Edit tour

Windows Analysis Report
EjNEMp1NTE.exe

Overview

General Information

Sample Name:	EjNEMp1NTE.exe
Analysis ID:	595258
MD5:	c32236e62a5f3e063ab9a58dacae12df
SHA1:	aafd28e4ec78bf445acd1086662b1b03249ed5cc
SHA256:	7cf948f69d8a5ab76b2b35078ccc8ab8e91660b608509a8e6c6db52baec6281c
Tags:	exeRedLineStealer
Infos:

Detection

RedLine

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Sample file is different than original file name gathered from version info

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to detect virtual machines (STR)

Internet Provider seen in connection with other malware

Binary contains a suspicious time stamp

Detected potential crypto function

Yara detected Credential Stealer

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Enables debug privileges

Classification

Process Tree

System is w10x64

EjNEMp1NTE.exe (PID: 6376 cmdline: "C:\Users\user\Desktop\EjNEMp1NTE.exe" MD5: C32236E62A5F3E063AB9A58DACAE12DF)

conhost.exe (PID: 3600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["54ea-20-124-134-110.ngrok.io:80"], "Bot Id": "fondi"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
EjNEMp1NTE.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
EjNEMp1NTE.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
EjNEMp1NTE.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x16602:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165e3:$v2_6: GetUpdates

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.414194654.0000000000A42000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000000.414194654.0000000000A42000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.681750043.0000000000A42000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.681750043.0000000000A42000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: EjNEMp1NTE.exe PID: 6376	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: EjNEMp1NTE.exe PID: 6376	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.EjNEMp1NTE.exe.a40000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.EjNEMp1NTE.exe.a40000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.EjNEMp1NTE.exe.a40000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x16602:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165e3:$v2_6: GetUpdates
0.0.EjNEMp1NTE.exe.a40000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.0.EjNEMp1NTE.exe.a40000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.EjNEMp1NTE.exe.a40000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x16602:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165e3:$v2_6: GetUpdates
Click to see the 1 entries

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 54ea-20-124-134-110.ngrok.ioContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: 54ea-20-124-134-110.ngrok.io

Source: EjNEMp1NTE.exe, 00000000.00000002.682517362.00000000010EA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: EjNEMp1NTE.exe, type: SAMPLE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.EjNEMp1NTE.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.EjNEMp1NTE.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen

Source: EjNEMp1NTE.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: EjNEMp1NTE.exe, type: SAMPLE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.EjNEMp1NTE.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.EjNEMp1NTE.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: EjNEMp1NTE.exe	Binary or memory string: OriginalFilename vs EjNEMp1NTE.exe
Source: EjNEMp1NTE.exe, 00000000.00000000.414194654.0000000000A42000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs EjNEMp1NTE.exe
Source: EjNEMp1NTE.exe, 00000000.00000002.682517362.00000000010EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs EjNEMp1NTE.exe
Source: EjNEMp1NTE.exe	Binary or memory string: OriginalFilenameImplosions.exe4 vs EjNEMp1NTE.exe

Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Code function: 0_2_0108DE10	0_2_0108DE10
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Code function: 0_2_0108D2F0	0_2_0108D2F0
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Code function: 0_2_02E521D8	0_2_02E521D8
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Code function: 0_2_02E568F8	0_2_02E568F8
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Code function: 0_2_02E5BE80	0_2_02E5BE80
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Code function: 0_2_02E51D98	0_2_02E51D98
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Code function: 0_2_02E50190	0_2_02E50190
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Code function: 0_2_02E52610	0_2_02E52610

Source: EjNEMp1NTE.exe	Virustotal: Detection: 68%
Source: EjNEMp1NTE.exe	ReversingLabs: Detection: 92%

Source: EjNEMp1NTE.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\EjNEMp1NTE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\EjNEMp1NTE.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\EjNEMp1NTE.exe "C:\Users\user\Desktop\EjNEMp1NTE.exe"
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\EjNEMp1NTE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3600:120:WilError_01

Source: classification engine

Classification label: mal92.troj.winEXE@2/0@1/1

Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: EjNEMp1NTE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: EjNEMp1NTE.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: EjNEMp1NTE.exe, 00000000.00000002.682736877.00000000011A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: EjNEMp1NTE.exe, 00000000.00000002.682736877.00000000011A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb~U source: EjNEMp1NTE.exe, 00000000.00000002.682736877.00000000011A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdbH source: EjNEMp1NTE.exe, 00000000.00000002.682641665.000000000113D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: EjNEMp1NTE.exe, 00000000.00000002.682641665.000000000113D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mHC:\Windows\System.ServiceModel.pdb source: EjNEMp1NTE.exe, 00000000.00000002.681859898.0000000000BE8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: EjNEMp1NTE.exe, 00000000.00000002.682736877.00000000011A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: EjNEMp1NTE.exe, 00000000.00000002.682698994.0000000001179000.00000004.00000020.00020000.00000000.sdmp

Source: EjNEMp1NTE.exe

Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]

Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\EjNEMp1NTE.exe TID: 6432

Thread sleep time: -45000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\EjNEMp1NTE.exe

Code function: 0_2_00A47EF8 str word ptr [edi]

0_2_00A47EF8

Source: EjNEMp1NTE.exe, 00000000.00000002.682736877.00000000011A5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\EjNEMp1NTE.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\EjNEMp1NTE.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Queries volume information: C:\Users\user\Desktop\EjNEMp1NTE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EjNEMp1NTE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\EjNEMp1NTE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: EjNEMp1NTE.exe, type: SAMPLE
Source: Yara match	File source: 0.2.EjNEMp1NTE.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.EjNEMp1NTE.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.414194654.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681750043.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EjNEMp1NTE.exe PID: 6376, type: MEMORYSTR

Source: Yara match	File source: EjNEMp1NTE.exe, type: SAMPLE
Source: Yara match	File source: 0.2.EjNEMp1NTE.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.EjNEMp1NTE.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.414194654.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681750043.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EjNEMp1NTE.exe PID: 6376, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: EjNEMp1NTE.exe, type: SAMPLE
Source: Yara match	File source: 0.2.EjNEMp1NTE.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.EjNEMp1NTE.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.414194654.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681750043.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EjNEMp1NTE.exe PID: 6376, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	2 Virtualization/Sandbox Evasion	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Timestomp	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EjNEMp1NTE.exe	68%	Virustotal		Browse
EjNEMp1NTE.exe	92%	ReversingLabs	ByteCode-MSIL.Infostealer.RedLine
EjNEMp1NTE.exe	100%	Avira	HEUR/AGEN.1234943
EjNEMp1NTE.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.EjNEMp1NTE.exe.a40000.0.unpack	100%	Avira	HEUR/AGEN.1234943		Download File
0.0.EjNEMp1NTE.exe.a40000.0.unpack	100%	Avira	HEUR/AGEN.1234943		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://54ea-20-124-134-110.ngrok.io4	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnectResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/EnvironmentSettings	0%	URL Reputation	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Endpoint/CheckConnect	0%	URL Reputation	safe
http://54ea-20-124-134-110.ngrok.io:80/	100%	Avira URL Cloud	phishing
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnvironment	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	0%	URL Reputation	safe
http://54ea-20-124-134-110.ngrok.io/	100%	Avira URL Cloud	phishing
http://tempuri.org/Endpoint/GetUpdates	0%	URL Reputation	safe
http://54ea-20-124-134-110.ngrok.	0%	Avira URL Cloud	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE	0%	Avira URL Cloud	safe
https://api.ipify.orgcookies//settinString.Removeg	0%	URL Reputation	safe
http://54ea-20-124-134-110.ngrok.io	100%	Avira URL Cloud	phishing
https://api.ipify.orgcookies//setti	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/	0%	URL Reputation	safe
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdate	0%	URL Reputation	safe
http://tempuri.org/0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
54ea-20-124-134-110.ngrok.io	3.13.191.225	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://54ea-20-124-134-110.ngrok.io/	true	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	EjNEMp1NTE.exe	false		high
http://54ea-20-124-134-110.ngrok.io4	EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettings	EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	EjNEMp1NTE.exe	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/CheckConnect	EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://54ea-20-124-134-110.ngrok.io:80/	EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse	EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnvironment	EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse	EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://54ea-20-124-134-110.ngrok.	EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE	EjNEMp1NTE.exe	false	Avira URL Cloud: safe	unknown
https://api.ipify.orgcookies//settinString.Removeg	EjNEMp1NTE.exe	false	URL Reputation: safe	unknown
http://54ea-20-124-134-110.ngrok.io	EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgcookies//setti	EjNEMp1NTE.exe	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/	EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdate	EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/0	EjNEMp1NTE.exe, 00000000.00000002.683374138.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/actor/next	EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
3.13.191.225	54ea-20-124-134-110.ngrok.io	United States		16509	AMAZON-02US	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	595258
Start date and time:	2022-03-23 13:55:56 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	EjNEMp1NTE.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.winEXE@2/0@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 66 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.152.110.14, 40.125.122.176, 52.242.101.226, 20.54.110.249
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3.13.191.225	RnT6mMyI7d.exe	Get hash	malicious	Browse	6ce0-2001-1bb0-e000-1e-00-c3c.ngrok.io/aa.exe
3.13.191.225	eQDy6dGVwQ.exe	Get hash	malicious	Browse	63e2e5290bcf.ngrok.io/dump.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	arm6-20220323-0742	Get hash	malicious	Browse	34.223.10.74
	RewAXOCv01.exe	Get hash	malicious	Browse	3.138.45.170
	arm7-20220323-0742	Get hash	malicious	Browse	108.152.25.33
	Nueva carpeta.dll	Get hash	malicious	Browse	18.220.165.27
	https://www.evernote.com/shard/s596/sh/5d550225-e9fc-bc76-3ac2-7380d04febe3/25537fb88744f3dd2d188f736373db8c	Get hash	malicious	Browse	54.201.148.147
	mips-20220323-0742	Get hash	malicious	Browse	18.249.114.153
	Nueva carpeta.dll	Get hash	malicious	Browse	18.220.165.27
	walbecgroup.com.htm	Get hash	malicious	Browse	108.128.72.205
	arm-20220323-0742	Get hash	malicious	Browse	18.252.179.126
	PO-768902839.xlsx	Get hash	malicious	Browse	3.140.13.188
	rQWCmgylBA	Get hash	malicious	Browse	54.183.101.65
	http://outlook.office365.certifiedsafepages.net/landing/form/e02bd2c6-cde6-4796-b4ab-952aa099a1c9	Get hash	malicious	Browse	18.203.132.49
	https://app.twilead.com/v2/preview/kEVIB7zuWdsnsikPYeXd?notrack=true	Get hash	malicious	Browse	52.10.86.168
	Fax-53820_kontsumobide.eus.html	Get hash	malicious	Browse	65.9.66.11
	wQHIfaB9eM	Get hash	malicious	Browse	63.34.86.52
	https://ciri-02bditr1x1.hello9037.workers.dev/#info@mypropertygroup.com.au	Get hash	malicious	Browse	99.84.152.63
	68316070.exe	Get hash	malicious	Browse	18.198.4.253
	quNyIeE16H.exe	Get hash	malicious	Browse	3.142.167.54
	INVCC.EXE	Get hash	malicious	Browse	99.84.152.121
	FzBwl3E6is	Get hash	malicious	Browse	18.193.62.156

