
Windows Analysis Report
NjRat.exe

Overview

General Information

Sample Name:NjRat.exe
Analysis ID:770271
MD5:4dfda9644efa02d836dbb422936b4fe8
SHA1:521fa18a06ad42431014dd870a721bcb1e9318de
SHA256:6bddb592e3b006a2e526bf7d3ff8f94f03b3e25897cea915960e648ef48869b3

Detection

Njrat
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Njrat
C2 URLs / IPs found in malware configuration
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
.NET source code contains potential unpacker
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Enables debug privileges

Classification

  • System is w10x64
  • NjRat.exe (PID: 5420 cmdline: C:\Users\user\Desktop\NjRat.exe MD5: 4DFDA9644EFA02D836DBB422936B4FE8)
  • cleanup
Malware Configuration

{
  "Host": "javaoracle.hopto.org",
  "Port": "5552",
  "Mutex Name": "49829bdae88c",
  "Network Seprator": "@!#&^%$",
  "Campaign ID": "NYAN CAT",
  "Version": "0.7NC"
}
Source | Rule | Description | Author | Strings
NjRat.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
00000000.00000000.232319489.0000000000B92000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
Process Memory Space: NjRat.exe PID: 5420 | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
0.0.NjRat.exe.b90000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
          No Sigma rule has matched
          No Snort rule has matched

AV Detection

Source: NjRat.exe | Avira: detected
Source: NjRat.exe | Virustotal: Detection: 80%
Source: Yara match | File source: NjRat.exe, type: SAMPLE
Source: Yara match | File source: 0.0.NjRat.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.232319489.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NjRat.exe PID: 5420, type: MEMORYSTR
Source: NjRat.exe | Joe Sandbox ML: detected
Source: 0.0.NjRat.exe.b90000.0.unpack | Avira: Label: TR/Dropper.Gen7
Source: 0.0.NjRat.exe.b90000.0.unpack | Malware Configuration Extractor: Njrat {"Host": "javaoracle.hopto.org", "Port": "5552", "Mutex Name": "49829bdae88c", "Network Seprator": "@!#&^%$", "Campaign ID": "NYAN CAT", "Version": "0.7NC"}
Source: NjRat.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\NjRat.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: NjRat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor | URLs: javaoracle.hopto.org
Source: unknown | DNS traffic detected: queries for: javaoracle.hopto.org

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: NjRat.exe, Keylogger.cs | .Net Code: VKCodeToUnicode
Source: 0.0.NjRat.exe.b90000.0.unpack, Keylogger.cs | .Net Code: VKCodeToUnicode

E-Banking Fraud

Source: Yara match | File source: NjRat.exe, type: SAMPLE
Source: Yara match | File source: 0.0.NjRat.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.232319489.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NjRat.exe PID: 5420, type: MEMORYSTR
Source: NjRat.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: NjRat.exe, 00000000.00000000.232326276.0000000000B98000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe4 vs NjRat.exe
Source: NjRat.exe | Binary or memory string: OriginalFilenameClient.exe4 vs NjRat.exe
Source: NjRat.exe | Virustotal: Detection: 80%
Source: NjRat.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NjRat.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: NjRat.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\NjRat.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\NjRat.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\NjRat.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\NjRat.exe | Code function: 0_2_054C10A6 AdjustTokenPrivileges,0_2_054C10A6
Source: C:\Users\user\Desktop\NjRat.exe | Code function: 0_2_054C106F AdjustTokenPrivileges,0_2_054C106F
Source: C:\Users\user\Desktop\NjRat.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\NjRat.exe | Mutant created: \Sessions\1\BaseNamedObjects\49829bdae88c
Source: classification engine | Classification label: mal84.troj.spyw.evad.winEXE@1/0@58/0
Source: C:\Users\user\Desktop\NjRat.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: NjRat.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\NjRat.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: NjRat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: NjRat.exe, Program.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.NjRat.exe.b90000.0.unpack, Program.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\NjRat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NjRat.exe | Window / User API: threadDelayed 6670
Source: C:\Users\user\Desktop\NjRat.exe TID: 5232 | Thread sleep count: 6670 > 30
Source: C:\Users\user\Desktop\NjRat.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\NjRat.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\NjRat.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: NjRat.exe, Program.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: NjRat.exe, Keylogger.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.0.NjRat.exe.b90000.0.unpack, Program.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 0.0.NjRat.exe.b90000.0.unpack, Keylogger.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: NjRat.exe, 00000000.00000002.499171132.0000000003250000.00000004.00000800.00020000.00000000.sdmp, NjRat.exe, 00000000.00000002.499082624.00000000031C5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: NjRat.exe, 00000000.00000002.499171132.0000000003250000.00000004.00000800.00020000.00000000.sdmp, NjRat.exe, 00000000.00000002.499082624.00000000031C5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager|9
Source: NjRat.exe, 00000000.00000002.499171132.0000000003250000.00000004.00000800.00020000.00000000.sdmp, NjRat.exe, 00000000.00000002.499082624.00000000031C5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager<
Source: C:\Users\user\Desktop\NjRat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: NjRat.exe, type: SAMPLE
Source: Yara match | File source: 0.0.NjRat.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.232319489.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NjRat.exe PID: 5420, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: NjRat.exe, type: SAMPLE
Source: Yara match | File source: 0.0.NjRat.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.232319489.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NjRat.exe PID: 5420, type: MEMORYSTR
MITRE ATT&CK Matrix (tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact). Only cells carrying a match are listed; the number in parentheses is the count shown in the matrix cell:

• Execution: Native API (1)
• Privilege Escalation: Access Token Manipulation (1), Process Injection (1)
• Defense Evasion: Virtualization/Sandbox Evasion (1), Disable or Modify Tools (1), Access Token Manipulation (1), Software Packing (11), Process Injection (1)
• Credential Access: Input Capture (1)
• Discovery: Virtualization/Sandbox Evasion (1), Process Discovery (1), Application Window Discovery (1), System Information Discovery (2), Remote System Discovery (1)
• Collection: Input Capture (1)
• Command and Control: Non-Application Layer Protocol (1), Application Layer Protocol (11)
• No matched cells under Initial Access, Persistence, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects or Impact.
Behavior Graph (ID: 770271, Sample: NjRat.exe, Start date: 19/12/2022, Architecture: WINDOWS, Score: 84):

• NjRat.exe started; DNS: javaoracle.hopto.org
• Signatures on the sample node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Njrat; 5 other signatures

