CFA1

Function 017064A0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af933580cbae6e574a6c0ed0316da5ee13bbfdbe7abcc8226b38b96789b2a884
Instruction ID: 27bb7d1a3cf54df601556b6e660259cfcfd0731a9e9ac5506ad7a504f1790fb8
Opcode Fuzzy Hash: af933580cbae6e574a6c0ed0316da5ee13bbfdbe7abcc8226b38b96789b2a884
Instruction Fuzzy Hash: 4C210830B003159FCB48ABBD895831FBAEBEBC8610B11482DE00AD7395DD308D0647A1

Function 01701DC0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e9071bf07b3e31e7f87d5e7370df3de0f15175e5dfa3064019ecdcbb063986
Instruction ID: 05644c9c7eae91943316fcd2f1ecb49d5bb19c64d46a9ef918a08f703a7b6284
Opcode Fuzzy Hash: 72e9071bf07b3e31e7f87d5e7370df3de0f15175e5dfa3064019ecdcbb063986
Instruction Fuzzy Hash: 143105B0D00259DFDB14DFAAC980ADEFFF5AF48354F248429E919AB290DB349945CF90

Function 0170D6A8 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5746bbab5f2befc23b10f410b4e72e8abee2fb19e3935a7a4436370616da2925
Instruction ID: 29905cfa41dcbe456cd327f457b484aacde5820f1aca5be456a38a7edc89903c
Opcode Fuzzy Hash: 5746bbab5f2befc23b10f410b4e72e8abee2fb19e3935a7a4436370616da2925
Instruction Fuzzy Hash: D331AE71A00345CFDB22DFA8C94069EFBF2FF88310B144A69E495AB395DB30AD44CB90

Function 01709E18 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0cfaf931aac09682918e942851788f72caa5db3d52198e1fb9523e9db328281
Instruction ID: a042dc36830d72ce0fd8528716144b5baf401e245138f72d0fd6132c89541a61
Opcode Fuzzy Hash: c0cfaf931aac09682918e942851788f72caa5db3d52198e1fb9523e9db328281
Instruction Fuzzy Hash: 50216D30B00315CBDB1AAB78D454AAEB7F6AF88208F10443DD50AAB3D5DF759C06CB95

Function 01701890 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a0b3331bdaa3b6d49578855afb4827e2149d2fd66f22a02de063dff3f0317e
Instruction ID: 2a1b845f82a8cbd22e605d4a4399507a3f442568e9496cfe606592f8eadf20e2
Opcode Fuzzy Hash: 29a0b3331bdaa3b6d49578855afb4827e2149d2fd66f22a02de063dff3f0317e
Instruction Fuzzy Hash: D8215E71E05359EFCB05DBA4E9805DDBFF6AF89310F5880A7D801AB295D6309E44CB51

Function 016AD6DC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902496033.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16ad000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9a9d61fdeb226ac12cf55db2c63641f7b85c2fc590432412df6c29504c24d2
Instruction ID: 63401cfd4dffdf87ba7d12e162096226c4f1d7600aa8a4dcc4cae8c0c4e1c8d9
Opcode Fuzzy Hash: 7e9a9d61fdeb226ac12cf55db2c63641f7b85c2fc590432412df6c29504c24d2
Instruction Fuzzy Hash: 6E214575100280DFCB09EF58CDC0B2BBFA6FB98314F60C169E8090B756C336D846CAA1

Function 017064B0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d29f87af0af52f0b6b953f1108f78cdf6640f0fbdd6796abce2200fdaa4ac7
Instruction ID: dab27014d660bda12a473742ccf3ab7d5dbaf158eda4cd2982294fb2af434cc8
Opcode Fuzzy Hash: 14d29f87af0af52f0b6b953f1108f78cdf6640f0fbdd6796abce2200fdaa4ac7
Instruction Fuzzy Hash: 03119671B402159FCB48BBBD495836FBAEEFFC8650B10482DD10AD7394DE359C058BA5

Function 0170A0D0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441a7ee1c2cde26936cec86e06af3d2b10b9bc12b54b7be1ee221714fe8f5fda
Instruction ID: b11b3c8ca25b2e0d823c0b9462f5c6b4aace019f03e51138a8a8ebfc6ec53790
Opcode Fuzzy Hash: 441a7ee1c2cde26936cec86e06af3d2b10b9bc12b54b7be1ee221714fe8f5fda
Instruction Fuzzy Hash: C2219F71A00715CFDB26CF69C840A9EFBF2FF88250F148669D496A72A5D734A885CB50

Function 017018A0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cebc9100aed1092250fa329dddf2a5aa14bf903e18e2e2b43501029b9f60721d
Instruction ID: 879b683d1587e54968f29e25ec7e546d5ebad235fb4485ac1e3b56d2f030113f
Opcode Fuzzy Hash: cebc9100aed1092250fa329dddf2a5aa14bf903e18e2e2b43501029b9f60721d
Instruction Fuzzy Hash: E5219331E01258EFCF05DFA5D9805DEBFF6AF89310F5480A6E402A7255DA305E44CB50

Function 01704840 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e51f2a888d726fa06877f78f5f199e43ffca56798ad40d4cef52aa018ae651b
Instruction ID: 5a841cf3958b494b6c6e504217be8a69849553a65b3fd7a1492cc8115d05aa13
Opcode Fuzzy Hash: 0e51f2a888d726fa06877f78f5f199e43ffca56798ad40d4cef52aa018ae651b
Instruction Fuzzy Hash: 1511B7317483815FC707AB799C6416BBFA7BBC510070544AED559CB386DE649C05C792