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.9606506489207
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	EjNEMp1NTE.exe
File size:	97797
MD5:	c32236e62a5f3e063ab9a58dacae12df
SHA1:	aafd28e4ec78bf445acd1086662b1b03249ed5cc
SHA256:	7cf948f69d8a5ab76b2b35078ccc8ab8e91660b608509a8e6c6db52baec6281c
SHA512:	df3814aaa6dc0f9e798a134e8bbde4beb9083c2ebb4317d9d67d8e50f821ca94b230df054e33efeecb59b9716953fdb0bc4efe11cf5bcc2f24b59ac72ba73b0f
SSDEEP:	1536:VqsQLq+8lbG6jejoigI843Ywzi0Zb78ivombfexv0ujXyyed28teulgS6pA:TuZkY8+zi0ZbYe1g0ujyzdcA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..t..........N.... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x41934e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x192f8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x4de	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x17354	0x17400	False	0.448819724462	data	6.01592588145	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x1a000	0x4de	0x600	False	0.375651041667	data	3.72394010022	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1c000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x1a0a0	0x254	data
RT_MANIFEST	0x1a2f4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	0.0.0.0
InternalName	Implosions.exe
FileVersion	0.0.0.0
ProductVersion	0.0.0.0
FileDescription
OriginalFilename	Implosions.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/23/22-14:57:52.184555	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	62929	8.8.8.8	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 23, 2022 14:57:52.203104019 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:57:52.352550030 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:57:52.352735043 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:57:53.079691887 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:57:53.228703976 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:57:53.424510002 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:57:53.573462009 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:57:53.573896885 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:57:53.627427101 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:57:54.892437935 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:57:54.892514944 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:57:54.892544031 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:57:54.892687082 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:03.607213020 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:03.757137060 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:03.757601023 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:03.948492050 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:05.074214935 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:05.074244976 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:05.074258089 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:05.074402094 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:10.086709023 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:10.235687971 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:10.236038923 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:10.236499071 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:10.427243948 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:11.552788019 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:11.552824020 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:11.552841902 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:11.563761950 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:16.717583895 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:16.866539955 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:16.866950035 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:16.911957979 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:17.103245974 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:18.187202930 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:18.187236071 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:18.187248945 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:18.187397957 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:24.097490072 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:24.248399019 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:24.248451948 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:24.249300003 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:24.439352989 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:25.565027952 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:25.565056086 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:25.565069914 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:25.565248966 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:30.578756094 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:30.727823973 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:30.728236914 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:30.728679895 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:30.919338942 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:32.044815063 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:32.044842958 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:32.044856071 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:32.044959068 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:32.091370106 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:37.062261105 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:37.213167906 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:37.213479996 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:37.213898897 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:37.403204918 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:38.532414913 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:38.532681942 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:38.532701969 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:38.532759905 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:38.576186895 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:43.547168016 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:43.696321011 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:43.696639061 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:43.697036982 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:43.887185097 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:45.012464046 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:45.012510061 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:45.012531042 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:45.012630939 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:45.100697041 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:50.032310963 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:50.181309938 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:50.181790113 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:50.263561964 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:50.455238104 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:51.502727985 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:51.502765894 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:51.502780914 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:51.502863884 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:56.517169952 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:56.667521954 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:56.667829990 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:56.668188095 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:58:56.863274097 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:57.984390974 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:57.984436989 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:57.984457016 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:58:57.984561920 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:59:03.002013922 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:59:03.152105093 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:59:03.152137995 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:59:03.152514935 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:59:03.349399090 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:59:04.469626904 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:59:04.469671965 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:59:04.469686985 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:59:04.469805956 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:59:09.486396074 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:59:09.635484934 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:59:09.635858059 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:59:09.636045933 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:59:09.827263117 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:59:10.953403950 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:59:10.953469038 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:59:10.953497887 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:59:10.953676939 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:59:10.954145908 CET	49781	80	192.168.2.5	3.13.191.225
Mar 23, 2022 14:59:11.103300095 CET	80	49781	3.13.191.225	192.168.2.5
Mar 23, 2022 14:59:11.103451014 CET	49781	80	192.168.2.5	3.13.191.225

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 23, 2022 14:57:52.155126095 CET	62929	53	192.168.2.5	8.8.8.8
Mar 23, 2022 14:57:52.184555054 CET	53	62929	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 23, 2022 14:57:52.155126095 CET	192.168.2.5	8.8.8.8	0x88d9	Standard query (0)	54ea-20-124-134-110.ngrok.io	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 23, 2022 14:57:52.184555054 CET	8.8.8.8	192.168.2.5	0x88d9	No error (0)	54ea-20-124-134-110.ngrok.io		3.13.191.225	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

54ea-20-124-134-110.ngrok.io

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49781	3.13.191.225	80	C:\Users\user\Desktop\EjNEMp1NTE.exe