Source | Detection | Scanner | Label
NjRat.exe | 81% | Virustotal |
NjRat.exe | 100% | Avira | TR/Dropper.Gen7
NjRat.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
0.0.NjRat.exe.b90000.0.unpack | 100% | Avira | TR/Dropper.Gen7
No Antivirus matches
Source | Detection | Scanner | Label
javaoracle.hopto.org | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
javaoracle.hopto.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
javaoracle.hopto.org | true | Avira URL Cloud: safe | unknown
No contacted IP infos
            Joe Sandbox Version:36.0.0 Rainbow Opal
            Analysis ID:770271
            Start date and time:2022-12-19 23:02:06 +01:00
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 4m 11s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:NjRat.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:12
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal84.troj.spyw.evad.winEXE@1/0@58/0
            EGA Information:
            • Successful, ratio: 100%
            HDC Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 64
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): fs.microsoft.com
• Not all processes were analyzed, report is missing behavior information
            No simulations
            No context
            No created / dropped files found
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):3.7989998190116143
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
            • Win32 Executable (generic) a (10002005/4) 49.75%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Windows Screen Saver (13104/52) 0.07%
            • Win16/32 Executable Delphi generic (2074/23) 0.01%
            File name:NjRat.exe
            File size:32768
            MD5:4dfda9644efa02d836dbb422936b4fe8
            SHA1:521fa18a06ad42431014dd870a721bcb1e9318de
            SHA256:6bddb592e3b006a2e526bf7d3ff8f94f03b3e25897cea915960e648ef48869b3
            SHA512:2c9e919830939b686e6a2fec576da33197c4fcfb95fe2f685ca1ec1106a8f1719986bf1903dcc8922b9310bb36d1e023fb06613be5c28ace78bdb4e76c4a592a
            SSDEEP:384:00bUe5XB4e0X7OVcsw0Q0mS03AWTxtTUFQqzFGObbR:RT9BuC6555d4bR
            TLSH:3CE208067BF98215D6BC5AF88CB313214772E3838532EB6F5CDC98CA4B676D00645EE9
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C.sc.................P... ......ng... ........@.. ....................................@................................
            Icon Hash:00828e8e8686b000
            Entrypoint:0x40676e
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x6373F043 [Tue Nov 15 20:02:11 2022 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6718 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x2a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x4774 | 0x5000 | False | 0.4748046875 | data | 5.289775354614074 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x8000 | 0x2a0 | 0x1000 | False | 0.07666015625 | data | 0.6655850551657312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa000 | 0xc | 0x1000 | False | 0.0087890625 | data | 0.013126943721219527 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x8058 | 0x244 | data | |

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Dec 19, 2022 23:04:45.824541092 CET53654598.8.8.8192.168.2.3
            Dec 19, 2022 23:04:47.844623089 CET6538553192.168.2.38.8.8.8
            Dec 19, 2022 23:04:47.864533901 CET53653858.8.8.8192.168.2.3
            Dec 19, 2022 23:04:49.877428055 CET5415353192.168.2.38.8.8.8
            Dec 19, 2022 23:04:49.897413015 CET53541538.8.8.8192.168.2.3
            Dec 19, 2022 23:04:51.962511063 CET6460253192.168.2.38.8.8.8
            Dec 19, 2022 23:04:51.982722044 CET53646028.8.8.8192.168.2.3
            Dec 19, 2022 23:04:54.002010107 CET5078453192.168.2.38.8.8.8
            Dec 19, 2022 23:04:54.022227049 CET53507848.8.8.8192.168.2.3
            Dec 19, 2022 23:04:56.034060955 CET6412153192.168.2.38.8.8.8
            Dec 19, 2022 23:04:56.056148052 CET53641218.8.8.8192.168.2.3
            Dec 19, 2022 23:04:58.060647964 CET6496753192.168.2.38.8.8.8
            Dec 19, 2022 23:04:58.078546047 CET53649678.8.8.8192.168.2.3
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Dec 19, 2022 23:03:01.135204077 CET | 192.168.2.3 | 8.8.8.8 | 0xa00c | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:03.180324078 CET | 192.168.2.3 | 8.8.8.8 | 0xdc47 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:05.213258982 CET | 192.168.2.3 | 8.8.8.8 | 0xbf97 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:07.264019012 CET | 192.168.2.3 | 8.8.8.8 | 0x7194 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:09.307188034 CET | 192.168.2.3 | 8.8.8.8 | 0xc917 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:11.362128973 CET | 192.168.2.3 | 8.8.8.8 | 0xf3bb | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:13.451940060 CET | 192.168.2.3 | 8.8.8.8 | 0xbed9 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:15.499706030 CET | 192.168.2.3 | 8.8.8.8 | 0x23e0 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:17.602252007 CET | 192.168.2.3 | 8.8.8.8 | 0x82b5 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:19.651704073 CET | 192.168.2.3 | 8.8.8.8 | 0x27ec | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:21.689243078 CET | 192.168.2.3 | 8.8.8.8 | 0xfe64 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:23.728792906 CET | 192.168.2.3 | 8.8.8.8 | 0x2bf6 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:25.770757914 CET | 192.168.2.3 | 8.8.8.8 | 0x219f | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:28.065093040 CET | 192.168.2.3 | 8.8.8.8 | 0x32 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:30.138931036 CET | 192.168.2.3 | 8.8.8.8 | 0x8b67 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:32.202222109 CET | 192.168.2.3 | 8.8.8.8 | 0x565c | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:34.231417894 CET | 192.168.2.3 | 8.8.8.8 | 0xbe98 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:36.263711929 CET | 192.168.2.3 | 8.8.8.8 | 0xf1e6 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:38.295089960 CET | 192.168.2.3 | 8.8.8.8 | 0x5a28 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:40.325378895 CET | 192.168.2.3 | 8.8.8.8 | 0xfe48 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:42.361660004 CET | 192.168.2.3 | 8.8.8.8 | 0xa2c7 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:44.401216030 CET | 192.168.2.3 | 8.8.8.8 | 0x8e65 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:46.434865952 CET | 192.168.2.3 | 8.8.8.8 | 0x4d80 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:48.498076916 CET | 192.168.2.3 | 8.8.8.8 | 0xa1d2 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:50.527416945 CET | 192.168.2.3 | 8.8.8.8 | 0xee00 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:52.563286066 CET | 192.168.2.3 | 8.8.8.8 | 0x4e93 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:54.591330051 CET | 192.168.2.3 | 8.8.8.8 | 0x92c7 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:56.630789995 CET | 192.168.2.3 | 8.8.8.8 | 0xa9d9 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:03:58.707082987 CET | 192.168.2.3 | 8.8.8.8 | 0x40b | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:00.749882936 CET | 192.168.2.3 | 8.8.8.8 | 0x1aef | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:02.840859890 CET | 192.168.2.3 | 8.8.8.8 | 0xa236 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:04.936908960 CET | 192.168.2.3 | 8.8.8.8 | 0x5a65 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:06.965876102 CET | 192.168.2.3 | 8.8.8.8 | 0xe35b | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:09.003112078 CET | 192.168.2.3 | 8.8.8.8 | 0x47a5 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:11.052040100 CET | 192.168.2.3 | 8.8.8.8 | 0x8a75 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:13.092600107 CET | 192.168.2.3 | 8.8.8.8 | 0x89ab | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:15.138598919 CET | 192.168.2.3 | 8.8.8.8 | 0xb877 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:17.176152945 CET | 192.168.2.3 | 8.8.8.8 | 0xbd5a | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:19.218736887 CET | 192.168.2.3 | 8.8.8.8 | 0x177 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:21.301671982 CET | 192.168.2.3 | 8.8.8.8 | 0xdb96 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:23.343063116 CET | 192.168.2.3 | 8.8.8.8 | 0x5a63 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:25.375946045 CET | 192.168.2.3 | 8.8.8.8 | 0xc88f | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:27.406435013 CET | 192.168.2.3 | 8.8.8.8 | 0xc3e0 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:29.437721968 CET | 192.168.2.3 | 8.8.8.8 | 0x7fcb | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:31.474884033 CET | 192.168.2.3 | 8.8.8.8 | 0x4965 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:33.520098925 CET | 192.168.2.3 | 8.8.8.8 | 0x4abc | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:35.549333096 CET | 192.168.2.3 | 8.8.8.8 | 0xece8 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:37.635499954 CET | 192.168.2.3 | 8.8.8.8 | 0xd2bc | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:39.679414034 CET | 192.168.2.3 | 8.8.8.8 | 0xeb27 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:41.718868017 CET | 192.168.2.3 | 8.8.8.8 | 0x7d30 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:43.754101992 CET | 192.168.2.3 | 8.8.8.8 | 0x4964 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:45.804409027 CET | 192.168.2.3 | 8.8.8.8 | 0x27d5 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:47.844623089 CET | 192.168.2.3 | 8.8.8.8 | 0xe7ad | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:49.877428055 CET | 192.168.2.3 | 8.8.8.8 | 0xf820 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:51.962511063 CET | 192.168.2.3 | 8.8.8.8 | 0xf94d | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:54.002010107 CET | 192.168.2.3 | 8.8.8.8 | 0x5a24 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:56.034060955 CET | 192.168.2.3 | 8.8.8.8 | 0xf734 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            Dec 19, 2022 23:04:58.060647964 CET | 192.168.2.3 | 8.8.8.8 | 0x3226 | Standard query (0) | javaoracle.hopto.org | A (IP address) | IN (0x0001) | false
            [Process activity chart: x axis 0-100 s, y axis 0-100]