Function 0170A6F9 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0197e1d094e3d63f5c35be370e6af07d793b24e508d0f14ac1ce50ac2aa8e70c
Instruction ID: 4616a10318efec40e626e665dbae78dc907a458c2a1f452b3b5ce46c990a38fc
Opcode Fuzzy Hash: 0197e1d094e3d63f5c35be370e6af07d793b24e508d0f14ac1ce50ac2aa8e70c
Instruction Fuzzy Hash: D5215E71D047499FCB01DFA9C8404CDFFF6AFCA310B258296E514B7261E771294ACB51

Function 01702957 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4318a94e4e44f02bac7aa2fc7b7ec0f6fc7416e92975792569fac219dbafee
Instruction ID: b4c559388aa7150f07b88a9c10820c4d3b8f203a9c83a39586a0e9969a2d1376
Opcode Fuzzy Hash: 7f4318a94e4e44f02bac7aa2fc7b7ec0f6fc7416e92975792569fac219dbafee
Instruction Fuzzy Hash: BD117232A042448FDB16CF59C8849CABFFAAF89250B5880A5E505AB756C6319D44CB60

Function 01701EF8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff629ca53f9fac367b2a48fe944fae5ff16119a056bbdadade3d7fc1ef8cf594
Instruction ID: 7a73cc0702474a8feed03a90d5beaa034194479a2024662976e5a5d8bb1e76b8
Opcode Fuzzy Hash: ff629ca53f9fac367b2a48fe944fae5ff16119a056bbdadade3d7fc1ef8cf594
Instruction Fuzzy Hash: EC118F31D1174AABCB01CFA8DD804CDFBBAEF9A310F254656F414B7260E7706A96CB60

Function 0170D910 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac9768ba32184c3efe8365e249258a8ca2661c1f7bbff02f6316ef33a8cde02
Instruction ID: 5ff1192220666ba99dd50aeee907242921657509c0e7be85c6770d14f7637b50
Opcode Fuzzy Hash: dac9768ba32184c3efe8365e249258a8ca2661c1f7bbff02f6316ef33a8cde02
Instruction Fuzzy Hash: A8118E718193968FC703DBF4C814899FFF1AE9721070A85DBC050EB1B3E2709A09CB92

Function 0170A2C8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903429598cf3b09f10ac329e4e297d895f34799094809057040024af2e4b63b8
Instruction ID: 71fdeb8540dc66c8649621e5e54b5cd1f47d93ec18f7f1101c9cd759b4807c33
Opcode Fuzzy Hash: 903429598cf3b09f10ac329e4e297d895f34799094809057040024af2e4b63b8
Instruction Fuzzy Hash: E3116032D1531A9BCB05DFA8D9404CCFFB6EF89320F1946A6D110B71A1E671258ACB61

Function 016AD6D7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902496033.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16ad000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 968141d48dfd05fd822a7da8e6f2c5127017b2ffc79d19d02d7a1115437dc756
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 3411AF76504284CFDB06CF54D9C4B2ABF62FB94314F24C6A9D9090B656C336D85ACBA2

Function 01704868 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e757f9d42b602759f7e251c4ca9d53a3661772de975f0b36e33eb8304d516a70
Instruction ID: e4d7ccf429b77396d6dd5ae76f8efa9853b663fbb0a0e35c498da18a41e5ed18
Opcode Fuzzy Hash: e757f9d42b602759f7e251c4ca9d53a3661772de975f0b36e33eb8304d516a70
Instruction Fuzzy Hash: 7501D4317803069B8706ABBEAC9456FB6CBFBC8650315843DD51ACB388EE74DC0687D1

Function 01709FB0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1511f2c86be016adb1032bc6bcf39d9de7afc986480214bdd8ffd79fcff29b33
Instruction ID: 3efa9b8e6e8b4c08fa58da0c10c6dab59d7b2ae8bd7d12c0a005ccbdd98fced6
Opcode Fuzzy Hash: 1511f2c86be016adb1032bc6bcf39d9de7afc986480214bdd8ffd79fcff29b33
Instruction Fuzzy Hash: 4311E532D1234AABCB01CFA5D8400DDFFBAEFCA310B294297E110B71A1EB74294AC751

Function 0170A0C1 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d928c08aaca04b29cb4980ef207d1e067f30a8e305307597b269e6bde5d93d
Instruction ID: 7d3737d76d5edf826e5240f23279997b699fabae6e65718962aa517e96ccb881
Opcode Fuzzy Hash: 67d928c08aaca04b29cb4980ef207d1e067f30a8e305307597b269e6bde5d93d
Instruction Fuzzy Hash: D8118E36A00719CFCB26CF58D8408DAFBF6FF88360F14856AD546A7255E731AD45CB50

Function 01702201 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fdb565635245f0322d304729863c82f3a82354c70310e435ad7ebb7113c0a3d
Instruction ID: f06eee413a9ea7f2901e12b9aa482f7bf1170017d8bd3363aecf538dbd36e116
Opcode Fuzzy Hash: 6fdb565635245f0322d304729863c82f3a82354c70310e435ad7ebb7113c0a3d
Instruction Fuzzy Hash: B8118232D0565A9BCB01DFA9CC404CDFBBAFFCA310B1982A7E114B7161E7712946CBA1

Function 0170B038 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4596294c6bd8c1a54c0b2a84db184f1b4c3a7f154353a57726b404f02d8b182
Instruction ID: 5a0a4a3d2c862f975534d02bdba10530f863a15e41418b1242464a30440a50b8
Opcode Fuzzy Hash: e4596294c6bd8c1a54c0b2a84db184f1b4c3a7f154353a57726b404f02d8b182
Instruction Fuzzy Hash: A9116132D1074A9BCB05DFA4DA400DDFBBAEFD6310F2606A7E115B7161E7702A46CB60