Timestamp	kBytes transferred	Direction	Data
Mar 23, 2022 14:57:53.079691887 CET	6568	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 54ea-20-124-134-110.ngrok.io Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Mar 23, 2022 14:57:53.424510002 CET	6568	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnect xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Mar 23, 2022 14:57:53.573896885 CET	6568	IN	HTTP/1.1 100 Continue
Mar 23, 2022 14:57:54.892437935 CET	6569	IN	HTTP/1.1 502 Bad Gateway Content-Length: 1677 Content-Type: text/html Date: Wed, 23 Mar 2022 13:57:54 GMT
Mar 23, 2022 14:57:54.892514944 CET	6570	IN	Data Raw: 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 35 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 Data Ascii: <!doctype html5><html> <head> <style type="text/css"> strong { font-weight: bold; } hr { -moz-box-sizing: content-box; box-sizing: content-box; height: 0; } html { font-family: sans-serif; -ms-
Mar 23, 2022 14:57:54.892544031 CET	6570	IN	Data Raw: 72 6f 6e 67 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6c 6f 63 61 6c 68 6f 73 74 3a 38 30 38 30 22 3e 6c 6f 63 61 6c 68 6f 73 74 3a 38 30 38 30 3c 2f 61 3e 3c 2f 73 74 72 6f 6e 67 3e 20 61 6e 64 20 74 68 61 74 20 69 74 20 69 73 20 61 20 Data Ascii: rong><a href="http://localhost:8080">localhost:8080</a></strong> and that it is a valid address.</p><p> The error encountered was: <strong style="color: #9E2929">dial tcp [::1]:8080: connectex: No connection could be made because the tar
Mar 23, 2022 14:58:03.607213020 CET	7203	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 54ea-20-124-134-110.ngrok.io Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Mar 23, 2022 14:58:03.757137060 CET	7203	IN	HTTP/1.1 100 Continue
Mar 23, 2022 14:58:03.757601023 CET	7203	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnect xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Mar 23, 2022 14:58:05.074214935 CET	7203	IN	HTTP/1.1 502 Bad Gateway Content-Length: 1677 Content-Type: text/html Date: Wed, 23 Mar 2022 13:58:04 GMT
Mar 23, 2022 14:58:05.074244976 CET	7205	IN	Data Raw: 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 35 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 Data Ascii: <!doctype html5><html> <head> <style type="text/css"> strong { font-weight: bold; } hr { -moz-box-sizing: content-box; box-sizing: content-box; height: 0; } html { font-family: sans-serif; -ms-
Mar 23, 2022 14:58:05.074258089 CET	7205	IN	Data Raw: 72 6f 6e 67 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6c 6f 63 61 6c 68 6f 73 74 3a 38 30 38 30 22 3e 6c 6f 63 61 6c 68 6f 73 74 3a 38 30 38 30 3c 2f 61 3e 3c 2f 73 74 72 6f 6e 67 3e 20 61 6e 64 20 74 68 61 74 20 69 74 20 69 73 20 61 20 Data Ascii: rong><a href="http://localhost:8080">localhost:8080</a></strong> and that it is a valid address.</p><p> The error encountered was: <strong style="color: #9E2929">dial tcp [::1]:8080: connectex: No connection could be made because the tar
Mar 23, 2022 14:58:10.086709023 CET	7212	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 54ea-20-124-134-110.ngrok.io Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Mar 23, 2022 14:58:10.236038923 CET	7212	IN	HTTP/1.1 100 Continue
Mar 23, 2022 14:58:10.236499071 CET	7213	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnect xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Mar 23, 2022 14:58:11.552788019 CET	7213	IN	HTTP/1.1 502 Bad Gateway Content-Length: 1677 Content-Type: text/html Date: Wed, 23 Mar 2022 13:58:11 GMT
Mar 23, 2022 14:58:11.552824020 CET	7214	IN	Data Raw: 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 35 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 Data Ascii: <!doctype html5><html> <head> <style type="text/css"> strong { font-weight: bold; } hr { -moz-box-sizing: content-box; box-sizing: content-box; height: 0; } html { font-family: sans-serif; -ms-
Mar 23, 2022 14:58:11.552841902 CET	7214	IN	Data Raw: 72 6f 6e 67 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6c 6f 63 61 6c 68 6f 73 74 3a 38 30 38 30 22 3e 6c 6f 63 61 6c 68 6f 73 74 3a 38 30 38 30 3c 2f 61 3e 3c 2f 73 74 72 6f 6e 67 3e 20 61 6e 64 20 74 68 61 74 20 69 74 20 69 73 20 61 20 Data Ascii: rong><a href="http://localhost:8080">localhost:8080</a></strong> and that it is a valid address.</p><p> The error encountered was: <strong style="color: #9E2929">dial tcp [::1]:8080: connectex: No connection could be made because the tar
Mar 23, 2022 14:58:16.717583895 CET	7215	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 54ea-20-124-134-110.ngrok.io Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Mar 23, 2022 14:58:16.866950035 CET	7215	IN	HTTP/1.1 100 Continue
Mar 23, 2022 14:58:16.911957979 CET	7215	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnect xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Mar 23, 2022 14:58:18.187202930 CET	7215	IN	HTTP/1.1 502 Bad Gateway Content-Length: 1677 Content-Type: text/html Date: Wed, 23 Mar 2022 13:58:18 GMT
Mar 23, 2022 14:58:18.187236071 CET	7217	IN	Data Raw: 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 35 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 Data Ascii: <!doctype html5><html> <head> <style type="text/css"> strong { font-weight: bold; } hr { -moz-box-sizing: content-box; box-sizing: content-box; height: 0; } html { font-family: sans-serif; -ms-
Mar 23, 2022 14:58:18.187248945 CET	7217	IN	Data Raw: 72 6f 6e 67 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6c 6f 63 61 6c 68 6f 73 74 3a 38 30 38 30 22 3e 6c 6f 63 61 6c 68 6f 73 74 3a 38 30 38 30 3c 2f 61 3e 3c 2f 73 74 72 6f 6e 67 3e 20 61 6e 64 20 74 68 61 74 20 69 74 20 69 73 20 61 20 Data Ascii: rong><a href="http://localhost:8080">localhost:8080</a></strong> and that it is a valid address.</p><p> The error encountered was: <strong style="color: #9E2929">dial tcp [::1]:8080: connectex: No connection could be made because the tar
Mar 23, 2022 14:58:24.097490072 CET	7224	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 54ea-20-124-134-110.ngrok.io Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Mar 23, 2022 14:58:24.248451948 CET	7224	IN	HTTP/1.1 100 Continue
Mar 23, 2022 14:58:24.249300003 CET	7224	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnect xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Mar 23, 2022 14:58:25.565027952 CET	7224	IN	HTTP/1.1 502 Bad Gateway Content-Length: 1677 Content-Type: text/html Date: Wed, 23 Mar 2022 13:58:25 GMT
Mar 23, 2022 14:58:25.565056086 CET	7226	IN	Data Raw: 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 35 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 Data Ascii: <!doctype html5><html> <head> <style type="text/css"> strong { font-weight: bold; } hr { -moz-box-sizing: content-box; box-sizing: content-box; height: 0; } html { font-family: sans-serif; -ms-
Mar 23, 2022 14:58:25.565069914 CET	7226	IN	Data Raw: 72 6f 6e 67 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6c 6f 63 61 6c 68 6f 73 74 3a 38 30 38 30 22 3e 6c 6f 63 61 6c 68 6f 73 74 3a 38 30 38 30 3c 2f 61 3e 3c 2f 73 74 72 6f 6e 67 3e 20 61 6e 64 20 74 68 61 74 20 69 74 20 69 73 20 61 20 Data Ascii: rong><a href="http://localhost:8080">localhost:8080</a></strong> and that it is a valid address.</p><p> The error encountered was: <strong style="color: #9E2929">dial tcp [::1]:8080: connectex: No connection could be made because the tar
Mar 23, 2022 14:58:30.578756094 CET	7233	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 54ea-20-124-134-110.ngrok.io Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Mar 23, 2022 14:58:30.728236914 CET	7233	IN	HTTP/1.1 100 Continue
Mar 23, 2022 14:58:30.728679895 CET	7233	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnect xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Mar 23, 2022 14:58:32.044815063 CET	7234	IN	HTTP/1.1 502 Bad Gateway Content-Length: 1677 Content-Type: text/html Date: Wed, 23 Mar 2022 13:58:31 GMT
Mar 23, 2022 14:58:37.062261105 CET	7236	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 54ea-20-124-134-110.ngrok.io Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Mar 23, 2022 14:58:37.213479996 CET	7236	IN	HTTP/1.1 100 Continue
Mar 23, 2022 14:58:37.213898897 CET	7236	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnect xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Mar 23, 2022 14:58:38.532414913 CET	7236	IN	HTTP/1.1 502 Bad Gateway Content-Length: 1677 Content-Type: text/html Date: Wed, 23 Mar 2022 13:58:38 GMT
Mar 23, 2022 14:58:43.547168016 CET	7245	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 54ea-20-124-134-110.ngrok.io Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Mar 23, 2022 14:58:43.696639061 CET	7245	IN	HTTP/1.1 100 Continue
Mar 23, 2022 14:58:43.697036982 CET	7245	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnect xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Mar 23, 2022 14:58:45.012464046 CET	7245	IN	HTTP/1.1 502 Bad Gateway Content-Length: 1677 Content-Type: text/html Date: Wed, 23 Mar 2022 13:58:44 GMT
Mar 23, 2022 14:58:50.032310963 CET	7249	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 54ea-20-124-134-110.ngrok.io Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Mar 23, 2022 14:58:50.181790113 CET	7249	IN	HTTP/1.1 100 Continue
Mar 23, 2022 14:58:50.263561964 CET	7249	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnect xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Mar 23, 2022 14:58:51.502727985 CET	7250	IN	HTTP/1.1 502 Bad Gateway Content-Length: 1677 Content-Type: text/html Date: Wed, 23 Mar 2022 13:58:51 GMT
Mar 23, 2022 14:58:56.517169952 CET	7252	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 54ea-20-124-134-110.ngrok.io Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Mar 23, 2022 14:58:56.667829990 CET	7252	IN	HTTP/1.1 100 Continue
Mar 23, 2022 14:58:56.668188095 CET	7252	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnect xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Mar 23, 2022 14:58:57.984390974 CET	7252	IN	HTTP/1.1 502 Bad Gateway Content-Length: 1677 Content-Type: text/html Date: Wed, 23 Mar 2022 13:58:57 GMT
Mar 23, 2022 14:59:03.002013922 CET	7261	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 54ea-20-124-134-110.ngrok.io Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Mar 23, 2022 14:59:03.152137995 CET	7262	IN	HTTP/1.1 100 Continue
Mar 23, 2022 14:59:04.469626904 CET	7262	IN	HTTP/1.1 502 Bad Gateway Content-Length: 1677 Content-Type: text/html Date: Wed, 23 Mar 2022 13:59:04 GMT
Mar 23, 2022 14:59:09.486396074 CET	7265	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 54ea-20-124-134-110.ngrok.io Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Mar 23, 2022 14:59:09.635858059 CET	7269	IN	HTTP/1.1 100 Continue
Mar 23, 2022 14:59:10.953403950 CET	7306	IN	HTTP/1.1 502 Bad Gateway Content-Length: 1677 Content-Type: text/html Date: Wed, 23 Mar 2022 13:59:10 GMT