            [Memory usage chart: x axis 0-100 s, y axis 0-15 MB]

            [Behavior distribution chart: File, Registry]

            Target ID:0
            Start time:23:02:53
            Start date:19/12/2022
            Path:C:\Users\user\Desktop\NjRat.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\Desktop\NjRat.exe
            Imagebase:0xb90000
            File size:32768 bytes
            MD5 hash:4DFDA9644EFA02D836DBB422936B4FE8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.232319489.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
            Reputation:low

            Execution Graph

            Execution Coverage:16.5%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:5.3%
            Total number of Nodes:114
            Total number of Limit Nodes:4
            [execution_graph: rendered as a graph on the original page; node/edge listing omitted. API nodes reached, in code regions 0x147a000, 0x54c0000 and 0x2d40000: RegOpenKeyExW, CreateMutexW, DuplicateHandle, KiUserExceptionDispatcher, FindCloseChangeNotification, OpenFileMappingW, ReadFile, GetProcessWorkingSetSize, OleInitialize, SetErrorMode, CreateFileW, AdjustTokenPrivileges, GetFileType, GetExitCodeProcess, LookupPrivilegeValueW, GetComputerNameW, RegCreateKeyExW, getaddrinfo, GetProcessTimes, ConvertStringSecurityDescriptorToSecurityDescriptorW, FormatMessageW, MapViewOfFile, SetProcessWorkingSetSize, RegSetValueExW, WSASocketW, RegQueryValueExW]