Function 01701F08 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e031846760fa5f49cb5b6ae4d4f6ebcb6156e3274a59ee0ed285deb225cccae8
Instruction ID: c3ec6814e54ac8a8a349ee79e9cedcb77a7aeef5988220ea877557707f995f08
Opcode Fuzzy Hash: e031846760fa5f49cb5b6ae4d4f6ebcb6156e3274a59ee0ed285deb225cccae8
Instruction Fuzzy Hash: FA115231D1060E9BCF00DFA9D9805CDFBB9EF99310F254616E414B7250E7707A86CB60

Function 0170BD17 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23597b53fc815b8355cba4aa0ff292886fd2ed6c1d71fa2b615f24261b6cc6f
Instruction ID: a1e8cc562e36141c57a490c2b9e67de69998dfb7e0463fe092e00f19ed5deaca
Opcode Fuzzy Hash: a23597b53fc815b8355cba4aa0ff292886fd2ed6c1d71fa2b615f24261b6cc6f
Instruction Fuzzy Hash: AC11C632D1434A9BCB02DFB8D9500DCFFB6EE89310F194A97D000B71A1E7342589C765

Function 0170A708 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35e8543e3eba1784f24fdb6a346c482ef08ce946b35ac773ec50a4b0cb2cc9b
Instruction ID: 4273f915dfe579470f30a42435b01b12682d37e1ddae9538aaa792aaeb2fe233
Opcode Fuzzy Hash: f35e8543e3eba1784f24fdb6a346c482ef08ce946b35ac773ec50a4b0cb2cc9b
Instruction Fuzzy Hash: A6115E32E1060E9BCB00DFA9C8804CDFBB6EFC9310F258656E514B7264EB70394ACB50

Function 01706170 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650ad0e4dee1f36f9da4c552a1ccb2c0ef3727617c375b7e239cf7a208a974c1
Instruction ID: aa95b9320ecc0705c62f2081476f47fe8176bb86a419828bfef3b431037af54e
Opcode Fuzzy Hash: 650ad0e4dee1f36f9da4c552a1ccb2c0ef3727617c375b7e239cf7a208a974c1
Instruction Fuzzy Hash: 25118232C0474A9BCB01DBB8D8005DDFFB6AFC6310F158696D101B70A1E774259AC7A1

Function 0170C358 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e129b06a63ccff32e445dc0f726328d01cf7708b9c4c7dc06e85fe70d2be9a
Instruction ID: 5b68c925517ccadb4955f022c9db54204adbf7fc08d6a7d46860d358d190b060
Opcode Fuzzy Hash: c9e129b06a63ccff32e445dc0f726328d01cf7708b9c4c7dc06e85fe70d2be9a
Instruction Fuzzy Hash: 18118432D1574A9BCB06DBB4D8040DDFFB2EFC6320F1A4696E101B71A1E774258AC791

Function 017054A0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ce4b060310978c462c33c15e77a236b00184008d5ba61052ac46d555aeae68
Instruction ID: 07613284e71a32571df059782f6dacee8d7335d707d45ec98e33b327adea71d0
Opcode Fuzzy Hash: 38ce4b060310978c462c33c15e77a236b00184008d5ba61052ac46d555aeae68
Instruction Fuzzy Hash: F401D632D1071A9BCB05CFA4DD800DCFBB6EF86320F1A4692D111B71A5E774254AC751

Function 01708B7A Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84608a33149fce58ec436619e817bc7d2861228c6e80c4cebebf4b6bc3110897
Instruction ID: 5d8891d36c22770b682b16ed554f6ab1c3ac4f272944d224fa077511b7f2604b
Opcode Fuzzy Hash: 84608a33149fce58ec436619e817bc7d2861228c6e80c4cebebf4b6bc3110897
Instruction Fuzzy Hash: 141125B5900749CFDB20DF9AD584BDEFBF4EB48324F208459D459A7250C734A940CFA4

Function 01708B7C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f280ac4d545018941c26bbb75b422ceb9d08190d9f89e26c6a266ad17bfbb87
Instruction ID: 3519a61efcb7cc0080cd71441abb4a0b4a31efe9726b86086751c0b2af1f62f4
Opcode Fuzzy Hash: 3f280ac4d545018941c26bbb75b422ceb9d08190d9f89e26c6a266ad17bfbb87
Instruction Fuzzy Hash: 9A1122B5900748CFDB20DF9AC888BDEFBF4EB48324F208459D519A7250C374A940CFA4

Function 017061F0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7818cbe948dc3640a0eb03a0453353f7927320c66ea4efe328e2916e7c54eb14
Instruction ID: 45f6a284ea187fc81eafa20123a654a6b92b137fd4170925664e0bc29badc903
Opcode Fuzzy Hash: 7818cbe948dc3640a0eb03a0453353f7927320c66ea4efe328e2916e7c54eb14
Instruction Fuzzy Hash: 0001D671D00309DBDB15EB68C8665EFFFF6AF84310F054529D502AB291EE705A178BC2

Function 0170C32F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8744f0094ed27f07bf764c36e40880a32fab74aaef3f262b3f61799ae715446
Instruction ID: ff4fb17270cbc5755b69e0eb31739a5180754ee9d5d13d1e3617bb0fb3759cae
Opcode Fuzzy Hash: d8744f0094ed27f07bf764c36e40880a32fab74aaef3f262b3f61799ae715446
Instruction Fuzzy Hash: DF01BC36D0034ACBDF028BA4D9001DCBFB5EF96360B4A02D2D001A75A0EA386946CB61

Function 01700877 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb7f086116bbbb7d047b9dd15e378da5a1444564002ccf0c4e26b70fb580325f
Instruction ID: f3183358106fe1d12bf8a1a6b0113ab2fbaae3a55140f70eb10f4980c0b3e974
Opcode Fuzzy Hash: eb7f086116bbbb7d047b9dd15e378da5a1444564002ccf0c4e26b70fb580325f
Instruction Fuzzy Hash: 3B019E32D1065A9BCB01DFB4CD801CCBB76EFC6310F6A0692D001BB1A0E6702A8AC7A1