Target ID:	0
Start time:	14:57:01
Start date:	23/03/2022
Path:	C:\Users\user\Desktop\EjNEMp1NTE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EjNEMp1NTE.exe"
Imagebase:	0xa40000
File size:	97797 bytes
MD5 hash:	C32236E62A5F3E063AB9A58DACAE12DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.414194654.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.414194654.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.681750043.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.681750043.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	14:57:02
Start date:	23/03/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	0

Executed Functions

Function 0108DE10 Relevance: 2.2, Strings: 1, Instructions: 938
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

m0Q, xrefs: 0108E009

Memory Dump Source

Source File: 00000000.00000002.682281301.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID: m0Q
API String ID: 0-3834743095
Opcode ID: 074eafd02d5ba931c8351f30ae3943353cfcac9040b4dd15fe99d2e4468cd578
Instruction ID: 007f064ed597e6be0787b415a7c80c9fc2c6515d44bd9b9a019e6a6c81b8583a
Opcode Fuzzy Hash: 074eafd02d5ba931c8351f30ae3943353cfcac9040b4dd15fe99d2e4468cd578
Instruction Fuzzy Hash: 55823C34B402148FCB54EF64D898BADB7F2BF88310F5089A9E58A9B395DB349D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02E568F8 Relevance: 1.2, Instructions: 1232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8fb42672b04e73448dbecbe7f4c99697a7c9249e70d058096269308caf81320
Instruction ID: 686b808eb757b4205929f9bb97ba3b3ae963ca8d056d5503ec636f5c8f41f864
Opcode Fuzzy Hash: d8fb42672b04e73448dbecbe7f4c99697a7c9249e70d058096269308caf81320
Instruction Fuzzy Hash: E292DF34B502108FCB15ABB4D4687BE76E7AFC8218B64897EE846DB385DF74CC428791

Uniqueness

Uniqueness Score: -1.00%

Function 02E5BE80 Relevance: .6, Instructions: 602
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9502dcc326f273f3bdc2ca6d66dabd9b452fc90a71b860a8f73e69f7253623d7
Instruction ID: 54ef921da69e8dbf99f4cab9765b25ee8f3b161848c75e7f6db9d124defa51f9
Opcode Fuzzy Hash: 9502dcc326f273f3bdc2ca6d66dabd9b452fc90a71b860a8f73e69f7253623d7
Instruction Fuzzy Hash: 2D22DD34B402509FC715EB74D865BAEBBE6AF85214F24C8AAE846CB385DF34DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E521D8 Relevance: .4, Instructions: 354
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86edbdf0db09c5d483da157c427bc86518ffd43a3937d1e66af73d4670fe7e6
Instruction ID: 327181fb6333074d63e5bc5c011da0e5a828496c2ccf2eb2215fd811ada7dc04
Opcode Fuzzy Hash: b86edbdf0db09c5d483da157c427bc86518ffd43a3937d1e66af73d4670fe7e6
Instruction Fuzzy Hash: EAC1D135B00244DFCB05DFB4D854AAEBBB6EF89214B14C4AADA09DB365DB35CC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02E51D98 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebad3ba047ba04385c1c3f93369333520141bf77fdf848a09877ed9f675e71cf
Instruction ID: ea49dabd414def49fc0de327766e054513f01b6a326a4b53fb83a2cc908d3f06
Opcode Fuzzy Hash: ebad3ba047ba04385c1c3f93369333520141bf77fdf848a09877ed9f675e71cf
Instruction Fuzzy Hash: C0D19D34B802158FCB18DF69D594AAEB7F2FF88214B54D468E80ADB351DB35EC82CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010808E0 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 01080947

Memory Dump Source

Source File: 00000000.00000002.682281301.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_EjNEMp1NTE.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 4473da0bec35ee8a1a0a4b7b98c136e1d5dca0640982def52edb1402394c2c93
Instruction ID: db07a0e306f1bd927e9d6e36f912e096da2c34b2a0a47e999f864492c6e5a1e9
Opcode Fuzzy Hash: 4473da0bec35ee8a1a0a4b7b98c136e1d5dca0640982def52edb1402394c2c93
Instruction Fuzzy Hash: C1116D719043088FCB10DFAAD8547EFBBF8EF49224F14881ED099A7240C7359945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010808E8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 01080947

Memory Dump Source

Source File: 00000000.00000002.682281301.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_EjNEMp1NTE.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: c719757c756a019bdeeb8ce12e3c80488c600f7d129ff851ccc2c9be70665e7a
Instruction ID: be9b8c7e586327b2c4f6bb74c473232e250a4b922470ef77531251ad688b5aaf
Opcode Fuzzy Hash: c719757c756a019bdeeb8ce12e3c80488c600f7d129ff851ccc2c9be70665e7a
Instruction Fuzzy Hash: D9114871D043098FDB20DFAAD444BEFBBF9AF48224F14882EC599A7240C739A944CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E58170 Relevance: 1.5, Strings: 1, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{kLk^, xrefs: 02E58445, 02E5844A

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID: {kLk^
API String ID: 0-1589955745
Opcode ID: beb88d295a6031f9d61a15de6b7b6e274bdf8801d55623adfb9ec72705c7d3d2
Instruction ID: 57c7b92c20f15efe31c3b30aefde7a6c11e5e0e1c6ad6ba43348f8ce043fb2d9
Opcode Fuzzy Hash: beb88d295a6031f9d61a15de6b7b6e274bdf8801d55623adfb9ec72705c7d3d2
Instruction Fuzzy Hash: 1581E134F401559FCB14EBB8D4217AEB7B2EF85318F2089A9C949EB388DB34DD418B91

Uniqueness

Uniqueness Score: -1.00%

Function 02E567DD Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

\, xrefs: 02E568B1

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: fe80cc807f0391c9af7ade399d0e9072f4c47b4b0d1a4ef47592abbb17151f63
Instruction ID: 038fe8c67c282187808c690b62a849f06d71a88387612cd3d81cac7f43abba93
Opcode Fuzzy Hash: fe80cc807f0391c9af7ade399d0e9072f4c47b4b0d1a4ef47592abbb17151f63
Instruction Fuzzy Hash: 29616B32A082448FCB05EBB8D8A67DD7F76EF55318F18896BC446DB3E2CB3488418B51

Uniqueness

Uniqueness Score: -1.00%

Function 02E5D3C8 Relevance: .4, Instructions: 421
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed7419f7e461d499e5f8803aff815a6bba91adc89c21a1b876333c38e6a7ccd
Instruction ID: d29fcc60f973a8310adc53126ab825bc44c62ef4b5d953a562d30df0966e4511
Opcode Fuzzy Hash: 4ed7419f7e461d499e5f8803aff815a6bba91adc89c21a1b876333c38e6a7ccd
Instruction Fuzzy Hash: EFE11434B402549FCB15AB78D8587AE7BE2AF85218F24C9BAD805DB385DF34CC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E5CDD3 Relevance: .4, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f479f3b1e9b3a586428b7fc6c1942d137340c97aba716af7ee094b85d7cf366c
Instruction ID: c28a55c06ad484e93cfe925297d2ddfc50e26cb9615169fdd46484a39cc47799
Opcode Fuzzy Hash: f479f3b1e9b3a586428b7fc6c1942d137340c97aba716af7ee094b85d7cf366c
Instruction Fuzzy Hash: 25E12B34A50215CFDB14DFA4D498AADBBF2EF45314F20D969E806AF3A4CB359C86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E5F150 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16ea077c0858e224c128568b5a425adddd5d32d19742d176f6eaf1458de222a
Instruction ID: 395caed4e4610c35467dd01e18e8e9351422cd4a8c9d9af7a2018efd91a08878
Opcode Fuzzy Hash: c16ea077c0858e224c128568b5a425adddd5d32d19742d176f6eaf1458de222a
Instruction Fuzzy Hash: 82A1F335B642218FDB28DF68D490BA9B7E6FF86228B15D469DC49CBB51CB35DC40CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02E5CC00 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b80674da5ab0fd621d7686c158ccb8b6486e14cef735cd95fec6d0325b6fe9
Instruction ID: a91e73355297ce989d5186dec40be957c5d6c0830205f03a3d17d856676959cc
Opcode Fuzzy Hash: 84b80674da5ab0fd621d7686c158ccb8b6486e14cef735cd95fec6d0325b6fe9
Instruction Fuzzy Hash: 99814974A51219CFDB14DFA8D498BADBBF1BF48304F24946AE806EB398DB349841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E5A370 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc548565a5b3c06efb263a9af67242784df8fcd0b33e37b076d893cbffa86a4d
Instruction ID: 232430371722c92512e8fe4d91cc2707e12491761361b5064f8862a4d4270dc2
Opcode Fuzzy Hash: bc548565a5b3c06efb263a9af67242784df8fcd0b33e37b076d893cbffa86a4d
Instruction Fuzzy Hash: F04126367582A08FC715DB69D45476ABBB5EF85228718C6BBDC08CB341DB31DC41C790