            Executed Functions

            APIs
            • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 054C10EF
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: AdjustPrivilegesToken
            • String ID:
            • API String ID: 2874748243-0
            • Opcode ID: 219d0bbf57c509960629cc1a48202d1915c589a5248983587b3aa458a4b5685d
            • Instruction ID: 01b99ec801126d2d7a27214d30ab544c45ea8a2707fbc4d27ab8ec47f3e9a82c
            • Opcode Fuzzy Hash: 219d0bbf57c509960629cc1a48202d1915c589a5248983587b3aa458a4b5685d
            • Instruction Fuzzy Hash: C221D175509780AFEB128F25DC44BA2BFF4EF46310F0885DBE9858F663D2349908CB62
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 054C10EF
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: AdjustPrivilegesToken
            • String ID:
            • API String ID: 2874748243-0
            • Opcode ID: 43f97671902aae83fdebbd01a524c1a1abac18960dff99afa866601ddb7a0a5c
            • Instruction ID: 08bf0c59968b9b6a389809fa432876236ea8dd608e1f867aa1c3bfeecff2f942
            • Opcode Fuzzy Hash: 43f97671902aae83fdebbd01a524c1a1abac18960dff99afa866601ddb7a0a5c
            • Instruction Fuzzy Hash: 1211A0355006009FDB20CF56D884BA6FFE4FF48220F08C8AFDD858B612D675E418CB62
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph
            [control_flow_graph: basic blocks 54c02c1-54c0426; OpenFileMappingW called from block 54c03cb-54c03ef]
            APIs
            • OpenFileMappingW.KERNELBASE(?,?), ref: 054C03D1
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: FileMappingOpen
            • String ID:
            • API String ID: 1680863896-0
            • Opcode ID: 9d0593ef971e96bbb2e7d46d2251bd114cbd8bac692b6f5667bd0d68f83cca62
            • Instruction ID: 7aee98f1ec3c9bdbdb169f3bee3348c8124ad44671ba2ac1de6900729570b5ab
            • Opcode Fuzzy Hash: 9d0593ef971e96bbb2e7d46d2251bd114cbd8bac692b6f5667bd0d68f83cca62
            • Instruction Fuzzy Hash: 8741B175549380AFE7128B25DC45FA6FFB8EF46220F1884DBE9849B293D265A408C762
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph
            [control_flow_graph: basic blocks 147bb4b-147bc36; RegQueryValueExW called from block 147bbe2-147bc1a]
            APIs
            • RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 0147BC12
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: QueryValue
            • String ID:
            • API String ID: 3660427363-0
            • Opcode ID: 5807188fcdb2a516955248951be7cdb51c64e4eec0c358d3f33d25fa8fa425e2
            • Instruction ID: 3b97e9e8fed449de0b4bb134381acde748000f6a8bc581ba8857d183018f8694
            • Opcode Fuzzy Hash: 5807188fcdb2a516955248951be7cdb51c64e4eec0c358d3f33d25fa8fa425e2
            • Instruction Fuzzy Hash: 00318F6510E7C06FD3138B358C61A62BF74EF47610B0E85CBD8C48F5A3D1296919D7B2
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph
            [control_flow_graph: basic blocks 54c161c-54c171f; RegCreateKeyExW called from block 54c16d3-54c16e6]
            APIs
            • RegCreateKeyExW.KERNELBASE(?,00000E2C), ref: 054C16D9
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0
            • Opcode ID: 169b6e8b955540bce00cf08d12e4a5fee58bb7590c7189181d9889f05346a3b2
            • Instruction ID: c303e50622921a98901ff59d2b5c01e47e3a497b6822a128b9bfd17b0301bb1a
            • Opcode Fuzzy Hash: 169b6e8b955540bce00cf08d12e4a5fee58bb7590c7189181d9889f05346a3b2
            • Instruction Fuzzy Hash: B9318E76504344AFEB218B25CC44FA7BFECEF49710F08899AE985DB652D220E508CB61
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph
            [control_flow_graph: basic blocks 147b5e7-147b6f2; CreateFileW called from block 147b697-147b6bb]
            APIs
            • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0147B69D
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: 3292f1924f645d2f9bcf7bece3fa1fe0fa3f85c171ba4a05891243a48628160e
            • Instruction ID: efcac4df8670298e9519d018e0b2bfd8c5a879b92eb5d8ea0cc6b327596db49c
            • Opcode Fuzzy Hash: 3292f1924f645d2f9bcf7bece3fa1fe0fa3f85c171ba4a05891243a48628160e
            • Instruction Fuzzy Hash: 943172B1505380AFE722CB65DD44F66BFE8EF06314F08849EE9849B262D375A509CB71
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph
            [control_flow_graph: basic blocks 54c0894-54c0982; GetProcessTimes called from block 54c092b-54c0933]
            APIs
            • GetProcessTimes.KERNELBASE(?,00000E2C,6C002C1F,00000000,00000000,00000000,00000000), ref: 054C0931
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: ProcessTimes
            • String ID:
            • API String ID: 1995159646-0
            • Opcode ID: 967e18be31eee25a24de4809ba469f2c8aa2c987e3a17c1e2514b3c2acd8e3e5
            • Instruction ID: 78fa29d2845c3b4dc8af3df5d3a873289a1425dc3742fae6aa783cb3421e2d76
            • Opcode Fuzzy Hash: 967e18be31eee25a24de4809ba469f2c8aa2c987e3a17c1e2514b3c2acd8e3e5
            • Instruction Fuzzy Hash: FE31E476009380AFEB128F24DC45FA6BFB8EF46310F0884DBE9859F193D225A509C771
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph
            [control_flow_graph: basic blocks 147a7c7-147a8bf; RegOpenKeyExW called from block 147a873-147a886]
            APIs
            • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0147A879
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: Open
            • String ID:
            • API String ID: 71445658-0
            • Opcode ID: 8e79f554adc10376e0a86fe26bb14ede772c07e6d2c34911ff4365fcee4db8b9
            • Instruction ID: 4fc03e23d279601f6947a4dd050d048d9f06c2c310fbe7ec9a727d212b34647b
            • Opcode Fuzzy Hash: 8e79f554adc10376e0a86fe26bb14ede772c07e6d2c34911ff4365fcee4db8b9
            • Instruction Fuzzy Hash: 2031C4724083806FE7228B65CC45FA7BFACEF06310F19849BE984DB253D224A509C771
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph
            [control_flow_graph: basic blocks 54c099c-54c0ab9; getaddrinfo called from block 54c0a5d-54c0a65]
            APIs
            • getaddrinfo.WS2_32(?,00000E2C), ref: 054C0A63
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: getaddrinfo
            • String ID:
            • API String ID: 300660673-0
            • Opcode ID: 6f5385735fb45bcb64198250b924b3c2451eff553f9ff0beaff91acf10801f8c
            • Instruction ID: 303cbadbc9f01ec95a8b38d7c8ec6dbc353cc3e2b84b9b07d4ab75bc96d49155
            • Opcode Fuzzy Hash: 6f5385735fb45bcb64198250b924b3c2451eff553f9ff0beaff91acf10801f8c
            • Instruction Fuzzy Hash: 7431C471144340BFEB21CB65DC44FA7FBACEF44310F14889AFA859B292D275A948CB61
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph
            [control_flow_graph: basic blocks 54c0190-54c0283; ConvertStringSecurityDescriptorToSecurityDescriptorW called from block 54c0221-54c0229]
            APIs
            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 054C0227
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: DescriptorSecurity$ConvertString