Function 016AD149 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902496033.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16ad000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b8a8501f62fa62895768373a5855fd224ff69c2b3b273858543c851ccd9f1eb
Instruction ID: 5f383d47f6fb135bbf13f26add0cd2155228ae1bc4bf2def88e6a8ac5a103609
Opcode Fuzzy Hash: 8b8a8501f62fa62895768373a5855fd224ff69c2b3b273858543c851ccd9f1eb
Instruction Fuzzy Hash: F301F7711083009AE7109A6ACDC4767BFA8DF41321F18C52AED080A696C339EC41CEB1

Function 01705528 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90993868e000d5c7b9c5707e7cc4ecfd810bbdacf80a59b1f17f5bc6b66f94e
Instruction ID: 65897e1d65527ed8a947801d5774e7b34449aaad14f4199e78b5f30287b3457c
Opcode Fuzzy Hash: c90993868e000d5c7b9c5707e7cc4ecfd810bbdacf80a59b1f17f5bc6b66f94e
Instruction Fuzzy Hash: 1F01F47290030A9BCB019F64C8565EFFFAB9B44710F648426C503EB285EE72A5078BD2

Function 0170B048 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad3504add4e9f059d236c8e3d590a431218d28395aff447f1bb83e1007bc68e
Instruction ID: 28d44db57b1fdf3862d62355655f596f59487a7d9b227a3e04462795698e5397
Opcode Fuzzy Hash: 9ad3504add4e9f059d236c8e3d590a431218d28395aff447f1bb83e1007bc68e
Instruction Fuzzy Hash: BF014432D1060A97CB04DFA9D9405CDFBB6EFD9310F650666E10577160EB703A46C750

Function 01704080 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658edd4c2c7ad626def99c967956fcedadf143a7d36827610d1d123fde25446c
Instruction ID: eabed4465606b09ff42f0db8d944b323e7a6d1d644da9736730080521c544243
Opcode Fuzzy Hash: 658edd4c2c7ad626def99c967956fcedadf143a7d36827610d1d123fde25446c
Instruction Fuzzy Hash: 2C018F32D0160EA7CB00DBA9DD800DDFBBAEFC9310F654666E11173150EB742A8AC790

Function 0170A34F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75ee47571a8d8459500127da2d22f05d68b305449e391514c7bed16395b12278
Instruction ID: e8ae1a9e1f01517555f0cead010cf62fd43249ec9ced3462cdd46c540fa941e4
Opcode Fuzzy Hash: 75ee47571a8d8459500127da2d22f05d68b305449e391514c7bed16395b12278
Instruction Fuzzy Hash: 8401D672900305DBCB059B68C5156EFFFE35B84720F058526D512BB680DEB0664687C2

Function 01705D51 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5fcd3a44512449966dc2ee00e1d8fbacf1d6735a33f78e1aac3b8f47cb51423
Instruction ID: 4906f1f1d3103ec2a30337228788796702fbdcca81e29ef423482dba55a734ad
Opcode Fuzzy Hash: a5fcd3a44512449966dc2ee00e1d8fbacf1d6735a33f78e1aac3b8f47cb51423
Instruction Fuzzy Hash: 1E01817690130AEBCB0A9B60C4999DEFFF69B44310F15482EC512AB291EE7156478BC1

Function 0170BD28 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027361fb8bf6f4c5d90eefac32af0353477b7b135b9a0e7b7f5caef963278cb9
Instruction ID: f6555afc9106dc0c1798e75815f6d949508ed5ee4495c690e872d89bf752fded
Opcode Fuzzy Hash: 027361fb8bf6f4c5d90eefac32af0353477b7b135b9a0e7b7f5caef963278cb9
Instruction Fuzzy Hash: B6014F32D1061AA7CF00DFA9D8404CDFBB6EFC9320F154666E111B7160EB70258ACBA0

Function 01709FC0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a0d235ebaa2c1a863dfd1b209258b3873754d5ccffaeb4305510e85b091387
Instruction ID: 92fa1fc34b703473dc5ea65ece0fceb7d5c71fed93dd279ff116270590ea28c8
Opcode Fuzzy Hash: 84a0d235ebaa2c1a863dfd1b209258b3873754d5ccffaeb4305510e85b091387
Instruction Fuzzy Hash: A0016232D1160EA7CF00DFA9D9404DDFBBAEFD9310F654666E11177160EB702A8AC751

Function 0170A037 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d88124333781783dc1c7331caa2cf2cd9c8e5e92520044ae9eaaff9eb8297c
Instruction ID: 900a77cb299e170414393f571f8f1efffc209ab7fb47ee626178f7c2c03f55a7
Opcode Fuzzy Hash: b3d88124333781783dc1c7331caa2cf2cd9c8e5e92520044ae9eaaff9eb8297c
Instruction Fuzzy Hash: 09F0F472A1030ACBCB15DB60C6556DFFFF6AB84310F14882AD00267280EEB5268B8782

Function 017040F8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7153128ab40787c6e6aa85d224eb9ab3312bed5d2a1a75cec0da0aa2c7e49c7d
Instruction ID: f802a625304a2d085907044a1ca3c8175df48159fd623189a5a9f5ddf3c45996
Opcode Fuzzy Hash: 7153128ab40787c6e6aa85d224eb9ab3312bed5d2a1a75cec0da0aa2c7e49c7d
Instruction Fuzzy Hash: 7A01F971A10345ABCB06DB34C45959FFFB79F44310F19859AD102AB291DEB15506C7D2