Uniqueness

Uniqueness Score: -1.00%

Function 02E53930 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 433aa92a8bf88763dc9ff4de1271003c71ac398273242b291b5a5e9dea595e7a
Instruction ID: 5126ef83402e36adf552f4230ae5181a353d6f5fd5fdecf7375b94cacfbdeafc
Opcode Fuzzy Hash: 433aa92a8bf88763dc9ff4de1271003c71ac398273242b291b5a5e9dea595e7a
Instruction Fuzzy Hash: 2B414630B043458FDB04DB75D8906EEBBA2EF81254F14C9AAD8458B391DF32DC0ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 02E5A900 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07744ce7944374b8fb70b69131f9517bd10548b04d7196a81e4460a1af7ea76
Instruction ID: f9fff1c8c709c2e3dbb72e799bcfed6fa6abd5f114f7ea777922b503beb78f3c
Opcode Fuzzy Hash: f07744ce7944374b8fb70b69131f9517bd10548b04d7196a81e4460a1af7ea76
Instruction Fuzzy Hash: 6B5178347015118FCB25DF24E99856EBBF6EF88201B148569F886CB399DF38DD02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E5CBF0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5072cae3c601ee8b45f888edd45863f8c9721a86c44444354abfbaccfa21c938
Instruction ID: a8dceee598a5d2b0e491094c4bc5b0555c368d9d2fd940b09859fd22f5442fa8
Opcode Fuzzy Hash: 5072cae3c601ee8b45f888edd45863f8c9721a86c44444354abfbaccfa21c938
Instruction Fuzzy Hash: 5D516D74A11315CFCB14DFA4D4A86ADBBF6FF88304F14A469E846AB359CB359C41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02E5ED70 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd034a89ad807df294cf21e5d87bf4c9d1c80f3c11116d2f4612fff9646c1cb4
Instruction ID: 7b17919ab7f38aea75da51b0d61722f1f7172071d847fb5756e28609ed2819c0
Opcode Fuzzy Hash: fd034a89ad807df294cf21e5d87bf4c9d1c80f3c11116d2f4612fff9646c1cb4
Instruction Fuzzy Hash: D341AE34A10215CFCB14DF64D898AAEBBF6FF88310B548958E8069B394DF71ED41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E55DF0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48fe8d77d1527da477a6457dc01380c7eda7774b6cf3a197c40b90572b75fa25
Instruction ID: 9c6aaaa611574a2728be941e34172bb4c04897860dd071216876bb96fbe875c9
Opcode Fuzzy Hash: 48fe8d77d1527da477a6457dc01380c7eda7774b6cf3a197c40b90572b75fa25
Instruction Fuzzy Hash: BE413630B002508FC714EB78E4097AE7BE6EF89314F148969E84ACB384DF709C02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E55F80 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24cb09384405005a2046ca9dbdd4573eab9575c43ae922c4765383e73d968108
Instruction ID: e3e42a8967da922c20dd103978843d4bd23464f705b0ae5fae57ea27111b3a69
Opcode Fuzzy Hash: 24cb09384405005a2046ca9dbdd4573eab9575c43ae922c4765383e73d968108
Instruction Fuzzy Hash: 6C41F234F402909FDB14ABB4D4197AE77E2AF85214F6089AAD846DB7C5DF30CC45C792

Uniqueness

Uniqueness Score: -1.00%

Function 02E58C70 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882976978f857379aec179aa827f70dfc1885a5a55e7bb239015273c78911449
Instruction ID: 4062774be06d555b342e31413e5c20a00e533de7a03f8f2aff75f6e83d626adb
Opcode Fuzzy Hash: 882976978f857379aec179aa827f70dfc1885a5a55e7bb239015273c78911449
Instruction Fuzzy Hash: 5A3166317422204BC724E779D459AAD77EAEFC522975489BDE80ACB344DF31DC42C790

Uniqueness

Uniqueness Score: -1.00%

Function 02E5EF28 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec3f3c35b7cbd3b5e65db8f851b1271e9c497a45dee516c05cd5496652a55c3b
Instruction ID: 9d100b5180437eff26ca08bdf370cb1a62217d70a8bc49e305dc3d66d6903fa7
Opcode Fuzzy Hash: ec3f3c35b7cbd3b5e65db8f851b1271e9c497a45dee516c05cd5496652a55c3b
Instruction Fuzzy Hash: 04419C35B202258FCB04DFA6D9999AEBBB6FF84204B14C069E805DB794DF30DD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E55577 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536ad1c7d615477433e825fc073de5628b9a7a09ee6d692915ef97a283577fc0
Instruction ID: 5818f954d7a8301d38f1bccc83e8ecf3a2bd975bc10a42ddb928253212ecf9c7
Opcode Fuzzy Hash: 536ad1c7d615477433e825fc073de5628b9a7a09ee6d692915ef97a283577fc0
Instruction Fuzzy Hash: B8412934A40144CFDB04EBA8C958BADBBF2FF48304F258569E506AB375DB74AD41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02E59E08 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2494c8a7468cabfce87d252680a70ee03b970d183c9a391108e9fdfe3d7b98d6
Instruction ID: da573eff080d7ca463eb76ef1a6a8f723740ef19dbf26a12daeab79352ba8c95
Opcode Fuzzy Hash: 2494c8a7468cabfce87d252680a70ee03b970d183c9a391108e9fdfe3d7b98d6
Instruction Fuzzy Hash: 0131E0347003119BCB24AB76E0547AA37E6AF84229F148E7EE84ACB385DF75DC4687C0

Uniqueness

Uniqueness Score: -1.00%

Function 02E589E0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2433d03ced2bb149e66b4bb668cddbc164140e490d62f12842ae20c298c85fd
Instruction ID: 4c4469288d6d6389bbf3765ae878d5ea16e8980865b9b9e9e678240c58807529
Opcode Fuzzy Hash: a2433d03ced2bb149e66b4bb668cddbc164140e490d62f12842ae20c298c85fd
Instruction Fuzzy Hash: 50312E36745250CFC715DB74E0945B5FBE2FF8522532486AAE54AC7746C731EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02E5ABB1 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15930a69aa2faf44009e9a4cf278fcd9f1224396d4a6a8207b86d51f36f235af
Instruction ID: 208319f7ff1823a24d491bf6bd31bb4944bf6a64ecb82a3c8340aa95af66435f
Opcode Fuzzy Hash: 15930a69aa2faf44009e9a4cf278fcd9f1224396d4a6a8207b86d51f36f235af
Instruction Fuzzy Hash: 8B317E307111118FCB24EF25E999AAE7BFAEF89205B2441A8E842E73A4DF75DC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E57528 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6497cc96d6edc27e9c23ff44a890de8c865ef95070966546642e18a5e981d5b
Instruction ID: f0671b814d9d88bbcafdf989e91ad6c426098713e2fcfbe4f0501bd5669779ce
Opcode Fuzzy Hash: f6497cc96d6edc27e9c23ff44a890de8c865ef95070966546642e18a5e981d5b
Instruction Fuzzy Hash: 332134703112628FDB20DF75D89867EBBBABF843047008468E946CB354CB74DC14CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E5ABC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2df12e9c500e4c32818f5c3fe6be3f437cb4fe5c0353872f5991262204b1fa9
Instruction ID: a815d472ce0e01a3c97ac40e47ff04e62e5930e6f9549ce99d7903babf23a802
Opcode Fuzzy Hash: b2df12e9c500e4c32818f5c3fe6be3f437cb4fe5c0353872f5991262204b1fa9
Instruction Fuzzy Hash: 71216D347112158FCB24EF25E558AAE7BFAAF89305B1441A8E842EB3A4DF35DD01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E584D0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f211183d0ad477056e48c1943d5ac82108d4b8e4cf5f2727712e24334d8acd
Instruction ID: 0f0e6334a94edc92aa4430ac4ec186385eab03f87f3c0d3df72162be00872ec3
Opcode Fuzzy Hash: 54f211183d0ad477056e48c1943d5ac82108d4b8e4cf5f2727712e24334d8acd
Instruction Fuzzy Hash: A221E422A193A08FD702D77099627A83FB19F02554F0942D7D845DF2D3D7248A4DCB52