            • String ID:
            • API String ID: 3907675253-0
            • Opcode ID: 1935e985d1c2aa219fce058510ca5d1f86904bc29a8114c653e03d5d97ee26dd
            • Instruction ID: 2129d5e57160e605ce14b3201d20b11ac39f43b5d48e09ed1abd05e530865ef2
            • Opcode Fuzzy Hash: 1935e985d1c2aa219fce058510ca5d1f86904bc29a8114c653e03d5d97ee26dd
            • Instruction Fuzzy Hash: 79319571504345AFEB11CB65DC45FABFFACEF45310F0884AAE985DF252D224A948CB61
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph
            [control_flow_graph: basic blocks 147a612-147a70e; CreateMutexW called from block 147a6b3-147a6d7]
            APIs
            • CreateMutexW.KERNELBASE(?,?), ref: 0147A6B9
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: CreateMutex
            • String ID:
            • API String ID: 1964310414-0
            • Opcode ID: 47163ca41b4b37501d03e2335b4df865f9e3ae5906f92e356247018d9a8061f4
            • Instruction ID: b1709caa8df3f81c1256a52486b3086cc9ec04e20fe4962268ecca242f6d0c6a
            • Opcode Fuzzy Hash: 47163ca41b4b37501d03e2335b4df865f9e3ae5906f92e356247018d9a8061f4
            • Instruction Fuzzy Hash: 01318F755097806FE712CB65CC85B96FFF8EF06210F18849AE984CB2A3D375E909C761
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph
            [control_flow_graph: basic blocks 54c0428-54c0522; MapViewOfFile called from block 54c04d4-54c04eb]
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: FileView
            • String ID:
            • API String ID: 3314676101-0
            • Opcode ID: fb9c1ecf879884086cd797703e14b5cf5cf4dbaf0829e346d46a5918f016207c
            • Instruction ID: b017ef9d40a068c612c159bcb17e325004da48be577beca8c1173af249c7b425
            • Opcode Fuzzy Hash: fb9c1ecf879884086cd797703e14b5cf5cf4dbaf0829e346d46a5918f016207c
            • Instruction Fuzzy Hash: 9D31B372404780AFE722CB55DC45F96FFF8EF06324F08459EE9848B262D375A549CB61
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph
            [control_flow_graph: basic blocks 54c163e-54c171f; RegCreateKeyExW called from block 54c16d3-54c16e6]
            APIs
            • RegCreateKeyExW.KERNELBASE(?,00000E2C), ref: 054C16D9
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0
            • Opcode ID: 0de847bcf78f4048abf5d567314f08b3968c06554f7d2f79fddd13805dbca30b
            • Instruction ID: 2d4c17edbb983ba8ff9579c49a3be4c8bce6fd601031b6c51425a6c781b5e0d4
            • Opcode Fuzzy Hash: 0de847bcf78f4048abf5d567314f08b3968c06554f7d2f79fddd13805dbca30b
            • Instruction Fuzzy Hash: 21218276600204AFEB21DF55CC84FA7FBECEF48710F18859AE945DB652D660E508CB71
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph (rendered image, not reproduced): function spanning basic blocks 147a33d through 147a423; the RegQueryValueExW call sits in block 147a3e2-147a3f5. Legend: Executed / Not Executed.
            APIs
            • RegQueryValueExW.KERNELBASE(?,00000E2C,6C002C1F,00000000,00000000,00000000,00000000), ref: 0147A3E8
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: QueryValue
            • String ID:
            • API String ID: 3660427363-0
            • Opcode ID: 11f185a78fed870a907b4fa18f5566c25d9dae6052b2ddd140b543957202b440
            • Instruction ID: 33d00d6ae289e3000ead9bbc9b2cb5a5d0e567adae8799d2237568b3870cd2d1
            • Opcode Fuzzy Hash: 11f185a78fed870a907b4fa18f5566c25d9dae6052b2ddd140b543957202b440
            • Instruction Fuzzy Hash: FC318075104380AFE722CF25CC45F97BFB8EF06310F18849BE945DB2A2D264E848CB61
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • getaddrinfo.WS2_32(?,00000E2C), ref: 054C0A63
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: getaddrinfo
            • String ID:
            • API String ID: 300660673-0
            • Opcode ID: 342d89411b9af7dd5202246a77e81f3999c3f454d95390e2cb19fd9f1f341799
            • Instruction ID: 3832e4955d1c75f2ea2a2e88bb9324027bfb58b168c7a831e38d9c6fe1c88326
            • Opcode Fuzzy Hash: 342d89411b9af7dd5202246a77e81f3999c3f454d95390e2cb19fd9f1f341799
            • Instruction Fuzzy Hash: BC21E571100200AFFB20DB65DC89FABFBACEF44310F14889AFE499B281D675A548CB71
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 054C0ECE
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: FormatMessage
            • String ID:
            • API String ID: 1306739567-0
            • Opcode ID: e05eabd56d9edc7b371c593acda3200d9db99d044db4812d705f803eb9078969
            • Instruction ID: 7c610c4280fe104aa0cf3c69549420dfa784cb3d2d5b9cc348e58a5f8ca5ab6e
            • Opcode Fuzzy Hash: e05eabd56d9edc7b371c593acda3200d9db99d044db4812d705f803eb9078969
            • Instruction Fuzzy Hash: 8E21D17154D3C06FD3028B65CC55B66BFB4EF87610F0980CBD8848F2A3D224A919C7A2
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetExitCodeProcess.KERNELBASE(?,00000E2C,6C002C1F,00000000,00000000,00000000,00000000), ref: 054C1278
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: CodeExitProcess
            • String ID:
            • API String ID: 3861947596-0
            • Opcode ID: 3463f93f20cf8df089cd97798c84082c62c39deef2f0e4c584da285fbec5fd6f
            • Instruction ID: cbfdf5a77b3ecb081b4654e3490a88adf86ff0f743028db13f8960dccb1543ca
            • Opcode Fuzzy Hash: 3463f93f20cf8df089cd97798c84082c62c39deef2f0e4c584da285fbec5fd6f
            • Instruction Fuzzy Hash: 0121C1755093806FE712CB24DC95F96BFA8EF42314F0884EBE985DF293D264A908C762
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetFileType.KERNELBASE(?,00000E2C,6C002C1F,00000000,00000000,00000000,00000000), ref: 0147B789
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: FileType
            • String ID:
            • API String ID: 3081899298-0
            • Opcode ID: 8d039562ee618e0335497017aeb0ef00e23063ac76cc6511ade90041be27f05e
            • Instruction ID: 52799059bc0a4b0760f3c163bacbe268b83e4dbaf78282d65bc712a2e6f51465
            • Opcode Fuzzy Hash: 8d039562ee618e0335497017aeb0ef00e23063ac76cc6511ade90041be27f05e
            • Instruction Fuzzy Hash: DA2108754087806FE712CB259C50BA3BFA8EF42320F1880DBE9849B253D224A908C771
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RegSetValueExW.KERNELBASE(?,00000E2C,6C002C1F,00000000,00000000,00000000,00000000), ref: 0147A4D4
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: Value
            • String ID:
            • API String ID: 3702945584-0
            • Opcode ID: 393e3c16996021e984da867a7a85fb13896a2bb5b223123cb0c7394b59098508
            • Instruction ID: 2fd4ad5d39fde24120d8efbe38e47c36a7fc51d0d438e1208511f196d085a252
            • Opcode Fuzzy Hash: 393e3c16996021e984da867a7a85fb13896a2bb5b223123cb0c7394b59098508
            • Instruction Fuzzy Hash: 3E2162725043806FE7228F25DC45FA7FFB8EF46720F18849BE9859B252D265E448C771
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • WSASocketW.WS2_32(?,?,?,?,?), ref: 0147BCCA
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: Socket