Function 0170A7A0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c0f3f259257fb30bd02a8bb7cc30e60587da2a25c22abc3efaaf855f6d79a2
Instruction ID: a877b4abcf938d6fedd8669a0b6b58b279680fdf8eeb21bef6be2e15c29434c2
Opcode Fuzzy Hash: 98c0f3f259257fb30bd02a8bb7cc30e60587da2a25c22abc3efaaf855f6d79a2
Instruction Fuzzy Hash: 4901F472A10305EBEB06DB64C115AEFFFF65B94321F05846AD112BB291EEB15A07CB81

Function 01704910 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa8608b2f010b96b7a66439717533e6320fc10d10fd8927aee0a17f6b65b0ba
Instruction ID: b25d4128df43172d4c5a3af63502cd98fc2da5fd65e33fd50a700c613ecca23c
Opcode Fuzzy Hash: 7fa8608b2f010b96b7a66439717533e6320fc10d10fd8927aee0a17f6b65b0ba
Instruction Fuzzy Hash: E8F0C8727083909FC7138A1C984495AFFF59EC626031980BBE949CB3A7C6359801C761

Function 017028D8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4b1973fcb244025ae6d5624f4ea201a3caa3669d402f0348c1d645eeaa91d3
Instruction ID: bd844da61f98a5842f6285e9ac4b044eab6e8d82aa12713cd160e32ab7a4469b
Opcode Fuzzy Hash: 6b4b1973fcb244025ae6d5624f4ea201a3caa3669d402f0348c1d645eeaa91d3
Instruction Fuzzy Hash: 67F0C232950319E7DF16DB24C8299DFFFFA9F44314F448829E842BB391DEB259468782

Function 01702298 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 964ed979dabea38d0021ee318b22022fa9094821d06258424e7405a79c672c99
Instruction ID: a9fb3c8aa36e30752f454d5102999b5a3d165d39fa491e6ec06aebd32b037a08
Opcode Fuzzy Hash: 964ed979dabea38d0021ee318b22022fa9094821d06258424e7405a79c672c99
Instruction Fuzzy Hash: E801D13291030997CB15DFA4C4546DFFFBAAF44710F14866AC412AB291DE71660687D2

Function 0170BD9F Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c6d0877cefbc537ae4ad643be0a5c25edfae024398b46c91e91de4eed5a2be
Instruction ID: e00658396320778d04d49fd94b53bb249ad2cdad281ee85081e134c953df9675
Opcode Fuzzy Hash: 39c6d0877cefbc537ae4ad643be0a5c25edfae024398b46c91e91de4eed5a2be
Instruction Fuzzy Hash: 5DF0FF7A9103088BDB019B68C5256EFFFF35B88300F08482AD102B7390CE706A4786C2

Function 01702CD0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9dc9dac3fd62724305b3791ace73e5065186d545784fedccc63cac30be4744
Instruction ID: 177535c507b110813acf1168f2bc970d8759de53e5e218197cd546fa6a01d9eb
Opcode Fuzzy Hash: eb9dc9dac3fd62724305b3791ace73e5065186d545784fedccc63cac30be4744
Instruction Fuzzy Hash: C5F02273910209DBCB1ACB70C4699DFFFF69B89310F04856AC102AB291DF719A8387C2

Function 017054B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03475fe8a82561fc33b67dcb6db6e3548c5c2840693b07febe314d685bdda7e
Instruction ID: d68e67e6f4e7cf800d005d45ec891605037ae21a1bfeb537174c6010428aa00d
Opcode Fuzzy Hash: d03475fe8a82561fc33b67dcb6db6e3548c5c2840693b07febe314d685bdda7e
Instruction Fuzzy Hash: 8F01D132E1061AABCB00DBA9DC404DDF7BAEFC9310F154662E011B7160EB70298AC790

Function 01701FA0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b55b12f190ea44f07f8d6cbce062e408d0b940a9d1169a4538d156cbdfb18d
Instruction ID: 0b3279141d9e96371bc23b4097cd7df452dc5055b127dad515ecfa2d579a27c0
Opcode Fuzzy Hash: 87b55b12f190ea44f07f8d6cbce062e408d0b940a9d1169a4538d156cbdfb18d
Instruction Fuzzy Hash: F0F0F4B6D11305DBDB16CBB0D5956EEFBE65F48320F4C88298106BB286DF709906C7A2

Function 0170C3DC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea2489dbeab220bf0ea7ce336ecc006bc695173c57ebe6f1b7a83d2ba58cd18
Instruction ID: 9d7766ff26a7462b9dbb8d68e24ca36fbe35370de40846ae78a722db79d5ae96
Opcode Fuzzy Hash: 9ea2489dbeab220bf0ea7ce336ecc006bc695173c57ebe6f1b7a83d2ba58cd18
Instruction Fuzzy Hash: 7CF0F4B2910205CBCB06DB74C5556AEFFB6AF80310F0586A6E512BB295DF706506C7D2

Function 0170C6BC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba7bb4a7e60d5ee7290753c68192d8fa86f1f861d79d90a944b05fb51a6b83b
Instruction ID: 5285d4d0ee0acadc51a8e845685a1866926ddc2c13d27c01598ef028a1fcf0b9
Opcode Fuzzy Hash: 0ba7bb4a7e60d5ee7290753c68192d8fa86f1f861d79d90a944b05fb51a6b83b
Instruction Fuzzy Hash: DC018136D1060F96CB00DBA5C8414EEFBB6EFCA320F295651E110771A4EB70328ACBA1

Function 017008F9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc32dca060405a8491fea6a45b6a7507262cae391c123893e0f625e60c82276d
Instruction ID: 664fa886851da9dfacc9e8cdb6309c1b3f6baf06a7b0a0c6a811263948e87f8e
Opcode Fuzzy Hash: cc32dca060405a8491fea6a45b6a7507262cae391c123893e0f625e60c82276d
Instruction Fuzzy Hash: 60F0C8719102099BDF05EF64C9A55EFFFB69F44300F048425D416AF294DE705A06C7D1