Uniqueness

Uniqueness Score: -1.00%

Function 0101D5E0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682031296.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_101d000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153a1344bf3390d9a4ff5f78f38ef2106f701c9466d4d032dad637db40ae6483
Instruction ID: 268585c7cb8d6a1b05a663e5d91ddf6110a7fa3cf57b976ab33f51209af5d023
Opcode Fuzzy Hash: 153a1344bf3390d9a4ff5f78f38ef2106f701c9466d4d032dad637db40ae6483
Instruction Fuzzy Hash: 3B2128B1504344DFDB05DF94D9C8F6ABFA5FB8C314F2489A9E8490B24AC33AD855C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0101D4F4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682031296.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_101d000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82924f2554bf944bbceefdd6f08b74fc5d217f6b66d4617346e84090021d1313
Instruction ID: 5b595216ff5841aca38fddd7687432549a6469daa53778021e83f5754e0cf419
Opcode Fuzzy Hash: 82924f2554bf944bbceefdd6f08b74fc5d217f6b66d4617346e84090021d1313
Instruction Fuzzy Hash: A8210A71504244DFDF05DF94D8C8F6ABFA5FB88328F2485ADE9450B24AC33AD455C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02E5F141 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e959fc4eefef518e766aa66d614cd86d2ad6f50451d8956bc6c7041a2a8c9f
Instruction ID: a67e5dfc4dbbd9bd14d205e0b0c6554146600c5734ccb1dca751a83c289aec8e
Opcode Fuzzy Hash: 99e959fc4eefef518e766aa66d614cd86d2ad6f50451d8956bc6c7041a2a8c9f
Instruction Fuzzy Hash: 35218035A152209FC714CF5DC580A99BBE5FF99220B19C0AAEC48DB322C771ED00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E58520 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cbf511f7d9fca1aea504055a0c5967c0e04b0bffb5cff084cda0ef74e28d3ca
Instruction ID: 8da0cb75e5e15955151399ca6f3e5acb8a4955147f0a44f8e4df3d8da3e022a9
Opcode Fuzzy Hash: 8cbf511f7d9fca1aea504055a0c5967c0e04b0bffb5cff084cda0ef74e28d3ca
Instruction Fuzzy Hash: 0B21D531F50234DBCF10DBA5A9457EE77E2EF40654F1082A6E909D7284DB30DA54CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02E53850 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70f4541039e8849f07211c09686ddcd9d302276b0fe44e704cac2311528100f
Instruction ID: 1394d02bc7ccca1783a2a3bf0d6e1b07b8a10d4df2e750f1b0736a076d3275fa
Opcode Fuzzy Hash: d70f4541039e8849f07211c09686ddcd9d302276b0fe44e704cac2311528100f
Instruction Fuzzy Hash: 2B21D134E042849FC719EB74D86979DBBB2AF46310B1489EAD44ACB785CF38DC06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02E5F068 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12724694d0e448ee0cae8e01c8b3696674f418c4f0a6e26d90a81e5d6ad21ee4
Instruction ID: 68294b3799ed33391aabf157f1887ce84e74acb41d447145ebc926fea76470b1
Opcode Fuzzy Hash: 12724694d0e448ee0cae8e01c8b3696674f418c4f0a6e26d90a81e5d6ad21ee4
Instruction Fuzzy Hash: F721F675B002015BC704E7A5D8A1AEEB7FAEFC4210F90852CD505AB344DF71AD0587E5

Uniqueness

Uniqueness Score: -1.00%

Function 02E5C6D0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a9e2fde36842de519658eb62c76e4832673676d514d9ea76038b4d0c673575
Instruction ID: 2bf1df290d51921a5e4d1c1c42bef18791da5484603c1152a56b0422bed0707e
Opcode Fuzzy Hash: c5a9e2fde36842de519658eb62c76e4832673676d514d9ea76038b4d0c673575
Instruction Fuzzy Hash: 51110432B002259F8715A7B9E4549AE7BEAEFC8268314897EE84DD7700DF32DC0287D0

Uniqueness

Uniqueness Score: -1.00%

Function 02E5F078 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b4539e45de3c8e4e0b60e29cbbf44b8e8f60f334c0598f209f1ea666135c64
Instruction ID: dc48de0d230c242340fbb41833b1306de254680712fe721afdbd066a8b1b4ff8
Opcode Fuzzy Hash: 63b4539e45de3c8e4e0b60e29cbbf44b8e8f60f334c0598f209f1ea666135c64
Instruction Fuzzy Hash: E911E474B002015BCB08EBA5D4A0AFEB7FAEFC4264F90852CE605AB344DF71AD0587E1

Uniqueness

Uniqueness Score: -1.00%

Function 02E57CB0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e60c04b85701bdd1b56b5b0d0c1f356f30140d058d68c935a6eba33a37f428a
Instruction ID: 5f277268d069cc0ba4331ac22061be3b29fefe34f31fb3f9db166a521dabe09b
Opcode Fuzzy Hash: 7e60c04b85701bdd1b56b5b0d0c1f356f30140d058d68c935a6eba33a37f428a
Instruction Fuzzy Hash: 371191303115108FC708AB25D56856DB7E6FF862157D05928E4068BB91CF35EC56CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0101D5DB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682031296.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_101d000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89cab565afb9096415ec76201e3a3567f3b82aa6e5430c9b10a616fa3bee2fd6
Instruction ID: 012710bc85fb6892200ec14018fe9da64d807d4a67c5fc9082908224b7c0ec33
Opcode Fuzzy Hash: 89cab565afb9096415ec76201e3a3567f3b82aa6e5430c9b10a616fa3bee2fd6
Instruction Fuzzy Hash: 4611B476504280CFCB16CF54D5C4B16BFB1FB88324F24C5A9D8484B65BC33AD456CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0101D4EF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682031296.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_101d000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89cab565afb9096415ec76201e3a3567f3b82aa6e5430c9b10a616fa3bee2fd6
Instruction ID: 6fc81d9a1acc624014c0f53ea2f46e82f1979fa0eee5f1fa376c128b64870e8b
Opcode Fuzzy Hash: 89cab565afb9096415ec76201e3a3567f3b82aa6e5430c9b10a616fa3bee2fd6
Instruction Fuzzy Hash: DC11D676404280CFCF16CF54D5C4B16BFB1FB84324F24C6A9D8450B65AC33AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E54E18 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca3b9815f23d8ee548fcd9fb32a9b5579bd8f311acbd5d9dafd91abc1c4659f8
Instruction ID: 7326b130625682d8bbc59f4b207afd194a034e4a9c82a866fe09cfa54dd3ff3e
Opcode Fuzzy Hash: ca3b9815f23d8ee548fcd9fb32a9b5579bd8f311acbd5d9dafd91abc1c4659f8
Instruction Fuzzy Hash: B811B631E502288FCF18DFA9D4156DEBBF1AF89704F00856AD402B7290DF705988CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E54BE9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71eefb995ccaa8c3baf138731e400e2b96ac85fc4ce01aa8dbe498b824f0d720
Instruction ID: bacf3930853d06042dfd2d9c82b8dc99beedfd900fb5272347e2a4340df9604c
Opcode Fuzzy Hash: 71eefb995ccaa8c3baf138731e400e2b96ac85fc4ce01aa8dbe498b824f0d720
Instruction Fuzzy Hash: 4E118134605254CFD719CF68C4A4AEA7FF1EF8A314F1484A9D9529B3A2CB749841CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02E53371 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c34803e3af28c534de9652c231da58c3bbd3567916c8a7d8bd36484506cd185
Instruction ID: 37398f2064be266eee9185eefdebfa07988459965b0f7a6c1ea3b63d70f44318
Opcode Fuzzy Hash: 4c34803e3af28c534de9652c231da58c3bbd3567916c8a7d8bd36484506cd185
Instruction Fuzzy Hash: 0301D6313082514FC319EB59E4604DDBB97EFC6264354CFACD0A98F658DF36AD0687A2

Uniqueness

Uniqueness Score: -1.00%

Function 02E5CB58 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01b77f9996f1c4866142b89c07dbd373171250b1651c598285701d8781d63e9
Instruction ID: f3490c94d0a17d6ab53e25a4f7dc195c9b762e9c604781e080b53a2060be0c5a
Opcode Fuzzy Hash: f01b77f9996f1c4866142b89c07dbd373171250b1651c598285701d8781d63e9
Instruction Fuzzy Hash: 21111571250714CFDB25CF66E859A967BA5FF85365B10D86EF84A8F390CB32E840CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02E5D3B8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fcb525028a0ca975e65f4f55a731c399ada0d5db95fc61747bb9ee61c4b17de
Instruction ID: 108927fa4b184be27a605b7e165b9730cbe7b22414dc37e05151740224273c78
Opcode Fuzzy Hash: 1fcb525028a0ca975e65f4f55a731c399ada0d5db95fc61747bb9ee61c4b17de
Instruction Fuzzy Hash: A60121317013105BC3159A3AE894B67BBA6EFC1268B24943DE90A8B701CF32EC8AC350