            • String ID:
            • API String ID: 38366605-0
            • Opcode ID: e209b2626548ddbb89d84d2b5f167a414f30a983e50e8b7d4c894231ab95c0fd
            • Instruction ID: 7af7c23833a2e140225d11fabacfcb056af550bce213a37f7ed98615fe610380
            • Opcode Fuzzy Hash: e209b2626548ddbb89d84d2b5f167a414f30a983e50e8b7d4c894231ab95c0fd
            • Instruction Fuzzy Hash: 5D21AD71508380AFE722CF65DC44F96FFB8EF05320F18889EE9858B652C375A408CB66
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 054C0227
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: DescriptorSecurity$ConvertString
            • String ID:
            • API String ID: 3907675253-0
            • Opcode ID: f65db46c66380bbb530a68aae7a7dcce9eb888a182ba93e66813d51cc387cfa6
            • Instruction ID: ac9bbcac6d12674e2c8cf4ad37dfb26cffbb5e38fcf75a1be3e6d86d3eaeb7d7
            • Opcode Fuzzy Hash: f65db46c66380bbb530a68aae7a7dcce9eb888a182ba93e66813d51cc387cfa6
            • Instruction Fuzzy Hash: 5221A775500204AFEB10DF69DC49FABFB9CEF44710F1488ABED49DB241D674A9088B71
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0147B69D
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: f47884456eae83446c381dcb7ed76a5df21234d915eacae353ae551d3339b327
            • Instruction ID: 3374083f1259a89f3d0532a934a5da6d03f94e3b445dfb2a1a209769f43fbd8f
            • Opcode Fuzzy Hash: f47884456eae83446c381dcb7ed76a5df21234d915eacae353ae551d3339b327
            • Instruction Fuzzy Hash: B7217C71504244AFE721CF69CD45BA7FBE8EF08310F18846EEA898B652D371E408CB62
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RegQueryValueExW.KERNELBASE(?,00000E2C,6C002C1F,00000000,00000000,00000000,00000000), ref: 054C013C
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: QueryValue
            • String ID:
            • API String ID: 3660427363-0
            • Opcode ID: 9f356e0cc8426ebc2690b9b5aa760911fb0c60a78db9386ab24d29944356cdce
            • Instruction ID: 5ee17d2d4644e5a1fbdafde1bb8c515f0649bc18e822a7d934d34b6afcfe10d4
            • Opcode Fuzzy Hash: 9f356e0cc8426ebc2690b9b5aa760911fb0c60a78db9386ab24d29944356cdce
            • Instruction Fuzzy Hash: AF21B076104340AFD721CB15CC44FA7FFF8EF45310F08849AE9499B252C225E548CB61
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0147A879
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: Open
            • String ID:
            • API String ID: 71445658-0
            • Opcode ID: 4e1fca9f5b3c971342ada756072385ccfc76eddb39a9c6fa6bca25ceb86b212d
            • Instruction ID: 5e24b002a703f468ba538418ca9404ca81478ac752e211d2bc9ea2285750ffa3
            • Opcode Fuzzy Hash: 4e1fca9f5b3c971342ada756072385ccfc76eddb39a9c6fa6bca25ceb86b212d
            • Instruction Fuzzy Hash: 0821F072500204AFF7218B59CC84FABFBECEF04310F18881BEE459B251D670E5098BB2
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetProcessWorkingSetSize.KERNEL32(?,00000E2C,6C002C1F,00000000,00000000,00000000,00000000), ref: 054C1357
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: ProcessSizeWorking
            • String ID:
            • API String ID: 3584180929-0
            • Opcode ID: 68134f5823cf18bba606f1b77f77bfa276e9f7799f698df2d338e98996b8a5fd
            • Instruction ID: b4f8e9ff60ed3767c097113372969dd11b1b4f89194f7feb411018204e949523
            • Opcode Fuzzy Hash: 68134f5823cf18bba606f1b77f77bfa276e9f7799f698df2d338e98996b8a5fd
            • Instruction Fuzzy Hash: B921C2715083806FE712CB25DC45FA7BFA8EF46314F0884AFE944DB252D264A408CB62
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SetProcessWorkingSetSize.KERNEL32(?,00000E2C,6C002C1F,00000000,00000000,00000000,00000000), ref: 054C143B
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: ProcessSizeWorking
            • String ID:
            • API String ID: 3584180929-0
            • Opcode ID: 68134f5823cf18bba606f1b77f77bfa276e9f7799f698df2d338e98996b8a5fd
            • Instruction ID: 8efe8f89ce894909cb1c198e278e4a2e15cc7454d4d88bfec4ddd58ba6ec2e97
            • Opcode Fuzzy Hash: 68134f5823cf18bba606f1b77f77bfa276e9f7799f698df2d338e98996b8a5fd
            • Instruction Fuzzy Hash: A421C2715093806FE712CB25DC55FA7BFA8EF46314F0884AFE944DB252D264A408CB66
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateMutexW.KERNELBASE(?,?), ref: 0147A6B9
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: CreateMutex
            • String ID:
            • API String ID: 1964310414-0
            • Opcode ID: 47fc734aec57b57e14be6b805e3b2b848fe0287a3a727bae3760d36682eb765a
            • Instruction ID: 92261fc330030108cc89b37683730dea2dd7d6e0c8966e772a832e17fd46744c
            • Opcode Fuzzy Hash: 47fc734aec57b57e14be6b805e3b2b848fe0287a3a727bae3760d36682eb765a
            • Instruction Fuzzy Hash: 95219271600240AFE721DF69CD85BABFBE8EF04310F28846AED898B752D775E405CA71
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ReadFile.KERNELBASE(?,00000E2C,6C002C1F,00000000,00000000,00000000,00000000), ref: 0147BA55
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: FileRead
            • String ID:
            • API String ID: 2738559852-0
            • Opcode ID: 1bbbe7da7dc34678963c4cfc92ed6a3fd3f046b02e79d6a4ee1256c8a30baa46
            • Instruction ID: b37b51cd1d34c7ace6ec787697d704540e915fb7fb54c8573c6adf223eed538b
            • Opcode Fuzzy Hash: 1bbbe7da7dc34678963c4cfc92ed6a3fd3f046b02e79d6a4ee1256c8a30baa46
            • Instruction Fuzzy Hash: 34218071405340AFEB22CF65DC44F97BFB8EF45310F08849AE9849B252C234A408CB62
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RegQueryValueExW.KERNELBASE(?,00000E2C,6C002C1F,00000000,00000000,00000000,00000000), ref: 0147A3E8
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: QueryValue
            • String ID:
            • API String ID: 3660427363-0
            • Opcode ID: 7232ce1f372e42486e7212ed7157df240e6764a18e94cbc87467b9194dec23af
            • Instruction ID: bcb1c588ec7ffb25f0c823c91fbda91a9eebe17a8a3a48fab5cab1d40c1b993e
            • Opcode Fuzzy Hash: 7232ce1f372e42486e7212ed7157df240e6764a18e94cbc87467b9194dec23af
            • Instruction Fuzzy Hash: DE214F75500204AFE721CF59CC85FA7BBECEF04714F18856AE945DB652D670E448CA72
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • OpenFileMappingW.KERNELBASE(?,?), ref: 054C03D1
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: FileMappingOpen
            • String ID:
            • API String ID: 1680863896-0
            • Opcode ID: 477f850468a060c01dc1004563a135b7c5e8549655766d6d6d656e0c4550eee0
            • Instruction ID: c0a386ff1c2a9a9b0f0a065874256677922e0ec5c859d1e75ea3be2a4eb6c176
            • Opcode Fuzzy Hash: 477f850468a060c01dc1004563a135b7c5e8549655766d6d6d656e0c4550eee0
            • Instruction Fuzzy Hash: 0421A175504240EFE720DF65DD49BABFFE8EF44310F1884AEED498B251D275A408CA75
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • FindCloseChangeNotification.KERNELBASE(?), ref: 054C11A8