Function 0170D8CF Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1617ed82457c5adadb31a13b650de3aa2e13004486d708998cd144f8f4293d02
Instruction ID: a7f4f89a33fb1236f5946a2bc7e344bfe31836b532eb1ff6dbcc109e10572806
Opcode Fuzzy Hash: 1617ed82457c5adadb31a13b650de3aa2e13004486d708998cd144f8f4293d02
Instruction Fuzzy Hash: 5DF03176D1022A9ECB01EFE8D8444DEFBB5FE94724B048666C514A7204E7706659CB91

Function 0170C6C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9524c045c3c879f8a03af4cee103262f7784504afc1d49a613137de605d2c71b
Instruction ID: d68014d9189deecce97dda7c454ed76eff587d4828aab44243ee257626b49e30
Opcode Fuzzy Hash: 9524c045c3c879f8a03af4cee103262f7784504afc1d49a613137de605d2c71b
Instruction Fuzzy Hash: 4AF03136D5060F96CB009BA5C8414EEFBB6EFC9320F695651E51077164EB70318ACBA1

Function 0170B0C0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d39619f1b2f56b13a813d3dc22861abfae7cbb9dc0e41d1f2c081e58a03f19
Instruction ID: 8b49089e1210f61de96b8a8254203db7ec50cfab6c2934e7df2d9bb152682a92
Opcode Fuzzy Hash: 09d39619f1b2f56b13a813d3dc22861abfae7cbb9dc0e41d1f2c081e58a03f19
Instruction Fuzzy Hash: 43F0F031E1020A8BDF169B68C5695EFBFA34F44300F04852AE012FB284EF70AA07C7C2

Function 01702782 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8fc02f6989b436c4fa2353f4b0a924f15ebcb40fb2ea722fdcd0b6538518723
Instruction ID: 931c8a5ac0c09a609fdf36588dfa203dc5936602a635167448677a47d6c09368
Opcode Fuzzy Hash: a8fc02f6989b436c4fa2353f4b0a924f15ebcb40fb2ea722fdcd0b6538518723
Instruction Fuzzy Hash: 27014671A002458FDB06CFACD584A9CFBF1BF89220F5582A5E029EB2A2C730D881CB10

Function 016AD148 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902496033.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16ad000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e23a9a256c764f6b3718283165126a0396b88be8235b85db613ff6a16155e2d
Instruction ID: 292546ed63fba7eaacca27e6512a7098022eb094ae060f8ce8aca552d38840fe
Opcode Fuzzy Hash: 0e23a9a256c764f6b3718283165126a0396b88be8235b85db613ff6a16155e2d
Instruction Fuzzy Hash: A1F062715043449AE7119A1ADCC4B62FFA8EF41635F18C45AED084A797C379AC44CAB1

Function 0170C73B Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e9e35e8434c1971d609947207a2376083f475553549efb2ab4154ea3aed404
Instruction ID: 96a29ac701d832b162b19681c884ee5edd15388dc404e552b029e91359077ddb
Opcode Fuzzy Hash: f9e9e35e8434c1971d609947207a2376083f475553549efb2ab4154ea3aed404
Instruction Fuzzy Hash: A0F09075A10605D7DB169B64C5559EFFBF69B84300F05496AD002BB380EF70590687D2

Function 01704A31 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b8e09aadd7f5b471320b631a7a1f6b3d918882d75e02e3f70d5c62d3c66494
Instruction ID: 092a69d90788921694f4b4c3384b71670e33fdf5d4bce248d5467d4b23a0ba82
Opcode Fuzzy Hash: 17b8e09aadd7f5b471320b631a7a1f6b3d918882d75e02e3f70d5c62d3c66494
Instruction Fuzzy Hash: 1CF03271D1031B8FCBA1EFA8D8455EFBBB1FE96320B11896AD114B7050E7701A8ACB90

Function 01700908 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e9cfee0b005ddf7b9eaf7296b42b5799a1b3430f320ca6ab74810aa7f4c3a9
Instruction ID: 42ce4a59a4cbabf67d36921185287204a2153aee9f63265e10893ef978342eac
Opcode Fuzzy Hash: 80e9cfee0b005ddf7b9eaf7296b42b5799a1b3430f320ca6ab74810aa7f4c3a9
Instruction Fuzzy Hash: 55F0E972D2010997DF15DB74C4656EFFFF69F84310F004525D002B7284DE70690687D2

Function 0170A360 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34093caa53f1854888a6b7da311b43c14a83d9492b75bf3f7be5575adfc6129b
Instruction ID: ce1f27e20b85fea4b39686a509e66974bbee84caa175ad9a980ec8c7fc348569
Opcode Fuzzy Hash: 34093caa53f1854888a6b7da311b43c14a83d9492b75bf3f7be5575adfc6129b
Instruction Fuzzy Hash: B8F0B471D1020997CB159B64C8559EFFFE69B44310F018425C102B7280DEB0690687D2

Function 01705351 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265b847a5a5614aa0624665b212d12e08361cb5f79c1caf4a95d76cac4ca7a79
Instruction ID: 9216392f2a92841613c8bbdbfcd29eedac3faa1898ffbdfdf5c025cf5055d146
Opcode Fuzzy Hash: 265b847a5a5614aa0624665b212d12e08361cb5f79c1caf4a95d76cac4ca7a79
Instruction Fuzzy Hash: 57F082721093519FC307E7289850456FFF97F9222070EC49BE184DB0E3D510ED45CBA5