Uniqueness

Uniqueness Score: -1.00%

Function 02E5AB28 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb4007408ddcb19b78b75d7ef03f3c7d5d9b5caa4988b02ad8ebee035461cb6
Instruction ID: 64001081eac6bb79852174d091764ea35a0decf1ca14aba8267f36ff0da72da4
Opcode Fuzzy Hash: afb4007408ddcb19b78b75d7ef03f3c7d5d9b5caa4988b02ad8ebee035461cb6
Instruction Fuzzy Hash: 3601B170619285CFC745EF74D4696A9BBF6EF46209B2889BED845C7381EF31C801CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02E58ADB Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18561886c43be8e688507d2d1a673034962eb3664fae23021f1b2576fc24a022
Instruction ID: 5956f1173ec4f73b204e4864e2248118e47798fedc72a748705c43088f8e5b4e
Opcode Fuzzy Hash: 18561886c43be8e688507d2d1a673034962eb3664fae23021f1b2576fc24a022
Instruction Fuzzy Hash: DC0124347497A08FC345AB39D0182A97BE9AF8A2153148EFAD889C7751CB34CC06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02E599A8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152c812de417bfb4548e3ad0e3f7a753485b2af0795c4d5d4a56dbb659ddec43
Instruction ID: 8e0622c0421464aa798fe582baca3942b5959e61135960db18315a4d4fb08aa0
Opcode Fuzzy Hash: 152c812de417bfb4548e3ad0e3f7a753485b2af0795c4d5d4a56dbb659ddec43
Instruction Fuzzy Hash: 92018639710114AFD7049B59E899F7E7BEEEFC8660B558019F90ADB380DFB09D018794

Uniqueness

Uniqueness Score: -1.00%

Function 02E5A090 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a68746c052d4af51ad4d1c05468a5833881e22d61a36202093ff102d6e10eb
Instruction ID: 09fed574c44fb4ad49c3dbcae2e7b6c7e924bd7a981947dae839924e037e9aa9
Opcode Fuzzy Hash: b9a68746c052d4af51ad4d1c05468a5833881e22d61a36202093ff102d6e10eb
Instruction Fuzzy Hash: E401D635B101248F8B149BB9E8089DEBBF9EFC8215700817AE90AD7340EF70ED048BD1

Uniqueness

Uniqueness Score: -1.00%

Function 02E5CADF Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d705f45af4e8fb21a9694101ac5a1c99a95ad29be687ba49fa255e90bdf1681
Instruction ID: 09d8f66c704e830d97e10d2ba4a47b462065c5e0f167b7ac51dacf2489fb2898
Opcode Fuzzy Hash: 9d705f45af4e8fb21a9694101ac5a1c99a95ad29be687ba49fa255e90bdf1681
Instruction Fuzzy Hash: 13016272E10118AFCB11DB999C19BEFBBFAEFC8211F04C426E518E7240D77055058B90

Uniqueness

Uniqueness Score: -1.00%

Function 02E5FDC7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d71543261ac0d70dca3704834211da0d969dbcffd5b0c2913923c46ccf0b08
Instruction ID: 7f5df5c81ad2b3c3f8530845c7ac11f5210124d30e5843ec587b9c3d4fc3d542
Opcode Fuzzy Hash: 10d71543261ac0d70dca3704834211da0d969dbcffd5b0c2913923c46ccf0b08
Instruction Fuzzy Hash: 15112A30A10119CFDB24DF65E958BEE77BABF49305F10C028E846B7695CB759804CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02E53EC0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437a5fbf718e2c39b10dfe9be7afb3a18b11c6f6c745d0303d447991cebce0e7
Instruction ID: 5493aa7621ab2d3096c0b44802369ce6549fb29298142c5fb67ba0508d0fd440
Opcode Fuzzy Hash: 437a5fbf718e2c39b10dfe9be7afb3a18b11c6f6c745d0303d447991cebce0e7
Instruction Fuzzy Hash: 38F02835B802009BDB259B66F8546FE77F7EBC0665B44886CF50687380DF3198068760

Uniqueness

Uniqueness Score: -1.00%

Function 02E58140 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b841a0aff8c2435a4f1f0a8c5edb57b3c0acd86fcfa6d4350d70719444f96528
Instruction ID: 57caf66f6e13a4288189b5cad2a9066b64c495f572d4a6b727dbcec2a925b296
Opcode Fuzzy Hash: b841a0aff8c2435a4f1f0a8c5edb57b3c0acd86fcfa6d4350d70719444f96528
Instruction Fuzzy Hash: 97F0622290E3D09FD717A67498222D93F319F0311CF1948DBC5C4CB593E719885DCB56

Uniqueness

Uniqueness Score: -1.00%

Function 02E53F40 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae39042adce9b93035084322797cc41fe9e689d25f978c7ffe518e82bc660901
Instruction ID: 555e35afbc8046555f080185fd0fdf61ac015dbbf7ff070185cff6b960e28f3a
Opcode Fuzzy Hash: ae39042adce9b93035084322797cc41fe9e689d25f978c7ffe518e82bc660901
Instruction Fuzzy Hash: 83F0BB31FD42245FD31577A2AC157FA3359D780699F1451A6E94B8B6C0CF619C41C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 02E5C8D0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fa4219922373d17ec645170c684100aad6105891c287ffbc9c54c372d3f6642
Instruction ID: 4df51b7bdd6fea563a9daf17f42b6643cfffe35b43b13ffc2b0b7836f0b4d67d
Opcode Fuzzy Hash: 8fa4219922373d17ec645170c684100aad6105891c287ffbc9c54c372d3f6642
Instruction Fuzzy Hash: B6F01236300114ABC7149A5AF888DDFBBAEFFD9276B548026F949CB350CB759C45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E570F1 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6742979be69a45f2088cfd8ffc07890219e7b2d2118fab2b87f4729ef23caf4f
Instruction ID: 30b8e38e21f4bed1849b96ae472e13a44f652d0183be8171030aed9c79b2e0b7
Opcode Fuzzy Hash: 6742979be69a45f2088cfd8ffc07890219e7b2d2118fab2b87f4729ef23caf4f
Instruction Fuzzy Hash: 83F0AF35245350CFC329AB22D400AA6B7B5EF81329B14CC6DC8DA47761C731F896CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02E5CAF0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cecde91901c175f6e26c5a11a9e062402cb3528b729f5c7e883aecb6afca85b
Instruction ID: 31224046177340c87d350c709bcdbdf6e36e070b8d6755bcc115ae69e51b340a
Opcode Fuzzy Hash: 3cecde91901c175f6e26c5a11a9e062402cb3528b729f5c7e883aecb6afca85b
Instruction Fuzzy Hash: 81F01D72E10118AFCB05DBD99C09AFFBBFAEFC8611F048026E619E7240DB705A158B90

Uniqueness

Uniqueness Score: -1.00%

Function 02E5D3A1 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739bd156c6fa55b719a8dbc1e64b66f3ea38b2694f2380304d3abf3e7f0bca2a
Instruction ID: e64e4270e4a10b05fb323f2dce2edd12207362d9dbdd9388834b1d5c3eff62a0
Opcode Fuzzy Hash: 739bd156c6fa55b719a8dbc1e64b66f3ea38b2694f2380304d3abf3e7f0bca2a
Instruction Fuzzy Hash: D6F090327403148FC705AB34E89571A73A2EF81229B249ABDD2198F795DB36A85BC740

Uniqueness

Uniqueness Score: -1.00%

Function 02E5CB48 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c325ac037a32698942f9c813fc2636ae258ea2b8fac0836a3c29aa29a1a5188
Instruction ID: a853381e5663ade0ec0890222ec3d253c255f8d300b50a6f0626ab2d95795e10
Opcode Fuzzy Hash: 8c325ac037a32698942f9c813fc2636ae258ea2b8fac0836a3c29aa29a1a5188
Instruction Fuzzy Hash: B8F0BE30220710CFC728CF72D81AB927BE2FF85358B14D868E9098A380CB32D801CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E5C6C0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8692c34cb2083d6236d30c42af26ae4cfb895a4d75a09bfa9f9b04c678b320
Instruction ID: 14db97625eff6be6959345afe69bdc3268befc81b005d1aede93a934d6839b09
Opcode Fuzzy Hash: bb8692c34cb2083d6236d30c42af26ae4cfb895a4d75a09bfa9f9b04c678b320
Instruction Fuzzy Hash: 51F020B3B042156F8716C6A8B85647A7BBAFF88234308452EE849D7245DB218C054790