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: ChangeCloseFindNotification
            • String ID:
            • API String ID: 2591292051-0
            • Opcode ID: 943b44b3f7d6ae713bd162b1ceb046da9c2a428738690d690202ffb5a13c63f3
            • Instruction ID: 8eec387258d81ef51eba7d421322b7923497e3088da8c7f425edb8144f6d2a68
            • Opcode Fuzzy Hash: 943b44b3f7d6ae713bd162b1ceb046da9c2a428738690d690202ffb5a13c63f3
            • Instruction Fuzzy Hash: CF21C3765093C05FDB038B25DC95B92BFB4AF47224F0D84DBEC858F663D6649908CB62
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: FileView
            • String ID:
            • API String ID: 3314676101-0
            • Opcode ID: e1e3b7714de702bcb8248324ff84158862ecca580bfd7f6d9c41f22c706ab981
            • Instruction ID: 3435853c9d2b5cf0931910a23249bed8564f1d7f67655c269c4d8afdeff36290
            • Opcode Fuzzy Hash: e1e3b7714de702bcb8248324ff84158862ecca580bfd7f6d9c41f22c706ab981
            • Instruction Fuzzy Hash: C121DE71500200EFEB21CF15DD49FABFFE8EF08324F14849EE9889B252D271A508CB62
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • WSASocketW.WS2_32(?,?,?,?,?), ref: 0147BCCA
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: Socket
            • String ID:
            • API String ID: 38366605-0
            • Opcode ID: cd17c44a8a29e72f51b5800264f4c8da1b57e3f81f5d9e959f1e99be95f7aae3
            • Instruction ID: b59321e437e21accefbe1ef8aa146974f2d90e5bc8ad22f029fb0f1db99ddf6e
            • Opcode Fuzzy Hash: cd17c44a8a29e72f51b5800264f4c8da1b57e3f81f5d9e959f1e99be95f7aae3
            • Instruction Fuzzy Hash: A121F371500240AFEB21CF65DD44BA6FBE8EF04320F18885EED858B652C371A408CB72
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • FindCloseChangeNotification.KERNELBASE(?), ref: 0147A780
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: ChangeCloseFindNotification
            • String ID:
            • API String ID: 2591292051-0
            • Opcode ID: ecf28a5cf2939ec936169c02966d6c034690a259d7325f2898299d5bb45a8b52
            • Instruction ID: ec759f205404e8336602fdd0bcb7ce99a8f21474b4815867e8a5f6a84efab88a
            • Opcode Fuzzy Hash: ecf28a5cf2939ec936169c02966d6c034690a259d7325f2898299d5bb45a8b52
            • Instruction Fuzzy Hash: 4921F3B54053809FD7128B14DC85B96BFB8EF42220F0980EBEC459F263D2349909CB61
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • KiUserExceptionDispatcher.NTDLL ref: 02D40B0F
            Memory Dump Source
            • Source File: 00000000.00000002.499031788.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2d40000_NjRat.jbxd
            Similarity
            • API ID: DispatcherExceptionUser
            • String ID:
            • API String ID: 6842923-0
            • Opcode ID: ff9a5ec755bab128454f7fa605a3c010125205be992bbacc1a6d370a9de8d029
            • Instruction ID: 04f3391feaac45497abb3d30b3565a269f5517c959f59b75b936ae29641cf284
            • Opcode Fuzzy Hash: ff9a5ec755bab128454f7fa605a3c010125205be992bbacc1a6d370a9de8d029
            • Instruction Fuzzy Hash: 02211231A102048FCB54DF78C8855AEBBF2FF89214B58857AD845EB35ADB35DD42CBA0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RegQueryValueExW.KERNELBASE(?,00000E2C,6C002C1F,00000000,00000000,00000000,00000000), ref: 054C013C
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: QueryValue
            • String ID:
            • API String ID: 3660427363-0
            • Opcode ID: 69f39c41b340608fff56a0829a022b844b0ece020d0d0c1ad31367d8401d4de4
            • Instruction ID: 746fb143436bb034ac7aad7137797f94c7f66f2549549a41bd44988e19649893
            • Opcode Fuzzy Hash: 69f39c41b340608fff56a0829a022b844b0ece020d0d0c1ad31367d8401d4de4
            • Instruction Fuzzy Hash: 4D11A275500604EFEB60CF15CC85FABFBE8EF44710F08849BEA499B252D661E548CA72
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RegSetValueExW.KERNELBASE(?,00000E2C,6C002C1F,00000000,00000000,00000000,00000000), ref: 0147A4D4
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: Value
            • String ID:
            • API String ID: 3702945584-0
            • Opcode ID: a66069a26abbfd0af80043a6de302f3d01782dcb16c7fffbdc89fef1be453d5b
            • Instruction ID: b43e0ee907d4f9034e256273570e41e7317c03e16b5b8cbb6da0722e1426d481
            • Opcode Fuzzy Hash: a66069a26abbfd0af80043a6de302f3d01782dcb16c7fffbdc89fef1be453d5b
            • Instruction Fuzzy Hash: 56117F71500600AFEB218E19CC45BABFBA8EF04724F18856BEE459B652D675E4088A72
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetProcessTimes.KERNELBASE(?,00000E2C,6C002C1F,00000000,00000000,00000000,00000000), ref: 054C0931
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: ProcessTimes
            • String ID:
            • API String ID: 1995159646-0
            • Opcode ID: f6dc395275111cb248e991479b5a3b6728836a8102d9d9c885d59391262818ac
            • Instruction ID: 301636cc463da862d4d4eb5ef53a1fb5462daeacfae5726c7733d319f2bdb625
            • Opcode Fuzzy Hash: f6dc395275111cb248e991479b5a3b6728836a8102d9d9c885d59391262818ac
            • Instruction Fuzzy Hash: DB118176500200EFEB218F65DC45FABBBA8EF44324F1884ABE9499B251D674A454CB72
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 054C0F6E
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: LookupPrivilegeValue
            • String ID:
            • API String ID: 3899507212-0
            • Opcode ID: f540468f1ab4999d8f7803f11d10a33c9a54bd6ce08c1021dfe3ac95fa186aa7
            • Instruction ID: fc32875b50d2477c7fda84356afa824dd8d8a97f228064d427cd5f95e9eb077e
            • Opcode Fuzzy Hash: f540468f1ab4999d8f7803f11d10a33c9a54bd6ce08c1021dfe3ac95fa186aa7
            • Instruction Fuzzy Hash: 86119D755083809FD7218B25DC89B97BFE8AB46210F0884EEE949CB252D264E548CB61
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SetProcessWorkingSetSize.KERNEL32(?,00000E2C,6C002C1F,00000000,00000000,00000000,00000000), ref: 054C143B
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: ProcessSizeWorking
            • String ID:
            • API String ID: 3584180929-0
            • Opcode ID: 0be054a63fdcabc157092b2d18ff5911585419a1889040ca0eb74a9d7ce5bf5e
            • Instruction ID: 6392e0e524fa2f2c30feaa4a12c316edb194a041eebe674771e33426b00b96f6
            • Opcode Fuzzy Hash: 0be054a63fdcabc157092b2d18ff5911585419a1889040ca0eb74a9d7ce5bf5e
            • Instruction Fuzzy Hash: DC11B275500200AFEB10CF65DC45BA7BB98EF45324F1884ABED45DB242D674A404CB76
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetProcessWorkingSetSize.KERNEL32(?,00000E2C,6C002C1F,00000000,00000000,00000000,00000000), ref: 054C1357
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: ProcessSizeWorking
            • String ID:
            • API String ID: 3584180929-0
            • Opcode ID: 0be054a63fdcabc157092b2d18ff5911585419a1889040ca0eb74a9d7ce5bf5e
            • Instruction ID: 54bfdc26e3b250f9f920e59b87b6cc58b885a9801bd1cb3bc697dea77410b597