Function 0170C3E8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1156e711bba6a3ee9cbba8c8dd795a607801214e6f666acbc104ef4554e5084
Instruction ID: c5973a170eacd8232b03d6289e6d977aa6947b2fdb314e5a634ed8dd1d4b8b0c
Opcode Fuzzy Hash: a1156e711bba6a3ee9cbba8c8dd795a607801214e6f666acbc104ef4554e5084
Instruction Fuzzy Hash: 27F08272E102099BDF15DB64C4659EFFFFAAF84300F15892AD512BB280DEB0690686D2

Function 01706200 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a28dc431e907b2641419fe8e9b021a87a7da9f509d3b5174a1766248c5492b7
Instruction ID: d042e5d06f7394a7faa85f85f7ce6006c6440f6bd04e5f471c5d79c73876bf3d
Opcode Fuzzy Hash: 8a28dc431e907b2641419fe8e9b021a87a7da9f509d3b5174a1766248c5492b7
Instruction Fuzzy Hash: 32F08971D1020997DF15DB64C8655EFFFF65F84300F054525D412B7284DEB0690687D2

Function 017022A8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0264e79e25a42921e27b8f5d8d5cc70e0b6c5e301623b0fc052f6d33b067a61e
Instruction ID: 411b588c8486bbd3efe72dba6ce6dac31b155083183a23b525129235ac9dc028
Opcode Fuzzy Hash: 0264e79e25a42921e27b8f5d8d5cc70e0b6c5e301623b0fc052f6d33b067a61e
Instruction Fuzzy Hash: D1F08972E1020997DF15DB64C4655EFFFFA9F44300F454526D412B7384DE70690697D2

Function 01705D60 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e5da336c670de8153d9cbff7dd9488b0c03b39466e18315d2fa6d74cfe4956
Instruction ID: 8d2a29233154831fb3a4d456b6da87d98cd7bc9e1580de785ac5c521e3d49302
Opcode Fuzzy Hash: 52e5da336c670de8153d9cbff7dd9488b0c03b39466e18315d2fa6d74cfe4956
Instruction Fuzzy Hash: FAF08272A10209E7DF15DB64C8699EFFFF69B84300F05892AD512B7280EE7069478BC2

Function 01702CE0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc337b0af2effa34f13cc12a8362109a42fe0f657cefbd063c6eb42beaae2ed4
Instruction ID: 4c0770e70702fa9eed6900973a89d211f83b915b68a78955205f67bac092b550
Opcode Fuzzy Hash: dc337b0af2effa34f13cc12a8362109a42fe0f657cefbd063c6eb42beaae2ed4
Instruction Fuzzy Hash: E7F08272E10209D7DF15DB64C8699EFFBF69B84310F05892AD512BB380DFB0594687D2

Function 0170D940 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 032e245693c6986204affa25f450770b0905bd4d56906a7e57995d80ccd33330
Instruction ID: c4878db9a8962025af817fe2a4d87728a78cd8752fefa3d16b9ce6db7d8d5c52
Opcode Fuzzy Hash: 032e245693c6986204affa25f450770b0905bd4d56906a7e57995d80ccd33330
Instruction Fuzzy Hash: BAF01D71D1022B9FCB01EFA5C8444DEFBB5FE95610B058A96C514AB204EB70AA49CBD1

Function 017013A1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a84d0005e9a29f4de9f259907dbf671c0f38d4950ca217c5ca7c29b6a001554
Instruction ID: 7307673008b86a68698fbdacaa8dbb0535486194378c1dae62e49ac24c3ef6f9
Opcode Fuzzy Hash: 1a84d0005e9a29f4de9f259907dbf671c0f38d4950ca217c5ca7c29b6a001554
Instruction Fuzzy Hash: 2EF09A70C0430A8BCB02EF6488421ADFFF1BB06210B9882AAC908F7256E631A6418BC1

Function 01700839 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c6c8d9a2ad7fea108fa3a5022e2e876957ee3ae74f0db28bea5adc25ad0ec1e
Instruction ID: 5d951a90bf256840e57be05a5d7179675268060ed534cb3d725e9f51cbafb20c
Opcode Fuzzy Hash: 1c6c8d9a2ad7fea108fa3a5022e2e876957ee3ae74f0db28bea5adc25ad0ec1e
Instruction Fuzzy Hash: A8F0157180A3849FD703CFB88995358BFB5BB82284F6940D6E488CF1ABD6368A51D751

Function 01702195 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e76b1ff22b668a866b276185f0ea3761962b813269549a1464276d846e21a49
Instruction ID: 405aa5d738304eabd7f81baf21f0069600f2485d9b759ba219cb122d80ac80c9
Opcode Fuzzy Hash: 5e76b1ff22b668a866b276185f0ea3761962b813269549a1464276d846e21a49
Instruction Fuzzy Hash: DCD02B36F443288FC7059F69DC000DCFBA2EBC053071482A6C01557267C7B4C6434BA1

Function 017021A6 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7c40bdfa2efb5cc6d0d9d0c9cddfb9a12a4db8192faf39533caf9712accb40
Instruction ID: b758ff67f5874de0ea8b152931607c14116051f8370e77b406442f5f74a26101
Opcode Fuzzy Hash: ee7c40bdfa2efb5cc6d0d9d0c9cddfb9a12a4db8192faf39533caf9712accb40
Instruction Fuzzy Hash: FBD05B75B543199FCB449FADE8144DCBBE0DBC413071441AAD12AD7297D770C5514B21

Function 01702EB2 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7dfa02c8d27ff7a6a0e4975a4ad8808ec888fd29abad8489aa52cfcac5063d6
Instruction ID: d6186249400a95a5bed0344eacb7f82d0a631d804d5c0547ba3285e38120563e
Opcode Fuzzy Hash: f7dfa02c8d27ff7a6a0e4975a4ad8808ec888fd29abad8489aa52cfcac5063d6
Instruction Fuzzy Hash: 6FD05B72B442458ECB549FACA90459CBBE0DFC513075581ABD459D72A3D7308552C721