Uniqueness

Uniqueness Score: -1.00%

Function 02E540D0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0fb8c091ed79f212f1889d2f8c625a9bf6d9a503e750bd2227fe90446b65737
Instruction ID: 2ed902f3f1585358b4720cb46b728190b99a00fd7fcd2e05b0d01a5a37d4a3dc
Opcode Fuzzy Hash: d0fb8c091ed79f212f1889d2f8c625a9bf6d9a503e750bd2227fe90446b65737
Instruction Fuzzy Hash: ACE0E5303482148FD712EA6098500D32363AB85218392A9A2C448C7482DB2698498B93

Uniqueness

Uniqueness Score: -1.00%

Function 02E54A78 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d59b65adc5b215877e8beb7e6c308b69e8b2d3480187e5ce34387d1ca357698
Instruction ID: db40b30fdbc0176298e1d7211c0af36175039322009bfbf061b9b133a2986240
Opcode Fuzzy Hash: 3d59b65adc5b215877e8beb7e6c308b69e8b2d3480187e5ce34387d1ca357698
Instruction Fuzzy Hash: 33E026303082848FC3059724E4559F43FB09F86210B1145D6E509C7762C6758C0BCF81

Uniqueness

Uniqueness Score: -1.00%

Function 02E58600 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d49e9c4a5d688867858589de2d5cbf093a612380c708f776b0fa6a66c3ac6a
Instruction ID: 3e4fd63e0fff6c96f61fbc8bc79e50f230cb9ea76667281a126873870d80d242
Opcode Fuzzy Hash: 67d49e9c4a5d688867858589de2d5cbf093a612380c708f776b0fa6a66c3ac6a
Instruction Fuzzy Hash: 8AD012223A0234173B80B1FA28012FB72CE4D800B57089572FE0CC3541F995C8D116D0

Uniqueness

Uniqueness Score: -1.00%

Function 02E58E60 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7918002e3584358bc2301f45c5f663481efdcf42e2cbd9db0c4f054d62a29004
Instruction ID: 444a46e7668e8644df0b8a118e3bbb6e9f0ae0b8d91d0f1b9920b09a269308b8
Opcode Fuzzy Hash: 7918002e3584358bc2301f45c5f663481efdcf42e2cbd9db0c4f054d62a29004
Instruction Fuzzy Hash: C2D0A92670003003C300626CF0663ED2792EBC82B0F7A05BAEA43C7349DD2A9C2B83C9

Uniqueness

Uniqueness Score: -1.00%

Function 02E54A88 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca26c2e2c5a5091b3684af9ab40aab99975979ec7389bc255fb749f9ca495f41
Instruction ID: 0d1eafe51ed274ac729bda90a158edf4cc91c753d705379358df954e97dd8044
Opcode Fuzzy Hash: ca26c2e2c5a5091b3684af9ab40aab99975979ec7389bc255fb749f9ca495f41
Instruction Fuzzy Hash: 99D0A7343401108FC204A718E418E9677E9EB48621B114096F905C7360CAB1EC0087C0

Uniqueness

Uniqueness Score: -1.00%

Function 02E53910 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0cf479eb13c2f9ce63d47509ea7e8981f6d47068a744d8ac5eda2c590e9e90
Instruction ID: 955a09d463c6cbaca701e2db7e4413ce085908bf46cadd9227a9b2323db82d62
Opcode Fuzzy Hash: 1d0cf479eb13c2f9ce63d47509ea7e8981f6d47068a744d8ac5eda2c590e9e90
Instruction Fuzzy Hash: 00C02B6690C0C08FDB09A330C82D3C47F101F3230071447E0C00EC7A53C1040407CB11

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0108D2F0 Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

kl, xrefs: 0108D693

Memory Dump Source

Source File: 00000000.00000002.682281301.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID: kl
API String ID: 0-3508525193
Opcode ID: 007a6e48e2d49eeaaa68ab18d80367d8cd976caf2b5e242f870745e60cd79138
Instruction ID: c68475b06189f542559ec39bf6599082a6d4978f1d495a719cc15cb7c27b530f
Opcode Fuzzy Hash: 007a6e48e2d49eeaaa68ab18d80367d8cd976caf2b5e242f870745e60cd79138
Instruction Fuzzy Hash: 2CD1F434B002548FC754EBB8D454AAEBBF6EF89314B1489A9D586DB395DF30DC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E50190 Relevance: .9, Instructions: 866COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aaac203c4ebe8c7de5a76ae41ad02c06248682a06cc4a72e698e2af95cbe913
Instruction ID: e3db61f6e6b22e190b0eec247ae81f7928773c69f89abfee8ca975c184a9a8e6
Opcode Fuzzy Hash: 8aaac203c4ebe8c7de5a76ae41ad02c06248682a06cc4a72e698e2af95cbe913
Instruction Fuzzy Hash: F972BE34B402159FCB14DFA5C494AAEB7F2FF88314F148968E9469B3A5DB35EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02E52610 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.683087272.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e50000_EjNEMp1NTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a8e0a5cd074260da82f72bdfd1c21d0e6c0cadef6d153ef6a805b383403098a
Instruction ID: 3825aac5c377fb723d452aa1af71fb7be338f9bf3022d21519315900ee7006bf
Opcode Fuzzy Hash: 4a8e0a5cd074260da82f72bdfd1c21d0e6c0cadef6d153ef6a805b383403098a
Instruction Fuzzy Hash: 29E192357402159FD718DBB4C494BAAB3E6BF88318F108969D94ACBB95DF34EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A47EF8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681750043.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.681737517.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_EjNEMp1NTE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002a55f2f594ad3d9d73ddaa7ca6ecbf810cf96d61bf07f33948c43ce3e1c28b
Instruction ID: 777c97103961fe601b0a7d5d67ac570985367fec4010743696646742d39b0ba2
Opcode Fuzzy Hash: 002a55f2f594ad3d9d73ddaa7ca6ecbf810cf96d61bf07f33948c43ce3e1c28b
Instruction Fuzzy Hash: 0FE0EC6700D2E28FC3234B348CA41857F60AE4B51473E08DFC0C58B0A3E25E89DED762

Uniqueness

Uniqueness Score: -1.00%

Source: http://54ea-20-124-134-110.ngrok.io:80/	Avira URL Cloud: Label: phishing
Source: http://54ea-20-124-134-110.ngrok.io/	Avira URL Cloud: Label: phishing
Source: http://54ea-20-124-134-110.ngrok.io	Avira URL Cloud: Label: phishing

Source: EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://54ea-20-124-134-110.ngrok.
Source: EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://54ea-20-124-134-110.ngrok.io
Source: EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://54ea-20-124-134-110.ngrok.io/
Source: EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://54ea-20-124-134-110.ngrok.io4
Source: EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://54ea-20-124-134-110.ngrok.io:80/
Source: EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: EjNEMp1NTE.exe, 00000000.00000002.683374138.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/
Source: EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: EjNEMp1NTE.exe, 00000000.00000002.683415843.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, EjNEMp1NTE.exe, 00000000.00000002.683168689.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: EjNEMp1NTE.exe	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE
Source: EjNEMp1NTE.exe	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: EjNEMp1NTE.exe	String found in binary or memory: https://api.ipify.orgcookies//setti
Source: EjNEMp1NTE.exe	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: EjNEMp1NTE.exe	String found in binary or memory: https://ipinfo.io/ip%appdata%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: EjNEMp1NTE.exe	Virustotal: Detection: 68%			Perma Link
Source: EjNEMp1NTE.exe	ReversingLabs: Detection: 92%

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 54ea-20-124-134-110.ngrok.ioContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 54ea-20-124-134-110.ngrok.ioContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 54ea-20-124-134-110.ngrok.ioContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 54ea-20-124-134-110.ngrok.ioContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 54ea-20-124-134-110.ngrok.ioContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 54ea-20-124-134-110.ngrok.ioContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 54ea-20-124-134-110.ngrok.ioContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 54ea-20-124-134-110.ngrok.ioContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 54ea-20-124-134-110.ngrok.ioContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 54ea-20-124-134-110.ngrok.ioContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 54ea-20-124-134-110.ngrok.ioContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 54ea-20-124-134-110.ngrok.ioContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EjNEMp1NTE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
EjNEMp1NTE.exe

Function 0108DE10 Relevance: 2.2, Strings: 1, Instructions: 938
COMMON

Function 02E5BE80 Relevance: .6, Instructions: 602
COMMON

Function 02E521D8 Relevance: .4, Instructions: 354
COMMON

Function 010808E0 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Function 010808E8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 02E58170 Relevance: 1.5, Strings: 1, Instructions: 234
COMMON

Function 02E5D3C8 Relevance: .4, Instructions: 421
COMMON

Function 02E5CDD3 Relevance: .4, Instructions: 353
COMMON