            • Opcode Fuzzy Hash: 0be054a63fdcabc157092b2d18ff5911585419a1889040ca0eb74a9d7ce5bf5e
            • Instruction Fuzzy Hash: DD11C475500200AFEB10CF65DC45FABFB98EF44324F1884ABED45DB652D674A444CBB2
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetComputerNameW.KERNEL32(?,00000E2C,?,?), ref: 054C0082
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: ComputerName
            • String ID:
            • API String ID: 3545744682-0
            • Opcode ID: 9a4f55fe0d4f4205790fb60ff0c5e3447aa71b624acf018a18fd187de7ccadd4
            • Instruction ID: e430bd189d53c35b1f863c38be5f27cb861743b5b79dc82f6b5ce0c65d85b7e5
            • Opcode Fuzzy Hash: 9a4f55fe0d4f4205790fb60ff0c5e3447aa71b624acf018a18fd187de7ccadd4
            • Instruction Fuzzy Hash: 8911C471544740AFD3118B16DC46F73FFB8EB86A20F19819AED488B642D274B915CBA2
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetExitCodeProcess.KERNELBASE(?,00000E2C,6C002C1F,00000000,00000000,00000000,00000000), ref: 054C1278
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: CodeExitProcess
            • String ID:
            • API String ID: 3861947596-0
            • Opcode ID: 3d39a554715934bac525b1f71f2a7a4f2302c9efeb84365550fba3944fef1844
            • Instruction ID: 4b325466534d46b19dc671ac8cd34cf2b7cc14bfed22eb091aac697fbe317b2e
            • Opcode Fuzzy Hash: 3d39a554715934bac525b1f71f2a7a4f2302c9efeb84365550fba3944fef1844
            • Instruction Fuzzy Hash: 5A11A375504200AFEB10CF29DC85FABBB9CEF45324F1884ABED45DB246D674A444CBB2
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0147ABAE
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: ee77d8bd78cf4add10b9bcf09b2277a829804293f824e14c290d0b80dcac4e7b
            • Instruction ID: d3ae5b7345b2cf8b54bc919e72c7535c8669582db84275c9104cade926644ec3
            • Opcode Fuzzy Hash: ee77d8bd78cf4add10b9bcf09b2277a829804293f824e14c290d0b80dcac4e7b
            • Instruction Fuzzy Hash: 9E116071409380AFDB228F65DC44B62FFB4EF4A210F08889AEE858B563C275A558DB61
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ReadFile.KERNELBASE(?,00000E2C,6C002C1F,00000000,00000000,00000000,00000000), ref: 0147BA55
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: FileRead
            • String ID:
            • API String ID: 2738559852-0
            • Opcode ID: 22ae75afbe20a21be8dacaed2bd82345e4b54920e0df9b364146afaf9e91ce28
            • Instruction ID: 355ecbae55039e7628b12d4b58ab36b02af3c2a2a0a16cbb2d4acbc9a3baba83
            • Opcode Fuzzy Hash: 22ae75afbe20a21be8dacaed2bd82345e4b54920e0df9b364146afaf9e91ce28
            • Instruction Fuzzy Hash: C011C471400200AFEB21DF55DC45FA7FBA8EF04314F18886BED499B251C275A408CB72
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SetErrorMode.KERNELBASE(?), ref: 0147A30C
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: ErrorMode
            • String ID:
            • API String ID: 2340568224-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 054C0F6E
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: LookupPrivilegeValue
            • String ID:
            • API String ID: 3899507212-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: Initialize
            • String ID:
            • API String ID: 2538663250-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetFileType.KERNELBASE(?,00000E2C,6C002C1F,00000000,00000000,00000000,00000000), ref: 0147B789
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: FileType
            • String ID:
            • API String ID: 3081899298-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 054C0ECE
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: FormatMessage
            • String ID:
            • API String ID: 1306739567-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0147ABAE
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • FindCloseChangeNotification.KERNELBASE(?), ref: 054C11A8
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: ChangeCloseFindNotification
            • String ID:
            • API String ID: 2591292051-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetComputerNameW.KERNEL32(?,00000E2C,?,?), ref: 054C0082
            Memory Dump Source
            • Source File: 00000000.00000002.499262515.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_54c0000_NjRat.jbxd
            Similarity
            • API ID: ComputerName
            • String ID:
            • API String ID: 3545744682-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 0147BC12
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: QueryValue
            • String ID:
            • API String ID: 3660427363-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • FindCloseChangeNotification.KERNELBASE(?), ref: 0147A780
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: ChangeCloseFindNotification
            • String ID:
            • API String ID: 2591292051-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: Initialize
            • String ID:
            • API String ID: 2538663250-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SetErrorMode.KERNELBASE(?), ref: 0147A30C
            Memory Dump Source
            • Source File: 00000000.00000002.498842477.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_147a000_NjRat.jbxd
            Similarity
            • API ID: ErrorMode
            • String ID:
            • API String ID: 2340568224-0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • KiUserExceptionDispatcher.NTDLL ref: 02D40B0F
            Memory Dump Source
            • Source File: 00000000.00000002.499031788.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2d40000_NjRat.jbxd
            Similarity
            • API ID: DispatcherExceptionUser
            • String ID:
            • API String ID: 6842923-0
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.498928051.00000000014A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14a0000_NjRat.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.498825580.0000000001472000.00000040.00000800.00020000.00000000.sdmp, Offset: 01472000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1472000_NjRat.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.498928051.00000000014A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14a0000_NjRat.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.498928051.00000000014A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14a0000_NjRat.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.498825580.0000000001472000.00000040.00000800.00020000.00000000.sdmp, Offset: 01472000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1472000_NjRat.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.498825580.0000000001472000.00000040.00000800.00020000.00000000.sdmp, Offset: 01472000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1472000_NjRat.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            Uniqueness

            Uniqueness Score: -1.00%