Function 01700848 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c6a93e68071cdb454ab6f1a624d24cc883f10987840605cda0cd71b9fc70ca4
Instruction ID: 99d5c98f357ebe680f2fb3505de075427d9973cd99a703bb6699dbf3aa863618
Opcode Fuzzy Hash: 5c6a93e68071cdb454ab6f1a624d24cc883f10987840605cda0cd71b9fc70ca4
Instruction Fuzzy Hash: 57D01771905348AFEB12CFB8C94975DBBF8AB45280F604496E449C7245DA31DE50D791

Function 017013B0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef043d575c0f54f122b0501c9fa8b484036c79d8b33f2a125a1e09fb6ee5efe
Instruction ID: 97433b8f75f0f6a7477fdde275d5c148662a37fffeece299bf7d96c65633db0c
Opcode Fuzzy Hash: fef043d575c0f54f122b0501c9fa8b484036c79d8b33f2a125a1e09fb6ee5efe
Instruction Fuzzy Hash: 77E042B4D0534E9F8B40EFB998421AEFFF5AB48210F5085AA9908E3244E67456518BD1

Function 017027E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775a03903eee25d3e79f0daea74d8927753a038885c1e8f95f78985b99202441
Instruction ID: 6e618fba2a6a64b0d020644893ab2de72d5b17a2af84dc10741499c4f650a5f7
Opcode Fuzzy Hash: 775a03903eee25d3e79f0daea74d8927753a038885c1e8f95f78985b99202441
Instruction Fuzzy Hash: 52D05E36B493098FCB099FACE40409CBBE0DA84230715C1BBD11AC72E6D630C5558721

Function 017027D7 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c25a95ba2be14e2df503d1b0dbdaed249db26a88e50f111ef327d9a7cdc5ed
Instruction ID: 80a0304c22090e94d889ddd9c8e324ac2c432bd66620a7dc0dbf98b4ae196adc
Opcode Fuzzy Hash: 92c25a95ba2be14e2df503d1b0dbdaed249db26a88e50f111ef327d9a7cdc5ed
Instruction Fuzzy Hash: C8D05E76A552058ECB08CBA8E8444ACBBA0EBC023075581BAD11A8B2A2D67085528710

Function 01702BEE Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed5f6243ca5de345f7457f982e86a0672874c8ac847111bafc1a1d8789cf73cf
Instruction ID: cf0d84b73796fe7c6ca26751f6893fbe00764d5f7b526fc1d4cba9d1215e32ff
Opcode Fuzzy Hash: ed5f6243ca5de345f7457f982e86a0672874c8ac847111bafc1a1d8789cf73cf
Instruction Fuzzy Hash: 86D0A932B452098F8B219FECA9005DCBBF0EAC513170482A7C569A72A6DB208495C732

Function 0170AC13 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b018413b0f11a5787018858aa4a5bbd6f9725aca8c0730734d4f3b0be78683
Instruction ID: 415ff340a2dbbc36d5c5d8efbffbafb4287c6f18cb5f15e34e42818bde470345
Opcode Fuzzy Hash: 71b018413b0f11a5787018858aa4a5bbd6f9725aca8c0730734d4f3b0be78683
Instruction Fuzzy Hash: 32D0A721B443098F8F109FBCD8000DCBBE09AC4130B0001A6D026931A6C760C5928732

Function 0170D782 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c53547a4d57696c93c318ac4b469d586a47ff51e4292839af5508a24b7b7da7
Instruction ID: cc4bb25f9e45fe71630d09709e16fa681087c84af38735c73e6ca5f4362d0e71
Opcode Fuzzy Hash: 4c53547a4d57696c93c318ac4b469d586a47ff51e4292839af5508a24b7b7da7
Instruction Fuzzy Hash: 7ED0A932B462088FAB219AE8A8000DCBBA0DA8523470002A2C226932A1D62098928722

Function 01705E93 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946bcc08458132fad124983797f37a4a89e5c18a6bc8238c0c80358353e002b3
Instruction ID: c1a7727df81d88964b82ec143af745b89e35aa7e4624409715f14581cfdaad66
Opcode Fuzzy Hash: 946bcc08458132fad124983797f37a4a89e5c18a6bc8238c0c80358353e002b3
Instruction Fuzzy Hash: 03D0A732B402098F8B109FAC99001DC7BE0DAC513170081A2C555A71A1D730C951C732

Function 0170A180 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9cb93a118131d38687dc0aef7ef2add803a71b21938a934c9c3b8eb1f9799f
Instruction ID: 57dadef695ca53858cfa8ec8a2526a091f944236ec728822de32ccd23b884e70
Opcode Fuzzy Hash: 4c9cb93a118131d38687dc0aef7ef2add803a71b21938a934c9c3b8eb1f9799f
Instruction Fuzzy Hash: F4D0A932B003098FCB119BE8E4000DCBBE0CAC4131B1001A2C11A832A0C6208E9A8722

Function 0170D294 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2902734579.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1700000_HOrW5twCLd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f491b04a33843fae25ae0fe9bbfb9df65faae8b47af773fc03fa1001013541
Instruction ID: 0f73fba0d6ea021acce91e456e3e0be3e0de93e57465c9fa2e6c534ae4e2c226
Opcode Fuzzy Hash: a9f491b04a33843fae25ae0fe9bbfb9df65faae8b47af773fc03fa1001013541
Instruction Fuzzy Hash: 3DB0012091D3C0DFCF635BE499A96B47FE9DD4720130A28D2D1868B0A6D51614A6D722

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HOrW5twCLd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: XenoRAT

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HOrW5twCLd.exe.log

C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe

C:\Users\user\AppData\Local\Temp\XenoManager\HOrW5twCLd.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
HOrW5twCLd.exe