Windows Analysis Report
7tjt3u68PZ.exe

Overview

General Information

Sample name: 7tjt3u68PZ.exe (renamed because original name is a hash value)
Original sample name: 02cefbda3396f784034e71616e52d67e.exe
Analysis ID: 1509097
MD5: 02cefbda3396f784034e71616e52d67e
SHA1: b38666d28beb902565260bf87d4f367911e94eda
SHA256: bb128ec75526887e8ebc2c1e4c0daf7b7ec1d41f039c0fb88e927b90fce6df9e
Tags: exe, njrat, RAT

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Creates autorun.inf (USB autostart)
Disables the Windows task manager (taskmgr)
Disables zone checking for all users
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 7tjt3u68PZ.exe (PID: 7108 cmdline: "C:\Users\user\Desktop\7tjt3u68PZ.exe" MD5: 02CEFBDA3396F784034E71616E52D67E)
    • netsh.exe (PID: 6376 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\7tjt3u68PZ.exe" "7tjt3u68PZ.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 6304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Explower.exe (PID: 3064 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe" MD5: 02CEFBDA3396F784034E71616E52D67E)
  • cleanup
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
{"Campaign ID": "Victim", "Version": "0.7d", "Install Name": "06b22b2a8c6c511de75528741425ba83", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Source | Rule | Description | Author | Strings
7tjt3u68PZ.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
7tjt3u68PZ.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a37:$a2: SEE_MASK_NOZONECHECKS
  • 0x156d9:$a3: Download ERROR
  • 0x15c89:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c16:$a5: netsh firewall delete allowedprogram "
7tjt3u68PZ.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15c89:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x137a2:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x156f7:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156d9:$s6: Download ERROR
  • 0x13764:$s8: Select * From AntiVirusProduct
7tjt3u68PZ.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a37:$reg: SEE_MASK_NOZONECHECKS
  • 0x156bd:$msg: Execute ERROR
  • 0x15711:$msg: Execute ERROR
  • 0x15c89:$ping: cmd.exe /c ping 0 -n 2 & del
7tjt3u68PZ.exe | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x13c16:$s1: netsh firewall delete allowedprogram
  • 0x13c68:$s2: netsh firewall add allowedprogram
  • 0x15c89:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x156bd:$s4: Execute ERROR
  • 0x15711:$s4: Execute ERROR
  • 0x156d9:$s5: Download ERROR

Source | Rule | Description | Author | Strings
C:\Program Files (x86)\Explower.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\Program Files (x86)\Explower.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a37:$a2: SEE_MASK_NOZONECHECKS
  • 0x156d9:$a3: Download ERROR
  • 0x15c89:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c16:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15c89:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x137a2:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x156f7:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156d9:$s6: Download ERROR
  • 0x13764:$s8: Select * From AntiVirusProduct
C:\Program Files (x86)\Explower.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a37:$reg: SEE_MASK_NOZONECHECKS
  • 0x156bd:$msg: Execute ERROR
  • 0x15711:$msg: Execute ERROR
  • 0x15c89:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Program Files (x86)\Explower.exe | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x13c16:$s1: netsh firewall delete allowedprogram
  • 0x13c68:$s2: netsh firewall add allowedprogram
  • 0x15c89:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x156bd:$s4: Execute ERROR
  • 0x15711:$s4: Execute ERROR
  • 0x156d9:$s5: Download ERROR

Source | Rule | Description | Author | Strings
00000000.00000000.1664656287.00000000008B2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000000.00000000.1664656287.00000000008B2000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x113d2:$a1: get_Registry
  • 0x15837:$a2: SEE_MASK_NOZONECHECKS
  • 0x154d9:$a3: Download ERROR
  • 0x15a89:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13a16:$a5: netsh firewall delete allowedprogram "
00000000.00000000.1664656287.00000000008B2000.00000002.00000001.01000000.00000003.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15837:$reg: SEE_MASK_NOZONECHECKS
  • 0x154bd:$msg: Execute ERROR
  • 0x15511:$msg: Execute ERROR
  • 0x15a89:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
Process Memory Space: 7tjt3u68PZ.exe PID: 7108 | JoeSecurity_Njrat | Yara detected Njrat | Joe Security

Source | Rule | Description | Author | Strings
0.0.7tjt3u68PZ.exe.8b0000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0.0.7tjt3u68PZ.exe.8b0000.0.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a37:$a2: SEE_MASK_NOZONECHECKS
  • 0x156d9:$a3: Download ERROR
  • 0x15c89:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c16:$a5: netsh firewall delete allowedprogram "
0.0.7tjt3u68PZ.exe.8b0000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15c89:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x137a2:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x156f7:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156d9:$s6: Download ERROR
  • 0x13764:$s8: Select * From AntiVirusProduct
0.0.7tjt3u68PZ.exe.8b0000.0.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a37:$reg: SEE_MASK_NOZONECHECKS
  • 0x156bd:$msg: Execute ERROR
  • 0x15711:$msg: Execute ERROR
  • 0x15c89:$ping: cmd.exe /c ping 0 -n 2 & del
0.0.7tjt3u68PZ.exe.8b0000.0.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x13c16:$s1: netsh firewall delete allowedprogram
  • 0x13c68:$s2: netsh firewall add allowedprogram
  • 0x15c89:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x156bd:$s4: Execute ERROR
  • 0x15711:$s4: Execute ERROR
  • 0x156d9:$s5: Download ERROR

System Summary

Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\7tjt3u68PZ.exe, ProcessId: 7108, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-11T02:02:02.603963+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 3.125.209.94 | 11348 | TCP
2024-09-11T02:03:06.370956+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50776 | 3.125.209.94 | 11348 | TCP
2024-09-11T02:04:18.274738+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50777 | 18.192.31.165 | 11348 | TCP
2024-09-11T02:05:23.300184+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50778 | 18.158.249.75 | 11348 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-11T02:02:02.603963+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 3.125.209.94 | 11348 | TCP
2024-09-11T02:03:06.370956+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50776 | 3.125.209.94 | 11348 | TCP
2024-09-11T02:04:18.274738+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50777 | 18.192.31.165 | 11348 | TCP
2024-09-11T02:05:23.300184+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50778 | 18.158.249.75 | 11348 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-11T02:02:08.278941+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 3.125.209.94 | 11348 | TCP
2024-09-11T02:03:11.011982+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50776 | 3.125.209.94 | 11348 | TCP
2024-09-11T02:04:25.276660+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50777 | 18.192.31.165 | 11348 | TCP
2024-09-11T02:05:26.867195+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50778 | 18.158.249.75 | 11348 | TCP

AV Detection

Source: 7tjt3u68PZ.exe | Avira: detected
Source: C:\system.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Umbrella.flv.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Notepad.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: 0.0.7tjt3u68PZ.exe.8b0000.0.unpack | Malware Configuration Extractor: Njrat {"Campaign ID": "Victim", "Version": "0.7d", "Install Name": "06b22b2a8c6c511de75528741425ba83", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Source: 0.tcp.eu.ngrok.io | Virustotal: Detection: 12%
Source: C:\Notepad.exe | ReversingLabs: Detection: 84%
Source: C:\Notepad.exe | Virustotal: Detection: 71%
Source: C:\Program Files (x86)\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\Explower.exe | Virustotal: Detection: 71%
Source: C:\Umbrella.flv.exe | ReversingLabs: Detection: 84%
Source: C:\Umbrella.flv.exe | Virustotal: Detection: 71%
Source: C:\Users\user\AppData\Local\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Explower.exe | Virustotal: Detection: 71%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe | Virustotal: Detection: 71%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe | Virustotal: Detection: 71%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe | Virustotal: Detection: 71%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Virustotal: Detection: 71%
Source: C:\Users\user\Desktop\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\Explower.exe | Virustotal: Detection: 71%
Source: C:\Users\user\Documents\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Documents\Explower.exe | Virustotal: Detection: 71%
Source: C:\Users\user\Favorites\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Favorites\Explower.exe | Virustotal: Detection: 71%
Source: C:\Windows\SysWOW64\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Windows\SysWOW64\Explower.exe | Virustotal: Detection: 71%
Source: C:\system.exe | ReversingLabs: Detection: 84%
Source: C:\system.exe | Virustotal: Detection: 71%
Source: 7tjt3u68PZ.exe | ReversingLabs: Detection: 84%
Source: 7tjt3u68PZ.exe | Virustotal: Detection: 71%
Source: Yara match | File source: 7tjt3u68PZ.exe, type: SAMPLE
Source: Yara match | File source: 0.0.7tjt3u68PZ.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1664656287.00000000008B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7tjt3u68PZ.exe PID: 7108, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match | File source: C:\Notepad.exe, type: DROPPED
Source: Yara match | File source: C:\system.exe, type: DROPPED
Source: Yara match | File source: C:\Umbrella.flv.exe, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\system.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe | Joe Sandbox ML: detected
Source: C:\Umbrella.flv.exe | Joe Sandbox ML: detected
Source: C:\Notepad.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe | Joe Sandbox ML: detected
Source: 7tjt3u68PZ.exe | Joe Sandbox ML: detected
Source: 7tjt3u68PZ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: 7tjt3u68PZ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Source: 7tjt3u68PZ.exe, Usb1.cs | .Net Code: infect
Source: Explower.exe.0.dr, Usb1.cs | .Net Code: infect
Source: Explower.exe0.0.dr, Usb1.cs | .Net Code: infect
Source: system.exe.0.dr, Usb1.cs | .Net Code: infect
Source: Notepad.exe.0.dr, Usb1.cs | .Net Code: infect
Source: Explower.exe1.0.dr, Usb1.cs | .Net Code: infect
Source: Explower.exe2.0.dr, Usb1.cs | .Net Code: infect
Source: Explower.exe3.0.dr, Usb1.cs | .Net Code: infect
Source: Explower.exe4.0.dr, Usb1.cs | .Net Code: infect
Source: Explower.exe5.0.dr, Usb1.cs | .Net Code: infect
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | File created: C:\autorun.inf
Source: 7tjt3u68PZ.exe, 00000000.00000000.1664656287.00000000008B2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: \autorun.inf
Source: 7tjt3u68PZ.exe, 00000000.00000000.1664656287.00000000008B2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: [autorun]
Source: 7tjt3u68PZ.exe, 00000000.00000000.1664656287.00000000008B2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: autorun.inf
Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \autorun.inf
Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf$O]k
Source: 7tjt3u68PZ.exe | Binary or memory string: \autorun.inf
Source: 7tjt3u68PZ.exe | Binary or memory string: [autorun]
Source: 7tjt3u68PZ.exe | Binary or memory string: autorun.inf
Source: system.exe.0.dr | Binary or memory string: \autorun.inf
Source: system.exe.0.dr | Binary or memory string: [autorun]
Source: system.exe.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe2.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe2.0.dr | Binary or memory string: [autorun]
Source: Explower.exe2.0.dr | Binary or memory string: autorun.inf
Source: Umbrella.flv.exe.0.dr | Binary or memory string: \autorun.inf
Source: Umbrella.flv.exe.0.dr | Binary or memory string: [autorun]
Source: Umbrella.flv.exe.0.dr | Binary or memory string: autorun.inf
Source: Notepad.exe.0.dr | Binary or memory string: \autorun.inf
Source: Notepad.exe.0.dr | Binary or memory string: [autorun]
Source: Notepad.exe.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe8.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe8.0.dr | Binary or memory string: [autorun]
Source: Explower.exe8.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe.0.dr | Binary or memory string: [autorun]
Source: Explower.exe.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe1.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe1.0.dr | Binary or memory string: [autorun]
Source: Explower.exe1.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe4.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe4.0.dr | Binary or memory string: [autorun]
Source: Explower.exe4.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe3.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe3.0.dr | Binary or memory string: [autorun]
Source: Explower.exe3.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe7.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe7.0.dr | Binary or memory string: [autorun]
Source: Explower.exe7.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe6.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe6.0.dr | Binary or memory string: [autorun]
Source: Explower.exe6.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe0.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe0.0.dr | Binary or memory string: [autorun]
Source: Explower.exe0.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe5.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe5.0.dr | Binary or memory string: [autorun]
Source: Explower.exe5.0.dr | Binary or memory string: autorun.inf
Source: autorun.inf.0.dr | Binary or memory string: [autorun]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Networking

Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49730 -> 3.125.209.94:11348
Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50776 -> 3.125.209.94:11348
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49730 -> 3.125.209.94:11348
Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50777 -> 18.192.31.165:11348
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50776 -> 3.125.209.94:11348
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50777 -> 18.192.31.165:11348
Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:50776 -> 3.125.209.94:11348
Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:50777 -> 18.192.31.165:11348
Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49730 -> 3.125.209.94:11348
Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50778 -> 18.158.249.75:11348
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50778 -> 18.158.249.75:11348
Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:50778 -> 18.158.249.75:11348
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 3.125.209.94:11348
Source: global traffic | TCP traffic: 192.168.2.4:50777 -> 18.192.31.165:11348
Source: global traffic | TCP traffic: 192.168.2.4:50778 -> 18.158.249.75:11348
Source: Joe Sandbox View | IP Address: 3.125.209.94
Source: Joe Sandbox View | IP Address: 18.192.31.165
Source: Joe Sandbox View | IP Address: 18.158.249.75
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 0.tcp.eu.ngrok.io
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: Yara match | File source: 7tjt3u68PZ.exe, type: SAMPLE
Source: Yara match | File source: 0.0.7tjt3u68PZ.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1664656287.00000000008B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7tjt3u68PZ.exe PID: 7108, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match | File source: C:\Notepad.exe, type: DROPPED
Source: Yara match | File source: C:\system.exe, type: DROPPED
Source: Yara match | File source: C:\Umbrella.flv.exe, type: DROPPED

              System Summary

              barindex
Source: 7tjt3u68PZ.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
Source: 7tjt3u68PZ.exe, type: SAMPLE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: 7tjt3u68PZ.exe, type: SAMPLE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
Source: 7tjt3u68PZ.exe, type: SAMPLE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
Source: 0.0.7tjt3u68PZ.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
Source: 0.0.7tjt3u68PZ.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: 0.0.7tjt3u68PZ.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
Source: 0.0.7tjt3u68PZ.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
Source: 00000000.00000000.1664656287.00000000008B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
Source: 00000000.00000000.1664656287.00000000008B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen (listed 11 times)
Source: C:\Notepad.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
Source: C:\Notepad.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: C:\Notepad.exe, type: DROPPED | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Notepad.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen (listed 6 times)
Source: C:\system.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
Source: C:\system.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth (listed 2 times)
Source: C:\system.exe, type: DROPPED | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group (listed 2 times)
Source: C:\system.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen (listed 2 times)
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen (listed 26 times)
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_011CBEFE NtQuerySystemInformation
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_011CBECD NtQuerySystemInformation
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | File created: C:\Windows\SysWOW64\Explower.exe
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | File created: C:\Windows\SysWOW64\Explower.exe:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_05087418
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_05084290
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_05084707
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_05084628
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_0508492E
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_05084F27
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_0508453C
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_05085451
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_05084B53
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_05085055
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_05085367
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_0508427F
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_05084C87
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_05084995
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_05084F95
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_050847CC
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_050850DB
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_050844E9
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_05084FF8
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_050873FE
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_050849F1
Source: 7tjt3u68PZ.exe, 00000000.00000002.4122220390.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs 7tjt3u68PZ.exe
Source: 7tjt3u68PZ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7tjt3u68PZ.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 7tjt3u68PZ.exe, type: SAMPLE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7tjt3u68PZ.exe, type: SAMPLE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7tjt3u68PZ.exe, type: SAMPLE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.7tjt3u68PZ.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.7tjt3u68PZ.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.7tjt3u68PZ.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.7tjt3u68PZ.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.1664656287.00000000008B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1664656287.00000000008B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi (listed 11 times)
Source: C:\Notepad.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Notepad.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Notepad.exe, type: DROPPED | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Notepad.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi (listed 6 times)
Source: C:\system.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\system.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/ (listed 2 times)
Source: C:\system.exe, type: DROPPED | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan (listed 2 times)
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi (listed 2 times)
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi (listed 26 times)
Source: classification engine | Classification label: mal100.spre.phis.troj.adwa.evad.winEXE@5/30@4/3
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_011CBD82 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Code function: 0_2_011CBD4B AdjustTokenPrivileges
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | File created: C:\Program Files (x86)\Explower.exe
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | File created: C:\Users\user\AppData\Roaming\app
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6304:120:WilError_03
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Mutant created: \Sessions\1\BaseNamedObjects\06b22b2a8c6c511de75528741425ba83
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt
Source: 7tjt3u68PZ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 7tjt3u68PZ.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7tjt3u68PZ.exe | ReversingLabs: Detection: 84%
Source: 7tjt3u68PZ.exe | Virustotal: Detection: 71%
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | File read: C:\Users\user\Desktop\7tjt3u68PZ.exe
Source: unknown | Process created: C:\Users\user\Desktop\7tjt3u68PZ.exe "C:\Users\user\Desktop\7tjt3u68PZ.exe"
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\7tjt3u68PZ.exe" "7tjt3u68PZ.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe"
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\7tjt3u68PZ.exe" "7tjt3u68PZ.exe" ENABLE
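The process rows above show the sample whitelisting itself in the Windows Firewall through the legacy "netsh firewall" context (the parent of netsh.exe is the very program being allowed), and the file rows earlier in this section show PE copies dropped into the Startup folder, the root of Program Files, SysWOW64 and the drive root. The Python below is an added detection example, not part of the Joe Sandbox report and not the sample's own code: it runs two rules over constructed process-creation and file-creation events shaped like those rows. The event records, their field names, the rule names and the benign control events are assumptions made for the example; the remediation strings are the delete counterparts of the observed "netsh firewall add allowedprogram" form and of the current "netsh advfirewall" form.

```python
"""Added detection example (not from the Joe Sandbox report): flag a process
that whitelists a user-land binary in the Windows Firewall via netsh, and PE
files dropped into auto-start or root locations. Events are constructed to
mirror rows in the report; field names follow Sysmon EID 1 / EID 11 loosely."""
import re

# Locations a standard user can write to. A firewall exception for a binary
# here, or a PE drop performed *by* a process running from here, is reportable.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)

# Legacy context, exactly as observed: netsh firewall add allowedprogram "<path>" "<name>" ENABLE
LEGACY_ALLOW = re.compile(
    r'^netsh\s+firewall\s+add\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
# Current context: netsh advfirewall firewall add rule ... program="<path>"
ADVFW_ALLOW = re.compile(
    r'^netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)
# Delete counterparts used as the remediation hint in a finding.
REMEDIATION = {
    "legacy": 'netsh firewall delete allowedprogram "{p}"',
    "advfirewall": 'netsh advfirewall firewall delete rule name=all program="{p}"',
}

# Constructed events (assumed shape). The first and the last are benign controls.
EVENTS = [
    {"kind": "process", "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent": r"C:\Users\user\Desktop\7tjt3u68PZ.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\user\Desktop\7tjt3u68PZ.exe" "7tjt3u68PZ.exe" ENABLE'},
    {"kind": "process", "image": r"C:\Windows\System32\netsh.exe",  # installer allowing a Program Files binary
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Teams" dir=in action=allow program="C:\Program Files\Microsoft\Teams\current\Teams.exe"'},
    {"kind": "file", "image": r"C:\Users\user\Desktop\7tjt3u68PZ.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe"},
    {"kind": "file", "image": r"C:\Users\user\Desktop\7tjt3u68PZ.exe",
     "target": r"C:\Program Files (x86)\Explower.exe"},
    {"kind": "file", "image": r"C:\Users\user\Desktop\7tjt3u68PZ.exe",
     "target": r"C:\Windows\SysWOW64\Explower.exe"},
    {"kind": "file", "image": r"C:\Users\user\Desktop\7tjt3u68PZ.exe",
     "target": r"C:\Notepad.exe"},
    {"kind": "file", "image": r"C:\Program Files\Git\bin\git.exe",  # build output under Documents
     "target": r"C:\Users\user\Documents\repo\build\tool.exe"},
]


def firewall_exception_target(cmdline):
    """Return (context, program path) for a netsh command that whitelists a
    program, or None when the command line is not such a command."""
    for ctx, pat in (("legacy", LEGACY_ALLOW), ("advfirewall", ADVFW_ALLOW)):
        m = pat.search(cmdline)
        if m:
            return ctx, (m.group(1) or m.group(2))
    return None


def suspicious_drop_location(path):
    """Name the auto-start or root location a dropped .exe landed in, else None."""
    if not path.lower().endswith(".exe"):
        return None
    if re.search(r"\\Start Menu\\Programs\\Startup\\", path, re.I):
        return "startup folder"
    if re.match(r"^[A-Z]:\\[^\\]+$", path, re.I):
        return "drive root"
    if re.match(r"^[A-Z]:\\Program Files( \(x86\))?\\[^\\]+$", path, re.I):
        return "Program Files root"
    if re.search(r"\\Windows\\(System32|SysWOW64)\\[^\\]+$", path, re.I):
        return "system directory"
    return None


def analyse(events):
    """Return findings in event order; each carries a rule name and its evidence."""
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            hit = firewall_exception_target(ev["cmdline"])
            if hit is None:
                continue
            ctx, program = hit
            # Self-whitelisting (parent == allowed program) is the njRAT pattern;
            # any exception for a user-writable path is reported as well.
            self_allow = program.lower() == ev["parent"].lower()
            if self_allow or USER_WRITABLE.search(program):
                findings.append({"rule": "firewall_exception_for_userland_binary",
                                 "program": program, "self_allow": self_allow,
                                 "remediation": REMEDIATION[ctx].format(p=program)})
        elif ev["kind"] == "file":
            where = suspicious_drop_location(ev["target"])
            if where and USER_WRITABLE.search(ev["image"]):
                findings.append({"rule": "pe_dropped_to_" + where.replace(" ", "_"),
                                 "writer": ev["image"], "path": ev["target"]})
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

The two benign controls are there to show what the rules do not fire on: an installer running from System32 that allows a binary under Program Files, and a non-user-profile process writing an .exe into Documents. Both the self-whitelisting check and the user-writable-path check are needed; njRAT passes both, but a dropper that whitelists a second-stage binary in AppData only passes the second.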
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: shfolder.dllJump to behavior
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32Jump to behavior
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
              Source: 7tjt3u68PZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dllJump to behavior
              Source: 7tjt3u68PZ.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: 7tjt3u68PZ.exe, Fransesco.cs, .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
              Source: Explower.exe.0.dr, Fransesco.cs, .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
              Source: Explower.exe0.0.dr, Fransesco.cs, .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
              Source: system.exe.0.dr, Fransesco.cs, .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
              Source: Notepad.exe.0.dr, Fransesco.cs, .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
              Source: Explower.exe1.0.dr, Fransesco.cs, .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
              Source: Explower.exe2.0.dr, Fransesco.cs, .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
              Source: Explower.exe3.0.dr, Fransesco.cs, .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
              Source: Explower.exe4.0.dr, Fransesco.cs, .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
              Source: Explower.exe5.0.dr, Fransesco.cs, .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Code function: 0_2_05083141 push ebx; ret 0_2_05083154

              Persistence and Installation Behavior

              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, File created: C:\Users\user\Documents\Explower.exe
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, File created: C:\system.exe
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, File created: C:\Notepad.exe
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, File created: C:\Windows\SysWOW64\Explower.exe
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, File created: C:\Users\user\Desktop\Explower.exe
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, File created: C:\Users\user\AppData\Local\Explower.exe
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, File created: C:\Program Files (x86)\Explower.exe
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, File created: C:\Umbrella.flv.exe
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, File created: C:\Users\user\Favorites\Explower.exe

              Boot Survival

              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe\:Zone.Identifier:$DATA
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\netsh.exe, Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe, Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 1270000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 2F10000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 1270000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 5F10000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 6F10000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 7140000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 8140000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 8490000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: AD50000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: BD50000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: C1E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: D1E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: E1E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: F1E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 101E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 111E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: F2E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 121E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 102E0000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 131E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 141E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 151E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 161E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 171E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 181E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 191E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 1A1E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 1B1E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 1C1E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 1D1E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 1E1E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 1F1E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 201E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: C350000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 10BF0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 11BF0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 12BF0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 13BF0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 14BF0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 15BF0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 16BF0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 211E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 221E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 231E0000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 243F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 253F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 263F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 273F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 283F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 293F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 2A3F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 2B3F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 2C3F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 2D3F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 2E3F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 2F3F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 303F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 313F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 323F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 333F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: D350000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: D450000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 102E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 112E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 122E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 132E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 142E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 152E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 162E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 172E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 182E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 192E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 1A2E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 1B2E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 1C2E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 1D2E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 1E2E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 1F2E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 202E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 212E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: FA60000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 10A60000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 11A60000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 12A60000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 13A60000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 14A60000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 15A60000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 16A60000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 17A60000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 18A60000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 19A60000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 10AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 11AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 12AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 13AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 14AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 18AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 19AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 17AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 12BE0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe, Memory allocated: 15AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exeMemory allocated: 16AA0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exeMemory allocated: 13BE0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeMemory allocated: 9B0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeMemory allocated: 26D0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeMemory allocated: 9B0000 memory commit | memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exeWindow / User API: threadDelayed 1761Jump to behavior
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exeWindow / User API: threadDelayed 2863Jump to behavior
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exeWindow / User API: foregroundWindowGot 431Jump to behavior
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exeWindow / User API: foregroundWindowGot 416Jump to behavior
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe TID: 796Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe TID: 796Thread sleep count: 227 > 30Jump to behavior
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe TID: 2992Thread sleep count: 1761 > 30Jump to behavior
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe TID: 2992Thread sleep time: -880500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe TID: 6096Thread sleep count: 173 > 30Jump to behavior
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe TID: 2992Thread sleep count: 2863 > 30Jump to behavior
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe TID: 2992Thread sleep time: -1431500s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe TID: 5796Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeFile opened: C:\Users\user\AppData\Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeFile opened: C:\Users\user\Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
              Source: netsh.exe, 00000001.00000002.1688238328.000000000113A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4122220390.0000000000EBE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWngElementExten4
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4122220390.0000000000EBE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exeMemory allocated: page read and write | page guardJump to behavior
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:02:31 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 21:59:13 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:02:44 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/11 | 03:22:09 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:02:43 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:02:23 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:14:40 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:01:57 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/11 | 06:06:21 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/11 | 00:52:47 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:02:25 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:02:35 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/11 | 04:59:23 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:37:10 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:03:41 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:03:47 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/11 | 01:16:46 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:02:05 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:03:36 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:03:00 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 23:36:34 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:02:34 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:01:59 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:04:18 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:03:10 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:03:16 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:07:07 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:02:41 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, Explower.exe, 00000003.00000002.1820164575.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, Explower.exe, 00000003.00000002.1823617634.0000000004ACB000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: 7tjt3u68PZ.exe, system.exe.0.dr, Explower.exe2.0.dr, Umbrella.flv.exe.0.dr, Notepad.exe.0.dr, Explower.exe8.0.dr, Explower.exe.0.dr, Explower.exe1.0.dr, Explower.exe4.0.dr, Explower.exe3.0.dr, Explower.exe7.0.dr, Explower.exe6.0.dr, Explower.exe0.0.drBinary or memory string: ProgMan
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:03:32 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/11 | 03:49:43 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/11 | 05:05:09 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:02:40 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 21:53:57 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:05:08 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:32:37 - Program Manager
              Source: 7tjt3u68PZ.exe, system.exe.0.dr, Explower.exe2.0.dr, Umbrella.flv.exe.0.dr, Notepad.exe.0.dr, Explower.exe8.0.dr, Explower.exe.0.dr, Explower.exe1.0.dr, Explower.exe4.0.dr, Explower.exe3.0.dr, Explower.exe7.0.dr, Explower.exe6.0.dr, Explower.exe0.0.drBinary or memory string: Shell_traywnd+MostrarBarraDeTarefas
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:02:48 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/11 | 09:09:59 - Program Manager
              Source: Explower.exe, 00000003.00000002.1823617634.0000000004ACB000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: dProgram Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:03:24 - Program Manager
              Source: 7tjt3u68PZ.exe, system.exe.0.dr, Explower.exe2.0.dr, Umbrella.flv.exe.0.dr, Notepad.exe.0.dr, Explower.exe8.0.dr, Explower.exe.0.dr, Explower.exe1.0.dr, Explower.exe4.0.dr, Explower.exe3.0.dr, Explower.exe7.0.dr, Explower.exe6.0.dr, Explower.exe0.0.drBinary or memory string: Shell_TrayWnd
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:04:56 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:02:42 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:02:08 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:03:13 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:02:07 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:02:37 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:02:17 - Program Manager
              Source: Explower.exe, 00000003.00000002.1820164575.00000000026D1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ledProgram Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:02:11 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:02:21 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:03:29 - Program Manager
              Source: 7tjt3u68PZ.exe, 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/10 | 20:03:09 - Program Manager
              Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: 7tjt3u68PZ.exe, Fransesco.cs | .Net Code: INS
              Source: Explower.exe.0.dr, Fransesco.cs | .Net Code: INS
              Source: Explower.exe0.0.dr, Fransesco.cs | .Net Code: INS
              Source: system.exe.0.dr, Fransesco.cs | .Net Code: INS
              Source: Notepad.exe.0.dr, Fransesco.cs | .Net Code: INS
              Source: Explower.exe1.0.dr, Fransesco.cs | .Net Code: INS
              Source: Explower.exe2.0.dr, Fransesco.cs | .Net Code: INS
              Source: Explower.exe3.0.dr, Fransesco.cs | .Net Code: INS
              Source: Explower.exe4.0.dr, Fransesco.cs | .Net Code: INS
              Source: Explower.exe5.0.dr, Fransesco.cs | .Net Code: INS
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\7tjt3u68PZ.exe" "7tjt3u68PZ.exe" ENABLE
              Source: C:\Users\user\Desktop\7tjt3u68PZ.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\7tjt3u68PZ.exe" "7tjt3u68PZ.exe" ENABLE

              Stealing of Sensitive Information

              Source: Yara match | File source: 7tjt3u68PZ.exe, type: SAMPLE
              Source: Yara match | File source: 0.0.7tjt3u68PZ.exe.8b0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000000.1664656287.00000000008B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: 7tjt3u68PZ.exe PID: 7108, type: MEMORYSTR
              Source: Yara match | File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
              Source: Yara match | File source: C:\Notepad.exe, type: DROPPED
              Source: Yara match | File source: C:\system.exe, type: DROPPED
              Source: Yara match | File source: C:\Umbrella.flv.exe, type: DROPPED

              Remote Access Functionality

              Source: Yara match | File source: 7tjt3u68PZ.exe, type: SAMPLE
              Source: Yara match | File source: 0.0.7tjt3u68PZ.exe.8b0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000000.1664656287.00000000008B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: 7tjt3u68PZ.exe PID: 7108, type: MEMORYSTR
              Source: Yara match | File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
              Source: Yara match | File source: C:\Notepad.exe, type: DROPPED
              Source: Yara match | File source: C:\system.exe, type: DROPPED
              Source: Yara match | File source: C:\Umbrella.flv.exe, type: DROPPED
              MITRE ATT&CK Matrix (a number in parentheses is the count of matched signatures for that technique)

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | (21) Replication Through Removable Media | Windows Management Instrumentation | (12) Registry Run Keys / Startup Folder | (1) Access Token Manipulation | (32) Masquerading | OS Credential Dumping | (11) Security Software Discovery | Remote Services | (1) Archive Collected Data | (1) Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | Scheduled Task/Job | (1) DLL Side-Loading | (2) Process Injection | (51) Disable or Modify Tools | LSASS Memory | (2) Process Discovery | Remote Desktop Protocol | (1) Clipboard Data | (1) Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | (12) Registry Run Keys / Startup Folder | (31) Virtualization/Sandbox Evasion | Security Account Manager | (31) Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | (1) Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | (1) DLL Side-Loading | (1) Access Token Manipulation | NTDS | (1) Application Window Discovery | Distributed Component Object Model | Input Capture | (1) Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | (2) Process Injection | LSA Secrets | (1) Peripheral Device Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | (1) Obfuscated Files or Information | Cached Domain Credentials | (1) File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | (1) Software Packing | DCSync | (12) System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | (1) DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Source | Detection | Scanner | Label
              7tjt3u68PZ.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
              7tjt3u68PZ.exe | 71% | Virustotal
              7tjt3u68PZ.exe | 100% | Avira | TR/Dropper.Gen
              7tjt3u68PZ.exe | 100% | Joe Sandbox ML
              Source | Detection | Scanner | Label
              C:\system.exe | 100% | Avira | TR/Dropper.Gen
              C:\Program Files (x86)\Explower.exe | 100% | Avira | TR/Dropper.Gen
              C:\Umbrella.flv.exe | 100% | Avira | TR/Dropper.Gen
              C:\Notepad.exe | 100% | Avira | TR/Dropper.Gen
              C:\Program Files (x86)\Explower.exe | 100% | Avira | TR/Dropper.Gen
              C:\Program Files (x86)\Explower.exe | 100% | Avira | TR/Dropper.Gen
              C:\Program Files (x86)\Explower.exe | 100% | Avira | TR/Dropper.Gen
              C:\Program Files (x86)\Explower.exe | 100% | Avira | TR/Dropper.Gen
              C:\Program Files (x86)\Explower.exe | 100% | Avira | TR/Dropper.Gen
              C:\Program Files (x86)\Explower.exe | 100% | Avira | TR/Dropper.Gen
              C:\Program Files (x86)\Explower.exe | 100% | Avira | TR/Dropper.Gen
              C:\Program Files (x86)\Explower.exe | 100% | Avira | TR/Dropper.Gen
              C:\Program Files (x86)\Explower.exe | 100% | Avira | TR/Dropper.Gen
              C:\system.exe | 100% | Joe Sandbox ML
              C:\Program Files (x86)\Explower.exe | 100% | Joe Sandbox ML
              C:\Umbrella.flv.exe | 100% | Joe Sandbox ML
              C:\Notepad.exe | 100% | Joe Sandbox ML
              C:\Program Files (x86)\Explower.exe | 100% | Joe Sandbox ML
              C:\Program Files (x86)\Explower.exe | 100% | Joe Sandbox ML
              C:\Program Files (x86)\Explower.exe | 100% | Joe Sandbox ML
              C:\Program Files (x86)\Explower.exe | 100% | Joe Sandbox ML
              C:\Program Files (x86)\Explower.exe | 100% | Joe Sandbox ML
              C:\Program Files (x86)\Explower.exe | 100% | Joe Sandbox ML
              C:\Program Files (x86)\Explower.exe | 100% | Joe Sandbox ML
              C:\Program Files (x86)\Explower.exe | 100% | Joe Sandbox ML
              C:\Program Files (x86)\Explower.exe | 100% | Joe Sandbox ML
              C:\Notepad.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
              C:\Notepad.exe | 71% | Virustotal
              C:\Program Files (x86)\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
              C:\Program Files (x86)\Explower.exe | 71% | Virustotal
              C:\Umbrella.flv.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
              C:\Umbrella.flv.exe | 71% | Virustotal
              C:\Users\user\AppData\Local\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
              C:\Users\user\AppData\Local\Explower.exe | 71% | Virustotal
              C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
              C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe | 71% | Virustotal
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe | 71% | Virustotal
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe | 71% | Virustotal
              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | 71% | Virustotal
              C:\Users\user\Desktop\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
              C:\Users\user\Desktop\Explower.exe | 71% | Virustotal
              C:\Users\user\Documents\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
              C:\Users\user\Documents\Explower.exe | 71% | Virustotal
              C:\Users\user\Favorites\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
              C:\Users\user\Favorites\Explower.exe | 71% | Virustotal
              C:\Windows\SysWOW64\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
              C:\Windows\SysWOW64\Explower.exe | 71% | Virustotal
              C:\system.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
              C:\system.exe | 71% | Virustotal
              No Antivirus matches
              Source | Detection | Scanner | Label
              0.tcp.eu.ngrok.io | 12% | Virustotal
              No Antivirus matches
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              0.tcp.eu.ngrok.io | 3.125.209.94 | true | true | unknown
              • No. of IPs < 25%
              • 25% < No. of IPs < 50%
              • 50% < No. of IPs < 75%
              • 75% < No. of IPs
              IP | Domain | Country | ASN | ASN Name | Malicious
              3.125.209.94 | 0.tcp.eu.ngrok.io | United States | 16509 | AMAZON-02US | true
              18.192.31.165 | unknown | United States | 16509 | AMAZON-02US | true
              18.158.249.75 | unknown | United States | 16509 | AMAZON-02US | true
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1509097
              Start date and time:2024-09-11 02:01:05 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 8m 26s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:8
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:7tjt3u68PZ.exe
              renamed because original name is a hash value
              Original Sample Name:02cefbda3396f784034e71616e52d67e.exe
              Detection:MAL
              Classification:mal100.spre.phis.troj.adwa.evad.winEXE@5/30@4/3
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 97%
              • Number of executed functions: 194
              • Number of non-executed functions: 3
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240s for sample files taking high CPU consumption
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:02:01 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
20:02:32 | API Interceptor | 158177x Sleep call for process: 7tjt3u68PZ.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3.125.209.94 | xaa.doc.docx | Get hash | malicious | CVE-2021-40444 | Browse
• 259f-88-231-63-13.eu.ngrok.io/exploit.html
18.192.31.165 | muyq8X8qXp.exe | Get hash | malicious | Unknown | Browse
• 3eae-79-191-34-149.eu.ngrok.io/sysvndump/send
18.158.249.75 | http://18.158.249.75 | Get hash | malicious | Unknown | Browse
• 18.158.249.75/
18.158.249.75 | xaa.doc.docx | Get hash | malicious | CVE-2021-40444 | Browse
• 259f-88-231-63-13.eu.ngrok.io/exploit.html
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
0.tcp.eu.ngrok.io | kOBRIUczY0.exe | Get hash | malicious | Njrat | Browse
• 3.125.102.39
0.tcp.eu.ngrok.io | QbkuoGa4nm.exe | Get hash | malicious | Njrat | Browse
• 3.125.223.134
0.tcp.eu.ngrok.io | SecuriteInfo.com.Trojan.Siggen29.14708.13579.16480.exe | Get hash | malicious | StormKitty, XWorm | Browse
• 18.192.31.165
0.tcp.eu.ngrok.io | Windows21.exe | Get hash | malicious | ZTrat | Browse
• 3.125.209.94
0.tcp.eu.ngrok.io | 1Md4DEEyQN.exe | Get hash | malicious | Njrat | Browse
• 3.125.223.134
0.tcp.eu.ngrok.io | TiXxNKsN4C.exe | Get hash | malicious | Njrat | Browse
• 18.158.249.75
0.tcp.eu.ngrok.io | tWBQ8JmsVy.exe | Get hash | malicious | Njrat | Browse
• 3.125.209.94
0.tcp.eu.ngrok.io | Sd5Q0qD0YF.exe | Get hash | malicious | Njrat | Browse
• 3.125.223.134
0.tcp.eu.ngrok.io | 91023930344124.EXE.exe | Get hash | malicious | Unknown | Browse
• 3.125.209.94
0.tcp.eu.ngrok.io | Rules.PDF.exe | Get hash | malicious | Unknown | Browse
• 3.125.102.39
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AMAZON-02US | http://email.friendbuy-mail.com/ls/click?upn=u001.Co2kxTMQjRboSzmQnJiNfJfDFp41sCnK1-2F4GqfdgFHosGPrCRb0CThqJNa6cWHBvgrjifDH46pR-2BbuZdJue5kg-3D-3D7XOT_Yp4ydSxZWNatis3HtI6bBrJjg57JYwT6kbyY2f89Z-2FB52Try4MOHq686O5s6LlNJnyvDqjZhIM8lr-2B5-2FhjdU-2B0FZsEpNGatFvLJAJgBa8cfPD2IaqNaoFq4pPcLdLLAsUhJfD1RQ1spHQPv41nDNuUpAchGQGhh5dYNwlLvMcMm03nfeuUrCix5Vj9aXX-2BLK0Uu7yzw9XOsBx-2BleTiIISw-3D-3D | Get hash | malicious | Unknown | Browse
• 13.227.219.125
AMAZON-02US | https://bnbactwyap.cloud/ | Get hash | malicious | Unknown | Browse
• 54.199.68.233
AMAZON-02US | https://spot-speckle-gardenia.glitch.me/public/rfyiyuki4342.html | Get hash | malicious | Unknown | Browse
• 13.227.219.35
AMAZON-02US | https://task4-seven-omega.vercel.app/registration.html | Get hash | malicious | Unknown | Browse
• 76.76.21.61
AMAZON-02US | https://coenbseeprolgiin.webflow.io/ | Get hash | malicious | HTMLPhisher | Browse
• 52.222.232.47
AMAZON-02US | https://currentxfinitypages.weebly.com/ | Get hash | malicious | HTMLPhisher | Browse
• 54.69.50.186
AMAZON-02US | https://ledgerliveofficialsite.gitbook.io/ | Get hash | malicious | Unknown | Browse
• 34.252.37.84
AMAZON-02US | https://sso--cdn-coiinbasepro-cdn-auth.webflow.io/ | Get hash | malicious | HTMLPhisher | Browse
• 35.166.92.226
AMAZON-02US | https://sso--coinbasepro--index.webflow.io/ | Get hash | malicious | HTMLPhisher | Browse
• 108.156.61.211
AMAZON-02US | https://sso-auth-get--coinbase-pro.webflow.io/ | Get hash | malicious | HTMLPhisher | Browse
• 52.222.232.47
              No context
              No context
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):95232
              Entropy (8bit):5.561764870808992
              Encrypted:false
              SSDEEP:1536:jy+C+xhUa9urgOBPmNvM4jEwzGi1dDVD/gS:jyIUa9urgOkdGi1dhY
              MD5:02CEFBDA3396F784034E71616E52D67E
              SHA1:B38666D28BEB902565260BF87D4F367911E94EDA
              SHA-256:BB128EC75526887E8EBC2C1E4C0DAF7B7EC1D41F039C0FB88E927B90FCE6DF9E
              SHA-512:4C17201E33A1C9FC6FF5CB476FE548447CDEEEA20F494EA1A77BDE704D97DE7826B6EC880274FED2071D29499F3DF09A8737770557F27D7D3134E16A8E80B92A
              Malicious:true
              Yara Hits:
              • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Notepad.exe, Author: Joe Security
              • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Notepad.exe, Author: unknown
              • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Notepad.exe, Author: Florian Roth
              • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Notepad.exe, Author: JPCERT/CC Incident Response Group
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 84%
              • Antivirus: Virustotal, Detection: 71%, Browse
              Reputation:low
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Reputation:high, very likely benign file
              Preview:[ZoneTransfer]....ZoneId=0
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):95232
              Entropy (8bit):5.561764870808992
              Encrypted:false
              SSDEEP:1536:jy+C+xhUa9urgOBPmNvM4jEwzGi1dDVD/gS:jyIUa9urgOkdGi1dhY
              MD5:02CEFBDA3396F784034E71616E52D67E
              SHA1:B38666D28BEB902565260BF87D4F367911E94EDA
              SHA-256:BB128EC75526887E8EBC2C1E4C0DAF7B7EC1D41F039C0FB88E927B90FCE6DF9E
              SHA-512:4C17201E33A1C9FC6FF5CB476FE548447CDEEEA20F494EA1A77BDE704D97DE7826B6EC880274FED2071D29499F3DF09A8737770557F27D7D3134E16A8E80B92A
              Malicious:true
              Yara Hits:
              • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Program Files (x86)\Explower.exe, Author: Joe Security
              • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Program Files (x86)\Explower.exe, Author: unknown
              • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Program Files (x86)\Explower.exe, Author: Florian Roth
              • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Program Files (x86)\Explower.exe, Author: JPCERT/CC Incident Response Group
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 84%
              • Antivirus: Virustotal, Detection: 71%, Browse
              Reputation:low
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Reputation:high, very likely benign file
              Preview:[ZoneTransfer]....ZoneId=0
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):95232
              Entropy (8bit):5.561764870808992
              Encrypted:false
              SSDEEP:1536:jy+C+xhUa9urgOBPmNvM4jEwzGi1dDVD/gS:jyIUa9urgOkdGi1dhY
              MD5:02CEFBDA3396F784034E71616E52D67E
              SHA1:B38666D28BEB902565260BF87D4F367911E94EDA
              SHA-256:BB128EC75526887E8EBC2C1E4C0DAF7B7EC1D41F039C0FB88E927B90FCE6DF9E
              SHA-512:4C17201E33A1C9FC6FF5CB476FE548447CDEEEA20F494EA1A77BDE704D97DE7826B6EC880274FED2071D29499F3DF09A8737770557F27D7D3134E16A8E80B92A
              Malicious:true
              Yara Hits:
              • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Umbrella.flv.exe, Author: Joe Security
              • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Umbrella.flv.exe, Author: Joe Security
              • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Umbrella.flv.exe, Author: Joe Security
              • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Umbrella.flv.exe, Author: unknown
              • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Umbrella.flv.exe, Author: Florian Roth
              • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Umbrella.flv.exe, Author: JPCERT/CC Incident Response Group
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 84%
              • Antivirus: Virustotal, Detection: 71%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Preview:[ZoneTransfer]....ZoneId=0
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):95232
              Entropy (8bit):5.561764870808992
              Encrypted:false
              SSDEEP:1536:jy+C+xhUa9urgOBPmNvM4jEwzGi1dDVD/gS:jyIUa9urgOkdGi1dhY
              MD5:02CEFBDA3396F784034E71616E52D67E
              SHA1:B38666D28BEB902565260BF87D4F367911E94EDA
              SHA-256:BB128EC75526887E8EBC2C1E4C0DAF7B7EC1D41F039C0FB88E927B90FCE6DF9E
              SHA-512:4C17201E33A1C9FC6FF5CB476FE548447CDEEEA20F494EA1A77BDE704D97DE7826B6EC880274FED2071D29499F3DF09A8737770557F27D7D3134E16A8E80B92A
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 84%
              • Antivirus: Virustotal, Detection: 71%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:false
              Preview:[ZoneTransfer]....ZoneId=0
              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):525
              Entropy (8bit):5.259753436570609
              Encrypted:false
              SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
              MD5:260E01CC001F9C4643CA7A62F395D747
              SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
              SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
              SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
              Malicious:false
              Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):95232
              Entropy (8bit):5.561764870808992
              Encrypted:false
              SSDEEP:1536:jy+C+xhUa9urgOBPmNvM4jEwzGi1dDVD/gS:jyIUa9urgOkdGi1dhY
              MD5:02CEFBDA3396F784034E71616E52D67E
              SHA1:B38666D28BEB902565260BF87D4F367911E94EDA
              SHA-256:BB128EC75526887E8EBC2C1E4C0DAF7B7EC1D41F039C0FB88E927B90FCE6DF9E
              SHA-512:4C17201E33A1C9FC6FF5CB476FE548447CDEEEA20F494EA1A77BDE704D97DE7826B6EC880274FED2071D29499F3DF09A8737770557F27D7D3134E16A8E80B92A
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 84%
              • Antivirus: Virustotal, Detection: 71%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:false
              Preview:[ZoneTransfer]....ZoneId=0
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):95232
              Entropy (8bit):5.561764870808992
              Encrypted:false
              SSDEEP:1536:jy+C+xhUa9urgOBPmNvM4jEwzGi1dDVD/gS:jyIUa9urgOkdGi1dhY
              MD5:02CEFBDA3396F784034E71616E52D67E
              SHA1:B38666D28BEB902565260BF87D4F367911E94EDA
              SHA-256:BB128EC75526887E8EBC2C1E4C0DAF7B7EC1D41F039C0FB88E927B90FCE6DF9E
              SHA-512:4C17201E33A1C9FC6FF5CB476FE548447CDEEEA20F494EA1A77BDE704D97DE7826B6EC880274FED2071D29499F3DF09A8737770557F27D7D3134E16A8E80B92A
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 84%
              • Antivirus: Virustotal, Detection: 71%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:false
              Preview:[ZoneTransfer]....ZoneId=0
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):95232
              Entropy (8bit):5.561764870808992
              Encrypted:false
              SSDEEP:1536:jy+C+xhUa9urgOBPmNvM4jEwzGi1dDVD/gS:jyIUa9urgOkdGi1dhY
              MD5:02CEFBDA3396F784034E71616E52D67E
              SHA1:B38666D28BEB902565260BF87D4F367911E94EDA
              SHA-256:BB128EC75526887E8EBC2C1E4C0DAF7B7EC1D41F039C0FB88E927B90FCE6DF9E
              SHA-512:4C17201E33A1C9FC6FF5CB476FE548447CDEEEA20F494EA1A77BDE704D97DE7826B6EC880274FED2071D29499F3DF09A8737770557F27D7D3134E16A8E80B92A
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 84%
              • Antivirus: Virustotal, Detection: 71%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:false
              Preview:[ZoneTransfer]....ZoneId=0
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):95232
              Entropy (8bit):5.561764870808992
              Encrypted:false
              SSDEEP:1536:jy+C+xhUa9urgOBPmNvM4jEwzGi1dDVD/gS:jyIUa9urgOkdGi1dhY
              MD5:02CEFBDA3396F784034E71616E52D67E
              SHA1:B38666D28BEB902565260BF87D4F367911E94EDA
              SHA-256:BB128EC75526887E8EBC2C1E4C0DAF7B7EC1D41F039C0FB88E927B90FCE6DF9E
              SHA-512:4C17201E33A1C9FC6FF5CB476FE548447CDEEEA20F494EA1A77BDE704D97DE7826B6EC880274FED2071D29499F3DF09A8737770557F27D7D3134E16A8E80B92A
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 84%
              • Antivirus: Virustotal, Detection: 71%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:false
              Preview:[ZoneTransfer]....ZoneId=0
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
              Category:dropped
              Size (bytes):5
              Entropy (8bit):2.321928094887362
              Encrypted:false
              SSDEEP:3:zn:z
              MD5:A65A8CC18C0FDCAC3B78ED8F032E2F98
              SHA1:9087F7AAF4EDF3B132348B1E5DFA7A678D57D40E
              SHA-256:CA1C5C735384C64968C987E3E608CB48A3CBD73E870F1BC6D60F2B24F9445E3A
              SHA-512:8E56C9AA0C90FB30B488FA72A0B9D40E69C357E32D8E6F9D5A299DFBF9DF8C896C28684D7163972019AB53DFCFE35DC75E9B305E07C81B9984A410E04B96186D
              Malicious:false
              Preview:.10
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):95232
              Entropy (8bit):5.561764870808992
              Encrypted:false
              SSDEEP:1536:jy+C+xhUa9urgOBPmNvM4jEwzGi1dDVD/gS:jyIUa9urgOkdGi1dhY
              MD5:02CEFBDA3396F784034E71616E52D67E
              SHA1:B38666D28BEB902565260BF87D4F367911E94EDA
              SHA-256:BB128EC75526887E8EBC2C1E4C0DAF7B7EC1D41F039C0FB88E927B90FCE6DF9E
              SHA-512:4C17201E33A1C9FC6FF5CB476FE548447CDEEEA20F494EA1A77BDE704D97DE7826B6EC880274FED2071D29499F3DF09A8737770557F27D7D3134E16A8E80B92A
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 84%
              • Antivirus: Virustotal, Detection: 71%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:false
              Preview:[ZoneTransfer]....ZoneId=0
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):95232
              Entropy (8bit):5.561764870808992
              Encrypted:false
              SSDEEP:1536:jy+C+xhUa9urgOBPmNvM4jEwzGi1dDVD/gS:jyIUa9urgOkdGi1dhY
              MD5:02CEFBDA3396F784034E71616E52D67E
              SHA1:B38666D28BEB902565260BF87D4F367911E94EDA
              SHA-256:BB128EC75526887E8EBC2C1E4C0DAF7B7EC1D41F039C0FB88E927B90FCE6DF9E
              SHA-512:4C17201E33A1C9FC6FF5CB476FE548447CDEEEA20F494EA1A77BDE704D97DE7826B6EC880274FED2071D29499F3DF09A8737770557F27D7D3134E16A8E80B92A
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 84%
              • Antivirus: Virustotal, Detection: 71%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:false
              Preview:[ZoneTransfer]....ZoneId=0
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):95232
              Entropy (8bit):5.561764870808992
              Encrypted:false
              SSDEEP:1536:jy+C+xhUa9urgOBPmNvM4jEwzGi1dDVD/gS:jyIUa9urgOkdGi1dhY
              MD5:02CEFBDA3396F784034E71616E52D67E
              SHA1:B38666D28BEB902565260BF87D4F367911E94EDA
              SHA-256:BB128EC75526887E8EBC2C1E4C0DAF7B7EC1D41F039C0FB88E927B90FCE6DF9E
              SHA-512:4C17201E33A1C9FC6FF5CB476FE548447CDEEEA20F494EA1A77BDE704D97DE7826B6EC880274FED2071D29499F3DF09A8737770557F27D7D3134E16A8E80B92A
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 84%
              • Antivirus: Virustotal, Detection: 71%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:false
              Preview:[ZoneTransfer]....ZoneId=0
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):95232
              Entropy (8bit):5.561764870808992
              Encrypted:false
              SSDEEP:1536:jy+C+xhUa9urgOBPmNvM4jEwzGi1dDVD/gS:jyIUa9urgOkdGi1dhY
              MD5:02CEFBDA3396F784034E71616E52D67E
              SHA1:B38666D28BEB902565260BF87D4F367911E94EDA
              SHA-256:BB128EC75526887E8EBC2C1E4C0DAF7B7EC1D41F039C0FB88E927B90FCE6DF9E
              SHA-512:4C17201E33A1C9FC6FF5CB476FE548447CDEEEA20F494EA1A77BDE704D97DE7826B6EC880274FED2071D29499F3DF09A8737770557F27D7D3134E16A8E80B92A
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 84%
              • Antivirus: Virustotal, Detection: 71%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:false
              Preview:[ZoneTransfer]....ZoneId=0
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:Microsoft Windows Autorun file
              Category:dropped
              Size (bytes):55
              Entropy (8bit):4.474554204780528
              Encrypted:false
              SSDEEP:3:It1KV2PHQCyK0x:e1KAwCyD
              MD5:40B1630BE21F39CB17BD1963CAE5A207
              SHA1:63C14BD151D42820DD45C033363FA5B9E1D34124
              SHA-256:F87E55F1A423B65FD639146F71F6027DBD4D6E69B65D9A17F1744774AA6589E1
              SHA-512:833112ED4A9A3C621D2FFFC78F83502B2937B82A2CF9BC692D75D907CE2AA46C2D97CFE23C402DB3292B2DD2655FF8692C3CD00D5BA4D792C3D8AF24958E1926
              Malicious:true
              Preview:[autorun]..open=C:\Umbrella.flv.exe..shellexecute=C:\..
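The two small text files this sample writes next to its PE copies are worth a closer look than the previews give them: the Zone.Identifier stream content [ZoneTransfer] / ZoneId=0 marks each dropped copy as originating from the local machine, so no Mark-of-the-Web prompt or SmartScreen check applies to it, and the autorun.inf above points a removable drive at C:\Umbrella.flv.exe, a double-extension name posing as a video. The following script is an added example, not Joe Sandbox output or the malware's own code; its two sample strings are constructed from the previews (CRLF line endings, same byte lengths as listed) and the zone-number mapping is the standard URLZONE table.

```python
"""Triage the two text artefacts this sample drops beside its PE copies:
a Zone.Identifier alternate data stream and a USB autorun.inf.
The sample strings below are constructed from the report previews; they
are not the original files."""
import configparser

# Zone.Identifier ZoneId values (URLZONE_*). Attachment Manager / SmartScreen
# only treat 3 (Internet) and 4 (Restricted) as a "Mark of the Web".
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "msi"}

# Constructed sample input (26 and 55 bytes, matching the dropped-file sizes above).
ZONE_IDENTIFIER_SAMPLE = "[ZoneTransfer]\r\n\r\nZoneId=0"
AUTORUN_SAMPLE = "[autorun]\r\nopen=C:\\Umbrella.flv.exe\r\nshellexecute=C:\\\r\n"


def parse_ini(text):
    """Parse INI-style text the way these artefacts are written: keys keep
    their case, no value interpolation, duplicate keys do not abort parsing."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text.replace("\r\n", "\n"))
    return cp


def assess_zone_identifier(text):
    """Return the zone a file claims to come from and whether that counts as a
    Mark of the Web. ZoneId=0, as written by this sample, means 'local machine':
    no SmartScreen or open-file prompt for the dropped executable."""
    cp = parse_ini(text)
    zone = cp.getint("ZoneTransfer", "ZoneId", fallback=None)
    return {
        "zone_id": zone,
        "zone_name": ZONE_NAMES.get(zone, "unknown"),
        "mark_of_the_web": zone is not None and zone >= 3,
    }


def assess_autorun(text):
    """Flag autorun.inf launch directives that start an executable, especially
    one whose name fakes a media file (Umbrella.flv.exe in this report)."""
    cp = parse_ini(text)
    if not cp.has_section("autorun"):
        return {"is_autorun": False, "launch": {}, "findings": []}
    launch_keys = ("open", "shellexecute", "shell\\open\\command")
    launch = {k: v.strip() for k, v in cp.items("autorun") if k.lower() in launch_keys}
    findings = []
    for key, target in launch.items():
        name = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        exts = name.split(".")[1:]  # ["flv", "exe"] for Umbrella.flv.exe
        if exts and exts[-1] in EXEC_EXT:
            findings.append(f"{key}= launches an executable: {target}")
            if len(exts) >= 2:
                findings.append(f"{key}= target hides a double extension: .{'.'.join(exts)}")
    return {"is_autorun": True, "launch": launch, "findings": findings}


if __name__ == "__main__":
    print(assess_zone_identifier(ZONE_IDENTIFIER_SAMPLE))
    for line in assess_autorun(AUTORUN_SAMPLE)["findings"]:
        print(line)
```

On a live system the same two functions can be fed the Zone.Identifier stream read via the path suffix ":Zone.Identifier" and the root of each removable volume; a PE copy carrying ZoneId=0 (or no stream at all) next to an autorun.inf whose open= target has a double extension is the USB-spreader pattern the signatures above describe.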
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):95232
              Entropy (8bit):5.561764870808992
              Encrypted:false
              SSDEEP:1536:jy+C+xhUa9urgOBPmNvM4jEwzGi1dDVD/gS:jyIUa9urgOkdGi1dhY
              MD5:02CEFBDA3396F784034E71616E52D67E
              SHA1:B38666D28BEB902565260BF87D4F367911E94EDA
              SHA-256:BB128EC75526887E8EBC2C1E4C0DAF7B7EC1D41F039C0FB88E927B90FCE6DF9E
              SHA-512:4C17201E33A1C9FC6FF5CB476FE548447CDEEEA20F494EA1A77BDE704D97DE7826B6EC880274FED2071D29499F3DF09A8737770557F27D7D3134E16A8E80B92A
              Malicious:true
              Yara Hits:
              • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\system.exe, Author: Joe Security
              • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\system.exe, Author: unknown
              • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\system.exe, Author: Florian Roth
              • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\system.exe, Author: Florian Roth
              • Rule: Njrat, Description: detect njRAT in memory, Source: C:\system.exe, Author: JPCERT/CC Incident Response Group
              • Rule: Njrat, Description: detect njRAT in memory, Source: C:\system.exe, Author: JPCERT/CC Incident Response Group
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
              • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 84%
              • Antivirus: Virustotal, Detection: 71%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
              Process:C:\Users\user\Desktop\7tjt3u68PZ.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Preview:[ZoneTransfer]....ZoneId=0
              Process:C:\Windows\SysWOW64\netsh.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):313
              Entropy (8bit):4.971939296804078
              Encrypted:false
              SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
              MD5:689E2126A85BF55121488295EE068FA1
              SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
              SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
              SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
              Malicious:false
              Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):5.561764870808992
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              • Win32 Executable (generic) a (10002005/4) 49.75%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Windows Screen Saver (13104/52) 0.07%
              • Generic Win/DOS Executable (2004/3) 0.01%
              File name:7tjt3u68PZ.exe
              File size:95'232 bytes
              MD5:02cefbda3396f784034e71616e52d67e
              SHA1:b38666d28beb902565260bf87d4f367911e94eda
              SHA256:bb128ec75526887e8ebc2c1e4c0daf7b7ec1d41f039c0fb88e927b90fce6df9e
              SHA512:4c17201e33a1c9fc6ff5cb476fe548447cdeeea20f494ea1a77bde704d97de7826b6ec880274fed2071d29499f3df09a8737770557f27d7d3134e16a8e80b92a
              SSDEEP:1536:jy+C+xhUa9urgOBPmNvM4jEwzGi1dDVD/gS:jyIUa9urgOkdGi1dhY
              TLSH:DE93D74977E53524E4BF56F79472F2004E34B44B1602E39E49F259EA0A33AC44F89EEB
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................p............... ........@.. ....................................@................................
              Icon Hash:90cececece8e8eb0
              Entrypoint:0x418f0e
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0x66DDA8C5 [Sun Sep 8 13:38:13 2024 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the remaining bytes of the entry stub are zero padding, which the disassembler renders as repeated add byte ptr [eax], al)
The single jmp goes through the IAT slot at 0x402000 (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000 plus the 0x400000 image base), i.e. the one native import, mscoree.dll!_CorExeMain. This is the standard native stub of a .NET executable; the managed code is reached through the CLR header at RVA 0x2008 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR), not through this entrypoint.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18eb8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x16f14 | 0x17000 | 6d5781fda14111c1d332ca01c3044030 | False | 0.36819590692934784 | data | 5.593491839710464 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x1a000 | 0xc | 0x200 | 26def8a0407cc7078ce41b7ef703298e | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-11T02:02:02.603963+0200 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49730 | 3.125.209.94 | 11348 | TCP
2024-09-11T02:02:02.603963+0200 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49730 | 3.125.209.94 | 11348 | TCP
2024-09-11T02:02:08.278941+0200 | 2825564 | ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) | 1 | 192.168.2.4 | 49730 | 3.125.209.94 | 11348 | TCP
2024-09-11T02:03:06.370956+0200 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 50776 | 3.125.209.94 | 11348 | TCP
2024-09-11T02:03:06.370956+0200 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 50776 | 3.125.209.94 | 11348 | TCP
2024-09-11T02:03:11.011982+0200 | 2825564 | ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) | 1 | 192.168.2.4 | 50776 | 3.125.209.94 | 11348 | TCP
2024-09-11T02:04:18.274738+0200 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 50777 | 18.192.31.165 | 11348 | TCP
2024-09-11T02:04:18.274738+0200 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 50777 | 18.192.31.165 | 11348 | TCP
2024-09-11T02:04:25.276660+0200 | 2825564 | ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) | 1 | 192.168.2.4 | 50777 | 18.192.31.165 | 11348 | TCP
2024-09-11T02:05:23.300184+0200 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 50778 | 18.158.249.75 | 11348 | TCP
2024-09-11T02:05:23.300184+0200 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 50778 | 18.158.249.75 | 11348 | TCP
2024-09-11T02:05:26.867195+0200 | 2825564 | ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) | 1 | 192.168.2.4 | 50778 | 18.158.249.75 | 11348 | TCP
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Sep 11, 2024 02:02:02.128613949 CEST | 49730 | 11348 | 192.168.2.4 | 3.125.209.94
              Sep 11, 2024 02:02:02.134041071 CEST | 11348 | 49730 | 3.125.209.94 | 192.168.2.4
              Sep 11, 2024 02:02:02.134162903 CEST | 49730 | 11348 | 192.168.2.4 | 3.125.209.94
              Sep 11, 2024 02:02:02.603962898 CEST | 49730 | 11348 | 192.168.2.4 | 3.125.209.94
              Sep 11, 2024 02:02:02.608835936 CEST | 11348 | 49730 | 3.125.209.94 | 192.168.2.4
              Sep 11, 2024 02:02:02.608907938 CEST | 49730 | 11348 | 192.168.2.4 | 3.125.209.94
              Sep 11, 2024 02:02:02.613723040 CEST | 11348 | 49730 | 3.125.209.94 | 192.168.2.4
              Sep 11, 2024 02:02:08.278940916 CEST | 49730 | 11348 | 192.168.2.4 | 3.125.209.94
              Sep 11, 2024 02:02:08.283927917 CEST | 11348 | 49730 | 3.125.209.94 | 192.168.2.4
              Sep 11, 2024 02:03:04.221611977 CEST | 11348 | 49730 | 3.125.209.94 | 192.168.2.4
              Sep 11, 2024 02:03:04.221683025 CEST | 49730 | 11348 | 192.168.2.4 | 3.125.209.94
              Sep 11, 2024 02:03:06.328397989 CEST | 49730 | 11348 | 192.168.2.4 | 3.125.209.94
              Sep 11, 2024 02:03:06.333722115 CEST | 11348 | 49730 | 3.125.209.94 | 192.168.2.4
              Sep 11, 2024 02:03:06.365047932 CEST | 50776 | 11348 | 192.168.2.4 | 3.125.209.94
              Sep 11, 2024 02:03:06.370002985 CEST | 11348 | 50776 | 3.125.209.94 | 192.168.2.4
              Sep 11, 2024 02:03:06.370085001 CEST | 50776 | 11348 | 192.168.2.4 | 3.125.209.94
              Sep 11, 2024 02:03:06.370955944 CEST | 50776 | 11348 | 192.168.2.4 | 3.125.209.94
              Sep 11, 2024 02:03:06.375703096 CEST | 11348 | 50776 | 3.125.209.94 | 192.168.2.4
              Sep 11, 2024 02:03:06.375776052 CEST | 50776 | 11348 | 192.168.2.4 | 3.125.209.94
              Sep 11, 2024 02:03:06.380808115 CEST | 11348 | 50776 | 3.125.209.94 | 192.168.2.4
              Sep 11, 2024 02:03:11.011981964 CEST | 50776 | 11348 | 192.168.2.4 | 3.125.209.94
              Sep 11, 2024 02:03:11.016782999 CEST | 11348 | 50776 | 3.125.209.94 | 192.168.2.4
              Sep 11, 2024 02:04:08.223855972 CEST | 11348 | 50776 | 3.125.209.94 | 192.168.2.4
              Sep 11, 2024 02:04:08.223994017 CEST | 50776 | 11348 | 192.168.2.4 | 3.125.209.94
              Sep 11, 2024 02:04:10.250626087 CEST | 50776 | 11348 | 192.168.2.4 | 3.125.209.94
              Sep 11, 2024 02:04:10.255572081 CEST | 11348 | 50776 | 3.125.209.94 | 192.168.2.4
              Sep 11, 2024 02:04:18.267785072 CEST | 50777 | 11348 | 192.168.2.4 | 18.192.31.165
              Sep 11, 2024 02:04:18.273720980 CEST | 11348 | 50777 | 18.192.31.165 | 192.168.2.4
              Sep 11, 2024 02:04:18.273813963 CEST | 50777 | 11348 | 192.168.2.4 | 18.192.31.165
              Sep 11, 2024 02:04:18.274738073 CEST | 50777 | 11348 | 192.168.2.4 | 18.192.31.165
              Sep 11, 2024 02:04:18.282072067 CEST | 11348 | 50777 | 18.192.31.165 | 192.168.2.4
              Sep 11, 2024 02:04:18.282150984 CEST | 50777 | 11348 | 192.168.2.4 | 18.192.31.165
              Sep 11, 2024 02:04:18.287309885 CEST | 11348 | 50777 | 18.192.31.165 | 192.168.2.4
              Sep 11, 2024 02:04:25.276659966 CEST | 50777 | 11348 | 192.168.2.4 | 18.192.31.165
              Sep 11, 2024 02:04:25.281691074 CEST | 11348 | 50777 | 18.192.31.165 | 192.168.2.4
              Sep 11, 2024 02:05:20.231575966 CEST | 11348 | 50777 | 18.192.31.165 | 192.168.2.4
              Sep 11, 2024 02:05:20.231687069 CEST | 50777 | 11348 | 192.168.2.4 | 18.192.31.165
              Sep 11, 2024 02:05:22.275408030 CEST | 50777 | 11348 | 192.168.2.4 | 18.192.31.165
              Sep 11, 2024 02:05:22.280267000 CEST | 11348 | 50777 | 18.192.31.165 | 192.168.2.4
              Sep 11, 2024 02:05:23.294194937 CEST | 50778 | 11348 | 192.168.2.4 | 18.158.249.75
              Sep 11, 2024 02:05:23.299242973 CEST | 11348 | 50778 | 18.158.249.75 | 192.168.2.4
              Sep 11, 2024 02:05:23.299335957 CEST | 50778 | 11348 | 192.168.2.4 | 18.158.249.75
              Sep 11, 2024 02:05:23.300184011 CEST | 50778 | 11348 | 192.168.2.4 | 18.158.249.75
              Sep 11, 2024 02:05:23.304986954 CEST | 11348 | 50778 | 18.158.249.75 | 192.168.2.4
              Sep 11, 2024 02:05:23.305077076 CEST | 50778 | 11348 | 192.168.2.4 | 18.158.249.75
              Sep 11, 2024 02:05:23.309899092 CEST | 11348 | 50778 | 18.158.249.75 | 192.168.2.4
              Sep 11, 2024 02:05:26.867194891 CEST | 50778 | 11348 | 192.168.2.4 | 18.158.249.75
              Sep 11, 2024 02:05:26.872163057 CEST | 11348 | 50778 | 18.158.249.75 | 192.168.2.4
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Sep 11, 2024 02:02:02.109468937 CEST | 63746 | 53 | 192.168.2.4 | 1.1.1.1
              Sep 11, 2024 02:02:02.118558884 CEST | 53 | 63746 | 1.1.1.1 | 192.168.2.4
              Sep 11, 2024 02:02:18.664587975 CEST | 53 | 64255 | 1.1.1.1 | 192.168.2.4
              Sep 11, 2024 02:03:06.329502106 CEST | 50995 | 53 | 192.168.2.4 | 1.1.1.1
              Sep 11, 2024 02:03:06.338296890 CEST | 53 | 50995 | 1.1.1.1 | 192.168.2.4
              Sep 11, 2024 02:04:18.257030010 CEST | 56663 | 53 | 192.168.2.4 | 1.1.1.1
              Sep 11, 2024 02:04:18.267018080 CEST | 53 | 56663 | 1.1.1.1 | 192.168.2.4
              Sep 11, 2024 02:05:23.255028009 CEST | 58741 | 53 | 192.168.2.4 | 1.1.1.1
              Sep 11, 2024 02:05:23.263590097 CEST | 53 | 58741 | 1.1.1.1 | 192.168.2.4
              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
              Sep 11, 2024 02:02:02.109468937 CEST | 192.168.2.4 | 1.1.1.1 | 0xd8bc | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
              Sep 11, 2024 02:03:06.329502106 CEST | 192.168.2.4 | 1.1.1.1 | 0xd90c | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
              Sep 11, 2024 02:04:18.257030010 CEST | 192.168.2.4 | 1.1.1.1 | 0xa33b | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
              Sep 11, 2024 02:05:23.255028009 CEST | 192.168.2.4 | 1.1.1.1 | 0xc0bd | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
              Sep 11, 2024 02:02:02.118558884 CEST | 1.1.1.1 | 192.168.2.4 | 0xd8bc | No error (0) | 0.tcp.eu.ngrok.io |  | 3.125.209.94 | A (IP address) | IN (0x0001) | false
              Sep 11, 2024 02:03:06.338296890 CEST | 1.1.1.1 | 192.168.2.4 | 0xd90c | No error (0) | 0.tcp.eu.ngrok.io |  | 3.125.209.94 | A (IP address) | IN (0x0001) | false
              Sep 11, 2024 02:04:18.267018080 CEST | 1.1.1.1 | 192.168.2.4 | 0xa33b | No error (0) | 0.tcp.eu.ngrok.io |  | 18.192.31.165 | A (IP address) | IN (0x0001) | false
              Sep 11, 2024 02:05:23.263590097 CEST | 1.1.1.1 | 192.168.2.4 | 0xc0bd | No error (0) | 0.tcp.eu.ngrok.io |  | 18.158.249.75 | A (IP address) | IN (0x0001) | false

              Target ID:0
              Start time:20:01:56
              Start date:10/09/2024
              Path:C:\Users\user\Desktop\7tjt3u68PZ.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\7tjt3u68PZ.exe"
              Imagebase:0x8b0000
              File size:95'232 bytes
              MD5 hash:02CEFBDA3396F784034E71616E52D67E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1664656287.00000000008B2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1664656287.00000000008B2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
              • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.1664656287.00000000008B2000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.4123213231.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              Reputation:low
              Has exited:false

              Target ID:1
              Start time:20:01:57
              Start date:10/09/2024
              Path:C:\Windows\SysWOW64\netsh.exe
              Wow64 process (32bit):true
              Commandline:netsh firewall add allowedprogram "C:\Users\user\Desktop\7tjt3u68PZ.exe" "7tjt3u68PZ.exe" ENABLE
              Imagebase:0x1560000
              File size:82'432 bytes
              MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:2
              Start time:20:01:57
              Start date:10/09/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7699e0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:3
              Start time:20:02:09
              Start date:10/09/2024
              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe"
              Imagebase:0x140000
              File size:95'232 bytes
              MD5 hash:02CEFBDA3396F784034E71616E52D67E
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Antivirus matches:
              • Detection: 84%, ReversingLabs
              • Detection: 71%, Virustotal, Browse
              Reputation:low
              Has exited:true

                Execution Graph

                Execution Coverage:36.9%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:6.1%
                Total number of Nodes:115
                Total number of Limit Nodes:7
                execution_graph 20467 12f222e 20469 12f2269 LoadLibraryA 20467->20469 20470 12f22a6 20469->20470 20557 11ca65e 20558 11ca68a CloseHandle 20557->20558 20559 11ca6c0 20557->20559 20560 11ca698 20558->20560 20559->20558 20471 12f2daa 20473 12f2ddf GetExitCodeProcess 20471->20473 20474 12f2e08 20473->20474 20561 12f2f6a 20562 12f2f9f SetProcessWorkingSetSize 20561->20562 20564 12f2fcb 20562->20564 20475 11cb31a 20477 11cb34f RegQueryValueExW 20475->20477 20478 11cb3a3 20477->20478 20479 11ca59a 20480 11ca5d8 DuplicateHandle 20479->20480 20481 11ca610 20479->20481 20482 11ca5e6 20480->20482 20481->20480 20569 50802c0 20572 50802dc 20569->20572 20570 508043d 20571 50800b8 GetLogicalDrives GetLogicalDrives 20571->20572 20572->20570 20572->20571 20483 12f1522 20484 12f155a ConvertStringSecurityDescriptorToSecurityDescriptorW 20483->20484 20486 12f159b 20484->20486 20487 12f1da2 20488 12f1ddd getaddrinfo 20487->20488 20490 12f1e4f 20488->20490 20491 11caa12 20492 11caa3e SetErrorMode 20491->20492 20493 11caa67 20491->20493 20494 11caa53 20492->20494 20493->20492 20495 11cb212 20496 11cb24a RegOpenKeyExW 20495->20496 20498 11cb2a0 20496->20498 20499 12f1c3e 20501 12f1c73 GetProcessTimes 20499->20501 20502 12f1ca5 20501->20502 20503 11cb40e 20506 11cb443 RegSetValueExW 20503->20506 20505 11cb48f 20506->20505 20577 12f2bfa 20579 12f2c2f ioctlsocket 20577->20579 20580 12f2c5b 20579->20580 20581 12f1976 20583 12f19ab shutdown 20581->20583 20584 12f19d4 20583->20584 20585 12f10f6 20586 12f112e WSASocketW 20585->20586 20588 12f116a 20586->20588 20511 11ca186 20512 11ca1bb send 20511->20512 20513 11ca1f3 20511->20513 20514 11ca1c9 20512->20514 20513->20512 20515 11cbc02 20517 11cbc2b LookupPrivilegeValueW 20515->20517 20518 11cbc52 20517->20518 20519 11cbd82 20520 11cbdb1 AdjustTokenPrivileges 20519->20520 20522 11cbdd3 20520->20522 20523 11ca0be 20524 11ca10e FindNextFileW 20523->20524 20525 11ca116 20524->20525 20589 11cbefe 20590 11cbf5e 20589->20590 20591 
11cbf33 NtQuerySystemInformation 20589->20591 20590->20591 20592 11cbf48 20591->20592 20530 12f2e86 20532 12f2ebb GetProcessWorkingSetSize 20530->20532 20533 12f2ee7 20532->20533 20534 11cbab6 20536 11cbadf SetFileAttributesW 20534->20536 20537 11cbafb 20536->20537 20593 11cb4f6 20595 11cb531 SendMessageTimeoutA 20593->20595 20596 11cb579 20595->20596 20538 12f1f82 20539 12f1fb7 WSAConnect 20538->20539 20541 12f1fd6 20539->20541 20597 12f0a42 20598 12f0a7a RegCreateKeyExW 20597->20598 20600 12f0aec 20598->20600 20601 11cb9f2 20602 11cba1e FindClose 20601->20602 20603 11cba50 20601->20603 20604 11cba33 20602->20604 20603->20602 20542 11ca72e 20543 11ca77e OleGetClipboard 20542->20543 20544 11ca78c 20543->20544 20545 11caeae 20546 11caee3 WriteFile 20545->20546 20548 11caf15 20546->20548 20549 11cb8aa 20551 11cb8d0 DeleteFileW 20549->20551 20552 11cb8ec 20551->20552 20608 11cac6a 20611 11cac9f GetFileType 20608->20611 20610 11caccc 20611->20610 20612 11cb06a 20613 11cb0a2 CreateMutexW 20612->20613 20615 11cb0e5 20613->20615 20616 12f2cd6 20617 12f2cff select 20616->20617 20619 12f2d34 20617->20619 20553 11caaa6 20554 11caade CreateFileW 20553->20554 20556 11cab2d 20554->20556 20620 12f16d2 20621 12f170a MapViewOfFile 20620->20621 20623 12f1759 20621->20623 20624 11cb7e2 20626 11cb80b CopyFileW 20624->20626 20627 11cb832 20626->20627
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k$:@k$:@k$:@k$:@k$:@k$@
                • API String ID: 0-4108611281
                • Opcode ID: be3632a1309a8a1cfffab243ff473ae5d8980b85212889115841dc64d0bf9128
                • Instruction ID: 9baf6e1464910de731d1693484a2df7b5f97873aa841c27a2c4cbdf62f4dd345
                • Opcode Fuzzy Hash: be3632a1309a8a1cfffab243ff473ae5d8980b85212889115841dc64d0bf9128
                • Instruction Fuzzy Hash: 28234B74A01228CFDB65EF60E864BEDB7B2BB88304F0141E9D959A7794DB319E85CF40
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: $:@k$:@k$:@k$:@k$:@k$:@k
                • API String ID: 0-3720531893
                • Opcode ID: 324df51bc96bfbc592bdf1ef32be42541cc30d67fb1a4e2acc940069f65b5d4a
                • Instruction ID: e3a583920c0d4daf96c22403cbf1c0fc394d42fd972cb8a9892b186b939309fd
                • Opcode Fuzzy Hash: 324df51bc96bfbc592bdf1ef32be42541cc30d67fb1a4e2acc940069f65b5d4a
                • Instruction Fuzzy Hash: 9A132974A01228CFDB25EF60E864BEDB7B2BB88304F0141E9D95967798DB319E85CF50

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1117 50844e9-5084675 1138 508467b-50847ca 1117->1138 1139 5084805-5084819 1117->1139 1138->1139 1140 508481f-5084924 1139->1140 1141 5084967-508497b 1139->1141 1334 508492c 1140->1334 1143 508497d-5084983 call 5084208 1141->1143 1144 50849ce-50849e2 1141->1144 1152 5084988-5084993 1143->1152 1147 5084a2a-5084a3e 1144->1147 1148 50849e4-50849ef 1144->1148 1149 5084b8c-5084ba0 1147->1149 1150 5084a44-5084b51 1147->1150 1148->1147 1154 5084ccc-5084ce0 1149->1154 1155 5084ba6-5084bba 1149->1155 1150->1149 1152->1144 1161 5084f6c-5084f80 1154->1161 1162 5084ce6-5084f25 1154->1162 1157 5084bc8-5084bdc 1155->1157 1158 5084bbc-5084bc3 1155->1158 1166 5084bde-5084be5 1157->1166 1167 5084be7-5084bfb 1157->1167 1164 5084c40-5084c54 1158->1164 1168 5084fda-5084fee 1161->1168 1169 5084f82-5084f93 1161->1169 1162->1161 1170 5084c6e-5084c7a 1164->1170 1171 5084c56-5084c6c 1164->1171 1166->1164 1174 5084bfd-5084c04 1167->1174 1175 5084c06-5084c1a 1167->1175 1177 508503d-5085051 1168->1177 1178 5084ff0 1168->1178 1169->1168 1185 5084c85 1170->1185 1171->1185 1174->1164 1183 5084c1c-5084c23 1175->1183 1184 5084c25-5084c39 1175->1184 1179 508509a-50850ae 1177->1179 1180 5085053 1177->1180 1642 5084ff0 call 50872c9 1178->1642 1643 5084ff0 call 5087173 1178->1643 1187 50850b0-50850d9 1179->1187 1188 5085125-5085139 1179->1188 1180->1179 1183->1164 1184->1164 1193 5084c3b-5084c3d 1184->1193 1185->1154 1186 5084ff6 1186->1177 1187->1188 1195 50853ac-50853c0 1188->1195 1196 508513f-508535b 1188->1196 1193->1164 1199 5085496-50854aa 1195->1199 1200 50853c6-508544f 1195->1200 1580 508535d 1196->1580 1581 508535f 1196->1581 1204 50854b0-50855df 1199->1204 1205 5085667-508567b 1199->1205 1200->1199 1548 50855ea-5085620 1204->1548 1210 50857de-50857f2 1205->1210 1211 5085681-508578c 1205->1211 1218 50857f8-5085903 1210->1218 1219 5085955-5085969 1210->1219 1496 5085797 1211->1496 1513 508590e 1218->1513 1222 5085acc-5085ae0 1219->1222 1223 508596f-5085a7a 
1219->1223 1230 5085c43-5085c57 1222->1230 1231 5085ae6-5085bf1 1222->1231 1520 5085a85 1223->1520 1236 5085dba-5085dce 1230->1236 1237 5085c5d-5085d68 1230->1237 1536 5085bfc 1231->1536 1248 5085f31-5085f45 1236->1248 1249 5085dd4-5085edf 1236->1249 1553 5085d73 1237->1553 1255 50860a8-50860bc 1248->1255 1256 5085f4b-5086061 1248->1256 1557 5085eea 1249->1557 1264 508621f-5086233 1255->1264 1265 50860c2-50861cd 1255->1265 1256->1255 1272 5086239-5086344 1264->1272 1273 5086396-50863aa 1264->1273 1577 50861d8 1265->1577 1585 508634f 1272->1585 1282 508652e-5086542 1273->1282 1283 50863b0-50863f5 call 5084270 1273->1283 1286 5086548-5086567 1282->1286 1287 5086685-5086699 1282->1287 1416 50864b5-50864d7 1283->1416 1320 508660c-508662e 1286->1320 1299 508669f-508679f 1287->1299 1300 50867e6-50867fa 1287->1300 1299->1300 1318 5086800-5086900 1300->1318 1319 5086947-508695b 1300->1319 1318->1319 1325 5086aa8-5086ad2 1319->1325 1326 5086961-5086a61 1319->1326 1332 508656c-508657b 1320->1332 1333 5086634 1320->1333 1345 5086ad8-5086b4b 1325->1345 1346 5086b92-5086ba6 1325->1346 1326->1325 1355 5086581-5086585 1332->1355 1356 5086636 1332->1356 1333->1287 1334->1141 1345->1346 1361 5086bac-5086c03 1346->1361 1362 5086c83-5086c97 1346->1362 1367 5086590-50865b4 1355->1367 1376 508663b-5086683 1356->1376 1486 5086c0a-5086c3c 1361->1486 1369 5086ddd-5086df1 1362->1369 1370 5086c9d-5086d96 1362->1370 1437 50865fb-5086604 1367->1437 1438 50865b6-50865f0 1367->1438 1381 5087054-5087068 1369->1381 1382 5086df7-5086e47 1369->1382 1370->1369 1376->1287 1402 508706e-5087109 call 5084270 * 2 1381->1402 1403 5087150-5087157 1381->1403 1497 5086e49-5086e6f 1382->1497 1498 5086eb5-5086ee0 1382->1498 1402->1403 1430 50863fa-5086409 1416->1430 1431 50864dd 1416->1431 1434 50864df 1430->1434 1435 508640f-508646f 1430->1435 1431->1282 1461 50864e4-508652c 1434->1461 1554 5086479-50864ad 1435->1554 1437->1376 1455 5086606 1437->1455 1438->1437 1455->1320 1461->1282 1486->1362 1496->1210 
1575 5086eb0 1497->1575 1576 5086e71-5086e91 1497->1576 1572 5086fbe-508704f 1498->1572 1573 5086ee6-5086fb9 1498->1573 1513->1219 1520->1222 1536->1230 1548->1205 1553->1236 1554->1461 1574 50864af 1554->1574 1557->1248 1572->1381 1573->1381 1574->1416 1575->1381 1576->1575 1577->1264 1582 5085365 1580->1582 1581->1582 1641 508535f call 5087351 1581->1641 1582->1195 1585->1273 1641->1582 1642->1186 1643->1186
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: $:@k$:@k$:@k$:@k$:@k$:@k
                • API String ID: 0-3720531893
                • Opcode ID: b7dd53db76a241f8bc74e5b7ca46fbc54b6c26d0fa183bd7a3435111eb7613f6
                • Instruction ID: 0c43c1f32e7da10132db22eb12268d7de8350095b529a7b32b38e2d93b3ec52a
                • Opcode Fuzzy Hash: b7dd53db76a241f8bc74e5b7ca46fbc54b6c26d0fa183bd7a3435111eb7613f6
                • Instruction Fuzzy Hash: F6033974A01228CFDB25EF60E864BADB7B2FB88304F0141E9D95967798DB319E85CF50

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1644 508453c-5084675 1662 508467b-50847ca 1644->1662 1663 5084805-5084819 1644->1663 1662->1663 1664 508481f-5084924 1663->1664 1665 5084967-508497b 1663->1665 1858 508492c 1664->1858 1667 508497d-5084983 call 5084208 1665->1667 1668 50849ce-50849e2 1665->1668 1676 5084988-5084993 1667->1676 1671 5084a2a-5084a3e 1668->1671 1672 50849e4-50849ef 1668->1672 1673 5084b8c-5084ba0 1671->1673 1674 5084a44-5084b51 1671->1674 1672->1671 1678 5084ccc-5084ce0 1673->1678 1679 5084ba6-5084bba 1673->1679 1674->1673 1676->1668 1685 5084f6c-5084f80 1678->1685 1686 5084ce6-5084f25 1678->1686 1681 5084bc8-5084bdc 1679->1681 1682 5084bbc-5084bc3 1679->1682 1690 5084bde-5084be5 1681->1690 1691 5084be7-5084bfb 1681->1691 1688 5084c40-5084c54 1682->1688 1692 5084fda-5084fee 1685->1692 1693 5084f82-5084f93 1685->1693 1686->1685 1694 5084c6e-5084c7a 1688->1694 1695 5084c56-5084c6c 1688->1695 1690->1688 1698 5084bfd-5084c04 1691->1698 1699 5084c06-5084c1a 1691->1699 1701 508503d-5085051 1692->1701 1702 5084ff0 1692->1702 1693->1692 1709 5084c85 1694->1709 1695->1709 1698->1688 1707 5084c1c-5084c23 1699->1707 1708 5084c25-5084c39 1699->1708 1703 508509a-50850ae 1701->1703 1704 5085053 1701->1704 2165 5084ff0 call 50872c9 1702->2165 2166 5084ff0 call 5087173 1702->2166 1711 50850b0-50850d9 1703->1711 1712 5085125-5085139 1703->1712 1704->1703 1707->1688 1708->1688 1717 5084c3b-5084c3d 1708->1717 1709->1678 1710 5084ff6 1710->1701 1711->1712 1719 50853ac-50853c0 1712->1719 1720 508513f-508535b 1712->1720 1717->1688 1723 5085496-50854aa 1719->1723 1724 50853c6-508544f 1719->1724 2104 508535d 1720->2104 2105 508535f 1720->2105 1728 50854b0-50855df 1723->1728 1729 5085667-508567b 1723->1729 1724->1723 2072 50855ea-5085620 1728->2072 1734 50857de-50857f2 1729->1734 1735 5085681-508578c 1729->1735 1742 50857f8-5085903 1734->1742 1743 5085955-5085969 1734->1743 2020 5085797 1735->2020 2037 508590e 1742->2037 1746 5085acc-5085ae0 1743->1746 1747 508596f-5085a7a 
1743->1747 1754 5085c43-5085c57 1746->1754 1755 5085ae6-5085bf1 1746->1755 2044 5085a85 1747->2044 1760 5085dba-5085dce 1754->1760 1761 5085c5d-5085d68 1754->1761 2060 5085bfc 1755->2060 1772 5085f31-5085f45 1760->1772 1773 5085dd4-5085edf 1760->1773 2077 5085d73 1761->2077 1779 50860a8-50860bc 1772->1779 1780 5085f4b-5086061 1772->1780 2081 5085eea 1773->2081 1788 508621f-5086233 1779->1788 1789 50860c2-50861cd 1779->1789 1780->1779 1796 5086239-5086344 1788->1796 1797 5086396-50863aa 1788->1797 2101 50861d8 1789->2101 2109 508634f 1796->2109 1806 508652e-5086542 1797->1806 1807 50863b0-50863f5 call 5084270 1797->1807 1810 5086548-5086567 1806->1810 1811 5086685-5086699 1806->1811 1940 50864b5-50864d7 1807->1940 1844 508660c-508662e 1810->1844 1823 508669f-508679f 1811->1823 1824 50867e6-50867fa 1811->1824 1823->1824 1842 5086800-5086900 1824->1842 1843 5086947-508695b 1824->1843 1842->1843 1849 5086aa8-5086ad2 1843->1849 1850 5086961-5086a61 1843->1850 1856 508656c-508657b 1844->1856 1857 5086634 1844->1857 1869 5086ad8-5086b4b 1849->1869 1870 5086b92-5086ba6 1849->1870 1850->1849 1879 5086581-5086585 1856->1879 1880 5086636 1856->1880 1857->1811 1858->1665 1869->1870 1885 5086bac-5086c03 1870->1885 1886 5086c83-5086c97 1870->1886 1891 5086590-50865b4 1879->1891 1900 508663b-5086683 1880->1900 2010 5086c0a-5086c3c 1885->2010 1893 5086ddd-5086df1 1886->1893 1894 5086c9d-5086d96 1886->1894 1961 50865fb-5086604 1891->1961 1962 50865b6-50865f0 1891->1962 1905 5087054-5087068 1893->1905 1906 5086df7-5086e47 1893->1906 1894->1893 1900->1811 1926 508706e-5087109 call 5084270 * 2 1905->1926 1927 5087150-5087157 1905->1927 2021 5086e49-5086e6f 1906->2021 2022 5086eb5-5086ee0 1906->2022 1926->1927 1954 50863fa-5086409 1940->1954 1955 50864dd 1940->1955 1958 50864df 1954->1958 1959 508640f-508646f 1954->1959 1955->1806 1985 50864e4-508652c 1958->1985 2078 5086479-50864ad 1959->2078 1961->1900 1979 5086606 1961->1979 1962->1961 1979->1844 1985->1806 2010->1886 2020->1734 
2099 5086eb0 2021->2099 2100 5086e71-5086e91 2021->2100 2096 5086fbe-508704f 2022->2096 2097 5086ee6-5086fb9 2022->2097 2037->1743 2044->1746 2060->1754 2072->1729 2077->1760 2078->1985 2098 50864af 2078->2098 2081->1772 2096->1905 2097->1905 2098->1940 2099->1905 2100->2099 2101->1788 2106 5085365 2104->2106 2105->2106 2167 508535f call 5087351 2105->2167 2106->1719 2109->1797 2165->1710 2166->1710 2167->2106
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: $:@k$:@k$:@k$:@k$:@k$:@k
                • API String ID: 0-3720531893
                • Opcode ID: f2be60475e1aaa007f73679d6e64152733a0af06b165895f8f66d4787cad5685
                • Instruction ID: 8d57fbaf12772c33049fd3b1e3f77c78f2759e86d60f08ee1e456d471cad6cce
                • Opcode Fuzzy Hash: f2be60475e1aaa007f73679d6e64152733a0af06b165895f8f66d4787cad5685
                • Instruction Fuzzy Hash: D2032874A01228CFDB25EF60E864BEDB7B2BB88304F0141E9D95967798DB319E85CF50

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 2168 5084628-5084675 2175 508467b-50847ca 2168->2175 2176 5084805-5084819 2168->2176 2175->2176 2177 508481f-5084924 2176->2177 2178 5084967-508497b 2176->2178 2371 508492c 2177->2371 2180 508497d-5084983 call 5084208 2178->2180 2181 50849ce-50849e2 2178->2181 2189 5084988-5084993 2180->2189 2184 5084a2a-5084a3e 2181->2184 2185 50849e4-50849ef 2181->2185 2186 5084b8c-5084ba0 2184->2186 2187 5084a44-5084b51 2184->2187 2185->2184 2191 5084ccc-5084ce0 2186->2191 2192 5084ba6-5084bba 2186->2192 2187->2186 2189->2181 2198 5084f6c-5084f80 2191->2198 2199 5084ce6-5084f25 2191->2199 2194 5084bc8-5084bdc 2192->2194 2195 5084bbc-5084bc3 2192->2195 2203 5084bde-5084be5 2194->2203 2204 5084be7-5084bfb 2194->2204 2201 5084c40-5084c54 2195->2201 2205 5084fda-5084fee 2198->2205 2206 5084f82-5084f93 2198->2206 2199->2198 2207 5084c6e-5084c7a 2201->2207 2208 5084c56-5084c6c 2201->2208 2203->2201 2211 5084bfd-5084c04 2204->2211 2212 5084c06-5084c1a 2204->2212 2214 508503d-5085051 2205->2214 2215 5084ff0 2205->2215 2206->2205 2222 5084c85 2207->2222 2208->2222 2211->2201 2220 5084c1c-5084c23 2212->2220 2221 5084c25-5084c39 2212->2221 2216 508509a-50850ae 2214->2216 2217 5085053 2214->2217 2678 5084ff0 call 50872c9 2215->2678 2679 5084ff0 call 5087173 2215->2679 2224 50850b0-50850d9 2216->2224 2225 5085125-5085139 2216->2225 2217->2216 2220->2201 2221->2201 2230 5084c3b-5084c3d 2221->2230 2222->2191 2223 5084ff6 2223->2214 2224->2225 2232 50853ac-50853c0 2225->2232 2233 508513f-508535b 2225->2233 2230->2201 2236 5085496-50854aa 2232->2236 2237 50853c6-508544f 2232->2237 2617 508535d 2233->2617 2618 508535f 2233->2618 2241 50854b0-50855df 2236->2241 2242 5085667-508567b 2236->2242 2237->2236 2585 50855ea-5085620 2241->2585 2247 50857de-50857f2 2242->2247 2248 5085681-508578c 2242->2248 2255 50857f8-5085903 2247->2255 2256 5085955-5085969 2247->2256 2533 5085797 2248->2533 2550 508590e 2255->2550 2259 5085acc-5085ae0 2256->2259 2260 508596f-5085a7a 
2256->2260 2267 5085c43-5085c57 2259->2267 2268 5085ae6-5085bf1 2259->2268 2557 5085a85 2260->2557 2273 5085dba-5085dce 2267->2273 2274 5085c5d-5085d68 2267->2274 2573 5085bfc 2268->2573 2285 5085f31-5085f45 2273->2285 2286 5085dd4-5085edf 2273->2286 2590 5085d73 2274->2590 2292 50860a8-50860bc 2285->2292 2293 5085f4b-5086061 2285->2293 2594 5085eea 2286->2594 2301 508621f-5086233 2292->2301 2302 50860c2-50861cd 2292->2302 2293->2292 2309 5086239-5086344 2301->2309 2310 5086396-50863aa 2301->2310 2614 50861d8 2302->2614 2622 508634f 2309->2622 2319 508652e-5086542 2310->2319 2320 50863b0-50863f5 call 5084270 2310->2320 2323 5086548-5086567 2319->2323 2324 5086685-5086699 2319->2324 2453 50864b5-50864d7 2320->2453 2357 508660c-508662e 2323->2357 2336 508669f-508679f 2324->2336 2337 50867e6-50867fa 2324->2337 2336->2337 2355 5086800-5086900 2337->2355 2356 5086947-508695b 2337->2356 2355->2356 2362 5086aa8-5086ad2 2356->2362 2363 5086961-5086a61 2356->2363 2369 508656c-508657b 2357->2369 2370 5086634 2357->2370 2382 5086ad8-5086b4b 2362->2382 2383 5086b92-5086ba6 2362->2383 2363->2362 2392 5086581-5086585 2369->2392 2393 5086636 2369->2393 2370->2324 2371->2178 2382->2383 2398 5086bac-5086c03 2383->2398 2399 5086c83-5086c97 2383->2399 2404 5086590-50865b4 2392->2404 2413 508663b-5086683 2393->2413 2523 5086c0a-5086c3c 2398->2523 2406 5086ddd-5086df1 2399->2406 2407 5086c9d-5086d96 2399->2407 2474 50865fb-5086604 2404->2474 2475 50865b6-50865f0 2404->2475 2418 5087054-5087068 2406->2418 2419 5086df7-5086e47 2406->2419 2407->2406 2413->2324 2439 508706e-5087109 call 5084270 * 2 2418->2439 2440 5087150-5087157 2418->2440 2534 5086e49-5086e6f 2419->2534 2535 5086eb5-5086ee0 2419->2535 2439->2440 2467 50863fa-5086409 2453->2467 2468 50864dd 2453->2468 2471 50864df 2467->2471 2472 508640f-508646f 2467->2472 2468->2319 2498 50864e4-508652c 2471->2498 2591 5086479-50864ad 2472->2591 2474->2413 2492 5086606 2474->2492 2475->2474 2492->2357 2498->2319 2523->2399 2533->2247 
2612 5086eb0 2534->2612 2613 5086e71-5086e91 2534->2613 2609 5086fbe-508704f 2535->2609 2610 5086ee6-5086fb9 2535->2610 2550->2256 2557->2259 2573->2267 2585->2242 2590->2273 2591->2498 2611 50864af 2591->2611 2594->2285 2609->2418 2610->2418 2611->2453 2612->2418 2613->2612 2614->2301 2619 5085365 2617->2619 2618->2619 2680 508535f call 5087351 2618->2680 2619->2232 2622->2310 2678->2223 2679->2223 2680->2619
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: $:@k$:@k$:@k$:@k$:@k
                • API String ID: 0-2050216740
                • Opcode ID: 333083243de6bd170f1a928dbf552ff00f22bb0e8c83a8442a0fc4485b9e553a
                • Instruction ID: 67a49b09bb1b1d36b6ec7b7ea5231f2598db71350252c617e31d92e4affca7c5
                • Opcode Fuzzy Hash: 333083243de6bd170f1a928dbf552ff00f22bb0e8c83a8442a0fc4485b9e553a
                • Instruction Fuzzy Hash: D8032974A01228CFDB25EF60E864BEDB7B2BB88304F0141E9D95967798DB319E85CF50

                Control-flow Graph

                • Executed
                • Not Executed
control_flow_graph: entry block 5084707-5084819; calls 5084208 (at 508497d), 50872c9 and 5087173 (at 5084ff0), 5084270 (at 50863b0 and twice at 508706e) and 5087351 (at 508535f). Node and edge list of the rendered graph omitted.
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: $:@k$:@k$:@k$:@k$:@k
                • API String ID: 0-2050216740
                • Opcode ID: ec931800b2d31342345314c096be2b775dc397a38222ad4d4f2cf250ac55f1ed
                • Instruction ID: de4a3ae64db6b1c9f26d914e39ca5f9bf6af15973ab58ea9f2fd6f1bd7707bf6
                • Opcode Fuzzy Hash: ec931800b2d31342345314c096be2b775dc397a38222ad4d4f2cf250ac55f1ed
                • Instruction Fuzzy Hash: A7F23974A01228CFDB25EF60E864BEDB7B2BB88304F0141E9D95967798DB319E85CF50

                Control-flow Graph

                • Executed
                • Not Executed
control_flow_graph: entry block 50847cc-5084819; calls 5084208 (at 508497d), 50872c9 and 5087173 (at 5084ff0), 5084270 (at 50863b0 and twice at 508706e) and 5087351 (at 508535f). Node and edge list of the rendered graph omitted.
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: $:@k$:@k$:@k$:@k$:@k
                • API String ID: 0-2050216740
                • Opcode ID: e97d085330fef2df7915bc39b146ccecf00985c550e26961589646a0083fab10
                • Instruction ID: bc399313661b47eb4055c68bba70a9bd1d8680ea1fd0920013c50d342a1656d0
                • Opcode Fuzzy Hash: e97d085330fef2df7915bc39b146ccecf00985c550e26961589646a0083fab10
                • Instruction Fuzzy Hash: 88F23974A01228CFDB25EF60E864BEDB7B2BB88304F0141E9D95967798DB319E85CF50

                Control-flow Graph

                • Executed
                • Not Executed
control_flow_graph: entry block 508492e-508497b; calls 5084208 (at 508497d), 50872c9 and 5087173 (at 5084ff0), 5084270 (at 50863b0 and twice at 508706e) and 5087351 (at 508535f). Node and edge list of the rendered graph omitted.
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: $:@k$:@k$:@k$:@k$:@k
                • API String ID: 0-2050216740
                • Opcode ID: 9e3541df1824b58e0248c2daf2ca22700d5253ddb8e901a00b8586035642f6bd
                • Instruction ID: c95f31bcd63df512124504c6ea44a312667a21ff91c08681602ddc6fb6e45fc7
                • Opcode Fuzzy Hash: 9e3541df1824b58e0248c2daf2ca22700d5253ddb8e901a00b8586035642f6bd
                • Instruction Fuzzy Hash: EEF24A74A01228CFDB25EF60E864BEDB7B2BB88304F0141E9D95967798DB319E85CF50

                Control-flow Graph

                • Executed
                • Not Executed
control_flow_graph: entry block 5084995-50849e2; calls 50872c9 and 5087173 (at 5084ff0), 5084270 (at 50863b0 and twice at 508706e) and 5087351 (at 508535f). Node and edge list of the rendered graph omitted.
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: $:@k$:@k$:@k$:@k$:@k
                • API String ID: 0-2050216740
                • Opcode ID: f20d9eb65a7e809536a94325242b4eaf113e82b02295a2acf426c4a6d68e7475
                • Instruction ID: 7c3f6d333f9bd288023e9fbd51cd2a0e1b4c6bdf90f47bc49b6d4598d8641459
                • Opcode Fuzzy Hash: f20d9eb65a7e809536a94325242b4eaf113e82b02295a2acf426c4a6d68e7475
                • Instruction Fuzzy Hash: 99F24A74A01228CFDB25EF60E864BEDB7B2BB88304F0141E9D95967798DB319E85CF50

                Control-flow Graph

                • Executed
                • Not Executed
control_flow_graph: entry block 50849f1-5084a3e; calls 50872c9 and 5087173 (at 5084ff0), 5084270 (at 50863b0 and twice at 508706e) and 5087351 (at 508535f). Node and edge list of the rendered graph omitted.
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: $:@k$:@k$:@k$:@k$:@k
                • API String ID: 0-2050216740
                • Opcode ID: 6891878084e0fe0e97c5eeb44bf91f6bcfa596d8633330921445973e96b80e58
                • Instruction ID: 5386a5be558bfaf5deb1cd68d65f261a3cd61ac475e21b6bfeafcce90c2cd906
                • Opcode Fuzzy Hash: 6891878084e0fe0e97c5eeb44bf91f6bcfa596d8633330921445973e96b80e58
                • Instruction Fuzzy Hash: 3EF24A74A01228CFDB25EF60E864BEDB7B2BB88304F0141E9D95967798DB319E85CF50

                Control-flow Graph

                • Executed
                • Not Executed
control_flow_graph: entry block 5084b53-5084ba0; calls 50872c9 and 5087173 (at 5084ff0), 5084270 (at 50863b0 and twice at 508706e) and 5087351 (at 508535f). Node and edge list of the rendered graph omitted.
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: $:@k$:@k$:@k$:@k$:@k
                • API String ID: 0-2050216740
                • Opcode ID: 63c8e30573064738c5c5affe46dbed8ca09a5cac55eb2d447e3657bdca042105
                • Instruction ID: 7e56ffbee4931ed0090a9184c8d8542fa6e7426d109201a45c6187a09069cc94
                • Opcode Fuzzy Hash: 63c8e30573064738c5c5affe46dbed8ca09a5cac55eb2d447e3657bdca042105
                • Instruction Fuzzy Hash: F4E24A74A01228CFDB25EF60E864BEDB7B2BB88304F0141E9D959A7794DB319E85CF50

                Control-flow Graph

                • Executed
                • Not Executed
control_flow_graph: entry block 5084c87-5084ce0; calls 50872c9 and 5087173 (at 5084ff0), 5084270 (at 50863b0 and twice at 508706e) and 5087351 (at 508535f). Node and edge list of the rendered graph omitted.
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k$:@k$:@k$:@k$:@k
                • API String ID: 0-1600721942
                • Opcode ID: 444898a8a10d6169ee2cc7c94ebd13c317451f9cc29166114c81099595c06fa4
                • Instruction ID: af32739dc2198339cad8260da9e7ec69df421b6b3a25b7c85b4c2da3b2a567bd
                • Opcode Fuzzy Hash: 444898a8a10d6169ee2cc7c94ebd13c317451f9cc29166114c81099595c06fa4
                • Instruction Fuzzy Hash: 26E23A74A01228CFDB25EF60E864BEDB7B2BB88304F0141E9D959A7794DB319E85CF50

                Control-flow Graph
                • Entry block: 5084f27-5084f80; graph edges record calls to 50872c9, 5087173, 5084270 and 5087351 (graph rendering not recoverable from extraction; the executed/not-executed block colouring is lost)
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k$:@k
                • API String ID: 0-4032727010
                • Opcode ID: de67760cd80d6e770142fc3092f9634e9ecb85c80a26ea214c0e09ac60cef1ce
                • Instruction ID: 89579281f89029cdb48998dc9b29d1e3b9f15fd5a9bfeaf743ee48ce43857562
                • Opcode Fuzzy Hash: de67760cd80d6e770142fc3092f9634e9ecb85c80a26ea214c0e09ac60cef1ce
                • Instruction Fuzzy Hash: EDD23A74A012288FDB65EF70E864BEDB7B2BB48304F0141E9D959A7398DB319E85DF40

                Control-flow Graph
                • Entry block: 5084f95-5084fee; graph edges record calls to 50872c9, 5087173, 5084270 and 5087351 (graph rendering not recoverable from extraction; the executed/not-executed block colouring is lost)
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k$:@k
                • API String ID: 0-4032727010
                • Opcode ID: 7ebafd750b6069692375810e46cf9867574b54cf3813e541553bf07757ab35ff
                • Instruction ID: 94948829217587a991d7e5196055b151648f8a7e71d93e51d8a3d0dce6514d7c
                • Opcode Fuzzy Hash: 7ebafd750b6069692375810e46cf9867574b54cf3813e541553bf07757ab35ff
                • Instruction Fuzzy Hash: D4D22974A012288FDB65EF70E864BEDB7B2BB48304F0141E9D959A7398DB319E85DF40

                Control-flow Graph
                • Entry block: 5084ff8-5085051; graph edges record calls to 5084270 and 5087351 (graph rendering not recoverable from extraction; the executed/not-executed block colouring is lost)
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k$:@k
                • API String ID: 0-4032727010
                • Opcode ID: 4ac9c825ba564c46a1f25638bfe056f4e4175ec3c9c1d7d0f67e307cd0783034
                • Instruction ID: 3f8dc191846f699c514bdd462db17fcb3d4292d89f4a13c7514b1d15a3844b17
                • Opcode Fuzzy Hash: 4ac9c825ba564c46a1f25638bfe056f4e4175ec3c9c1d7d0f67e307cd0783034
                • Instruction Fuzzy Hash: 61D23A74A012288FDB65EF70E864BEDB7B2BB88304F0141E9D959A7394DB319E85DF40

                Control-flow Graph
                • Entry block: 5085055-50850ae; graph edges record calls to 5084270 and 5087351 (graph rendering not recoverable from extraction; the executed/not-executed block colouring is lost)
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k$:@k
                • API String ID: 0-4032727010
                • Opcode ID: 4da7813448ed464e921f75a8b5eabbfb0a93f01e1b9d6471fd95f6f1d74ddfd0
                • Instruction ID: 744854ba00f6b17b0b30fbf504692a15e50c311cc62775578785439504529fb8
                • Opcode Fuzzy Hash: 4da7813448ed464e921f75a8b5eabbfb0a93f01e1b9d6471fd95f6f1d74ddfd0
                • Instruction Fuzzy Hash: A8D23A74A012288FDB65EF70E864BEDB7B2BB88304F0141E9D959A7394DB319E85DF40

                Control-flow Graph
                • Entry block: 50850db-5085139; graph edges record calls to 5084270 and 5087351 (graph rendering not recoverable from extraction; the executed/not-executed block colouring is lost)
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k$:@k
                • API String ID: 0-4032727010
                • Opcode ID: 68344641228aee1358181c66a97afd59d64fcc590d42b65e584f7ad75c9c70cb
                • Instruction ID: e28724e140f3a0a77e333f9d91624c6059813669a0691329e65ee1105f8eadb9
                • Opcode Fuzzy Hash: 68344641228aee1358181c66a97afd59d64fcc590d42b65e584f7ad75c9c70cb
                • Instruction Fuzzy Hash: 7BD23974A012288FDB65EF70E864BEDB7B2BB88304F0141E9D959A7394DB319E85DF40
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k$:@k
                • API String ID: 0-4032727010
                • Opcode ID: 1297f4a691bb3eeefc1f56614217350fe96a602c3f86c9c1b12e7e40c7b9d30c
                • Instruction ID: 4030d958b3798e2cdcb58f8f30b56619c7c26dfe2e70bbc863b66a9a586a4f7f
                • Opcode Fuzzy Hash: 1297f4a691bb3eeefc1f56614217350fe96a602c3f86c9c1b12e7e40c7b9d30c
                • Instruction Fuzzy Hash: B3C21874A01228CFDB65EF60E864BADB7B6FB88304F1141E9D90967794DB329E85CF40
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k$:@k
                • API String ID: 0-4032727010
                • Opcode ID: 3c1dddfaaef917cca7487d41900c7c538270b7df5b01d029cb88fae2e458c63d
                • Instruction ID: 0c5407b3e1b8e550d76872c0b1c2ee190d76bc14a34ec24b1036b8a0f6679233
                • Opcode Fuzzy Hash: 3c1dddfaaef917cca7487d41900c7c538270b7df5b01d029cb88fae2e458c63d
                • Instruction Fuzzy Hash: 04C20874A01228CFDB65EF60E864BADB7B6FB48304F1141E9D90967798DB329E85CF40
                APIs
                • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 011CBDCB
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: AdjustPrivilegesToken
                • String ID:
                • API String ID: 2874748243-0
                • Opcode ID: cbc142bad7a08f6b3517a1ce85e29385b7a058e5abf0c9709ee992b6872fb5fd
                • Instruction ID: 19200247d8b6cca2a60dc1620089632e1799b4aadf145c843a1eec43249b0e0c
                • Opcode Fuzzy Hash: cbc142bad7a08f6b3517a1ce85e29385b7a058e5abf0c9709ee992b6872fb5fd
                • Instruction Fuzzy Hash: F321BC755093809FEB238F25DC45BA2BFB4EF06710F08849AE984CF563D330A908DB62
                APIs
                • NtQuerySystemInformation.NTDLL ref: 011CBF39
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: InformationQuerySystem
                • String ID:
                • API String ID: 3562636166-0
                • Opcode ID: cd2ec981b2b65a91803c10580e4549458b03259bbcd7e902557cae5367694ebb
                • Instruction ID: 2f3b19fa582592eb67f8ee15e366f1b67f5647682027b100e05bb69600933d76
                • Opcode Fuzzy Hash: cd2ec981b2b65a91803c10580e4549458b03259bbcd7e902557cae5367694ebb
                • Instruction Fuzzy Hash: E0118E754093849FDB228B25DC45A52FFB4EF06314F0984DAE9848B663D265A908CB62
                APIs
                • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 011CBDCB
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: AdjustPrivilegesToken
                • String ID:
                • API String ID: 2874748243-0
                • Opcode ID: 056a6a079d0b5513a885d979dfbd559a701f3202b7ac85d99f82fc6c8164808d
                • Instruction ID: 1f5359fe16ac35298463291b05d90e7439a8bd231fe2ec8328972dca7bd56f03
                • Opcode Fuzzy Hash: 056a6a079d0b5513a885d979dfbd559a701f3202b7ac85d99f82fc6c8164808d
                • Instruction Fuzzy Hash: AA119E756042009FEB20CF55D985B66FBE4EF14620F08C46EDE45CB652D331E418DFA2
                APIs
                • NtQuerySystemInformation.NTDLL ref: 011CBF39
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: InformationQuerySystem
                • String ID:
                • API String ID: 3562636166-0
                • Opcode ID: 8d010d9fbeaa8a7bec6c47cbb70a4340fbb22e6be676fcdc6035cf7ec3889d2a
                • Instruction ID: c2366eb6419144b374722e486e364700602482fe926619a5f94dbaca688c9ef8
                • Opcode Fuzzy Hash: 8d010d9fbeaa8a7bec6c47cbb70a4340fbb22e6be676fcdc6035cf7ec3889d2a
                • Instruction Fuzzy Hash: 6C018F755042049FEB218F15D985B61FBE0EF24B20F08C09EED494A762C376E418CFA2
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b8bcfbea466d376e778d34e892440ce211b75de3027ca318b68f2c2a3c3b86ed
                • Instruction ID: c783c17bc423644422377d77e6a8a03b89e79b9f977cccc1ae45aef443c2d7ed
                • Opcode Fuzzy Hash: b8bcfbea466d376e778d34e892440ce211b75de3027ca318b68f2c2a3c3b86ed
                • Instruction Fuzzy Hash: 5F4205316012229BDB29FB71F450A7C73B2FB80355B668175D4A19B2D8EB3BED81C790
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k$:@k
                • API String ID: 0-4032727010
                • Opcode ID: cea969ed68ecf000de79216011611871668db87f9efdf4fccffc1262b042b404
                • Instruction ID: 13ec2f692fc059ce22e55d136fddf5dc966bffd8128d44b506324f5a80e090f2
                • Opcode Fuzzy Hash: cea969ed68ecf000de79216011611871668db87f9efdf4fccffc1262b042b404
                • Instruction Fuzzy Hash: C4B25D74B0015ACBDB25AF65F820BBD77F2BB98304F12806AD99593798CB348D85DF21
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k$:@k
                • API String ID: 0-4032727010
                • Opcode ID: f34c1699609265d884ab5a41f7da97288655c8c0850c7f17e8e9e6a4ad146975
                • Instruction ID: f26ca0127fcd8191125a21f8b379ee5804fc7bff4ff3fde6f2ebbef8b59c64c7
                • Opcode Fuzzy Hash: f34c1699609265d884ab5a41f7da97288655c8c0850c7f17e8e9e6a4ad146975
                • Instruction Fuzzy Hash: C792A03470016A8BDF15BF65A820BBD77F7AB98304F12806BD89593B98CB74CD85DB21
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k$:@k
                • API String ID: 0-4032727010
                • Opcode ID: 054eb9cb15a13aa7b4c95df17d84ef45e740b8850f82bcb78b1b5595edbeab51
                • Instruction ID: f3e2168e2e2128843bada90860d57a90a402a8b813dd7feae4c191aaa96e860d
                • Opcode Fuzzy Hash: 054eb9cb15a13aa7b4c95df17d84ef45e740b8850f82bcb78b1b5595edbeab51
                • Instruction Fuzzy Hash: 3792A13470016A8BDF15BF65A820BBD77F7AB98304F12806BD89593B98CB74CD85DB21
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k$:@k
                • API String ID: 0-4032727010
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                APIs
                • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 012F0ADD
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                APIs
                • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 012F10AA
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: QueryValue
                • String ID:
                • API String ID: 3660427363-0
                APIs
                • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 011CB291
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: Open
                • String ID:
                • API String ID: 71445658-0
                APIs
                • getaddrinfo.WS2_32(?,00000E24), ref: 012F1E47
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: getaddrinfo
                • String ID:
                • API String ID: 300660673-0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                APIs
                • GetProcessTimes.KERNELBASE(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 012F1C9D
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: ProcessTimes
                • String ID:
                • API String ID: 1995159646-0
                APIs
                • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 011CAB25
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                APIs
                • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 012F1593
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: DescriptorSecurity$ConvertString
                • String ID:
                • API String ID: 3907675253-0
                APIs
                • CreateMutexW.KERNELBASE(?,?), ref: 011CB0DD
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: CreateMutex
                • String ID:
                • API String ID: 1964310414-0
                APIs
                • RegQueryValueExW.KERNELBASE(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 011CB394
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: QueryValue
                • String ID:
                • API String ID: 3660427363-0
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                APIs
                • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 012F0ADD
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                APIs
                • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 011CA77E
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: Clipboard
                • String ID:
                • API String ID: 220874293-0
                APIs
                • RegSetValueExW.KERNELBASE(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 012F0BD4
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: Value
                • String ID:
                • API String ID: 3702945584-0
                APIs
                • GetExitCodeProcess.KERNELBASE(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 012F2E00
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: CodeExitProcess
                • String ID:
                • API String ID: 3861947596-0
                APIs
                • getaddrinfo.WS2_32(?,00000E24), ref: 012F1E47
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: getaddrinfo
                • String ID:
                • API String ID: 300660673-0
                APIs
                • SendMessageTimeoutA.USER32(?,00000E24), ref: 011CB571
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: MessageSendTimeout
                • String ID:
                • API String ID: 1599653421-0
                APIs
                • SetFileAttributesW.KERNELBASE(?,?), ref: 011CBAF3
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: select
                • String ID:
                • API String ID: 1274211008-0
                APIs
                • WriteFile.KERNELBASE(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 011CAF0D
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: FileWrite
                • String ID:
                • API String ID: 3934441357-0
                APIs
                • MapViewOfFile.KERNELBASE(00000000), ref: 012F1746
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: FileView
                • String ID:
                • API String ID: 3314676101-0
                APIs
                • WSASocketW.WS2_32(?,?,?,?,?), ref: 012F1162
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: Socket
                • String ID:
                • API String ID: 38366605-0
                APIs
                • FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 011CA10E
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: FileFindNext
                • String ID:
                • API String ID: 2029273394-0
                • Opcode ID: 6173f201682d12b44ffd048147f396294dee4baa7d33dca9c7b35265554453a0
                • Instruction ID: 8aafb43fe8bd6920bb67732cf9a0e26817c6308ef4cafa939baafc980945ce81
                • Opcode Fuzzy Hash: 6173f201682d12b44ffd048147f396294dee4baa7d33dca9c7b35265554453a0
                • Instruction Fuzzy Hash: 4021B37150D3C06FC3128B218C55B66BFB4EF87620F1985DBD984DF693D238A909CBA2
                APIs
                • RegSetValueExW.KERNELBASE(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 011CB480
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: Value
                • String ID:
                • API String ID: 3702945584-0
                • Opcode ID: b0e45def1af37f89d9c8745064e75b0f35220be33858eaf822cc0cdbd21edbc1
                • Instruction ID: f4959fb70ca33391432f2fd32ff5f55315c292cf61b1dcf792ef2706bee40234
                • Opcode Fuzzy Hash: b0e45def1af37f89d9c8745064e75b0f35220be33858eaf822cc0cdbd21edbc1
                • Instruction Fuzzy Hash: 7D21DE76508780AFEB228B15DC45FA3FFB8EF46610F08848AE985CB652C324E848C771
                APIs
                • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 012F1593
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: DescriptorSecurity$ConvertString
                • String ID:
                • API String ID: 3907675253-0
                • Opcode ID: f6ed031f7978655a7de8c012029e4f1ba2d6d445ce2c995fe9f2787bf8eae06f
                • Instruction ID: 8fbff0d9386d187507c3158425a097217a2681c65a5c251a5045ef6ab78349d1
                • Opcode Fuzzy Hash: f6ed031f7978655a7de8c012029e4f1ba2d6d445ce2c995fe9f2787bf8eae06f
                • Instruction Fuzzy Hash: 7B21D771600204AFEB20DF65DD45FAAFBECEF04214F08846AEA45CB641D374E548CB71
                APIs
                • RegQueryValueExW.KERNELBASE(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 012F14A8
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: QueryValue
                • String ID:
                • API String ID: 3660427363-0
                • Opcode ID: f0a01eb6e9bc79b712deed82f6e38b67e7242c022588562f478cd9afb4fb3094
                • Instruction ID: 58a9586243085ffd24ddff485ca4a8176bfb5901cb153c7b4b7f95da8b9db478
                • Opcode Fuzzy Hash: f0a01eb6e9bc79b712deed82f6e38b67e7242c022588562f478cd9afb4fb3094
                • Instruction Fuzzy Hash: 9721A175504384AFE722CB56DD44FA7FFF8EF45610F08849AEA859B692D324E408CB61
                APIs
                • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 011CAB25
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 2c755afad841ac81c0f9e9a138c52781fa25d3c5bddb635c243082e198d83679
                • Instruction ID: a859c5b0907ad4059220cb8c8c10f86b3d7f784dea45fcc3603e41576c96f40c
                • Opcode Fuzzy Hash: 2c755afad841ac81c0f9e9a138c52781fa25d3c5bddb635c243082e198d83679
                • Instruction Fuzzy Hash: F72181B1600204AFEB25CF66DD85B66FBE8EF14614F08886DEA458B652E375E408CB71
                APIs
                • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 011CB291
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: Open
                • String ID:
                • API String ID: 71445658-0
                • Opcode ID: 04011f5e636dc4f83caa54fba3ef1179a8ca99368020a18c025360a8ad3bbc94
                • Instruction ID: d6ca475956388adb8c2067c06dd59b1e156775e0d68c557c753a802241287e89
                • Opcode Fuzzy Hash: 04011f5e636dc4f83caa54fba3ef1179a8ca99368020a18c025360a8ad3bbc94
                • Instruction Fuzzy Hash: 6C21FFB2500204AEEB208B55CD45FABFBECEF14710F04841AE944CAA42D320E44CCAB6
                APIs
                • GetProcessWorkingSetSize.KERNEL32(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 012F2EDF
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: ProcessSizeWorking
                • String ID:
                • API String ID: 3584180929-0
                • Opcode ID: b5c05b44ac1aabb551b83ca46275ad4d37a5cb25473afcbc01eadd9c38d570d0
                • Instruction ID: 9aa8523cb6e5fffb4bd3d08c5e7756b21f53f5c5bec3f2b6a36ec8a458041210
                • Opcode Fuzzy Hash: b5c05b44ac1aabb551b83ca46275ad4d37a5cb25473afcbc01eadd9c38d570d0
                • Instruction Fuzzy Hash: 7321D7755053846FDB22CB15DC44FA6FFA8EF46210F0884AEE944CB592D374E548CB71
                APIs
                • SetErrorMode.KERNELBASE(?), ref: 011CAA44
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: ErrorMode
                • String ID:
                • API String ID: 2340568224-0
                • Opcode ID: 9d88c5b9d43165b9a0c28025beedf55c481341de54a96a5aebab8e096a5abb34
                • Instruction ID: a531e62c403be0b180651bde06e873551c4aa71d866efcf2c28405bdcf4b5669
                • Opcode Fuzzy Hash: 9d88c5b9d43165b9a0c28025beedf55c481341de54a96a5aebab8e096a5abb34
                • Instruction Fuzzy Hash: 0E21896540E3C49FDB138B259C64A51BFB4EF53624F0E80DBD8848F6A3D268980CCB72
                APIs
                • GetFileType.KERNELBASE(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 011CACBD
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: FileType
                • String ID:
                • API String ID: 3081899298-0
                • Opcode ID: 859d6a4d61c2aadfb2b4f82eddb5cea819965031f6a02972093e182514c57c36
                • Instruction ID: bbb3ad2c675dd44a84302ea1255bc8a05e6500a5a9314cceeb014b3a682dd5a6
                • Opcode Fuzzy Hash: 859d6a4d61c2aadfb2b4f82eddb5cea819965031f6a02972093e182514c57c36
                • Instruction Fuzzy Hash: 312105B54083846FE7128B11DC44BA2BFB8EF43714F0880DAE9848B693D268A90DC775
                APIs
                • shutdown.WS2_32(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 012F19CC
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: shutdown
                • String ID:
                • API String ID: 2510479042-0
                • Opcode ID: dcd325b03fbd3c103622cc2b3950a599e4e90e6d38dea1bcd125d80cd3450781
                • Instruction ID: b227f4afe8869712ea1e514a3252afb275065bd70ad03b3eb8ab1a0ae0dcda9a
                • Opcode Fuzzy Hash: dcd325b03fbd3c103622cc2b3950a599e4e90e6d38dea1bcd125d80cd3450781
                • Instruction Fuzzy Hash: EB21D4B1409384AFDB12CB15DC44B96FFB8EF46620F0884DBE9849F653C368A548CB72
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: send
                • String ID:
                • API String ID: 2809346765-0
                • Opcode ID: 9e7d5c8bd664380ac956652c5b6d3b2f5f2f799bdb4220b6bb519403dac3df97
                • Instruction ID: c94a4d85fe175ce7f48e4f302e4577a70565933e14146ac4ebad0adf042897a6
                • Opcode Fuzzy Hash: 9e7d5c8bd664380ac956652c5b6d3b2f5f2f799bdb4220b6bb519403dac3df97
                • Instruction Fuzzy Hash: 5F21AC7540D3C09FDB238B259C94A52BFB4EF47220F0984DBD9848F5A3D269A809DB72
                APIs
                • CreateMutexW.KERNELBASE(?,?), ref: 011CB0DD
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: CreateMutex
                • String ID:
                • API String ID: 1964310414-0
                • Opcode ID: 7e4029ef37c5dabba79a764621a5cc1819debb7454eadbf6cb99f35c12a4a040
                • Instruction ID: 2247edd9f27869db16e4bff4f38cf9128bbb907c6d70bfaef63fce26937bdc57
                • Opcode Fuzzy Hash: 7e4029ef37c5dabba79a764621a5cc1819debb7454eadbf6cb99f35c12a4a040
                • Instruction Fuzzy Hash: B221D4B16042009FEB20DF66DD86BA6FBE8EF14620F04846DE945CB742D375E408CB76
                APIs
                • ioctlsocket.WS2_32(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 012F2C53
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: ioctlsocket
                • String ID:
                • API String ID: 3577187118-0
                • Opcode ID: 8b8066c5ac9914d450a91a2cfbb149b1b45e74d07bca7fd77693bbaf1ebe669b
                • Instruction ID: 14fe7a61f4d0499c60808b13aebe6cfaca2d548896e8ce8bae89086be9293320
                • Opcode Fuzzy Hash: 8b8066c5ac9914d450a91a2cfbb149b1b45e74d07bca7fd77693bbaf1ebe669b
                • Instruction Fuzzy Hash: 9B21F371409384AFDB22CF51DD44FA6FFB8EF46210F08849AEA849B652C334A508C7B1
                APIs
                • RegQueryValueExW.KERNELBASE(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 011CB394
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: QueryValue
                • String ID:
                • API String ID: 3660427363-0
                • Opcode ID: f82ebd018fd8714042bfccacba492c463bce1e4be3628c109ff44add9a1c3dcd
                • Instruction ID: 4882e365bca19f446c54e3194a0507f85bb9b941b51f98fe4352c9f3fbe9b513
                • Opcode Fuzzy Hash: f82ebd018fd8714042bfccacba492c463bce1e4be3628c109ff44add9a1c3dcd
                • Instruction Fuzzy Hash: E921C075608200AFE720CF56DD85FA7B7ECEF14B50F08845AED45CB652D360E848CAB5
                APIs
                • CopyFileW.KERNELBASE(?,?,?), ref: 011CB82A
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: CopyFile
                • String ID:
                • API String ID: 1304948518-0
                • Opcode ID: 2512a9f6dd8d21015d1404734ecd133d1753da2eb0094c84e674a67606e2e56f
                • Instruction ID: 6b1ccdee18f871fc5b2d4ce7c92b238e299ec60004297035fcb017983933059e
                • Opcode Fuzzy Hash: 2512a9f6dd8d21015d1404734ecd133d1753da2eb0094c84e674a67606e2e56f
                • Instruction Fuzzy Hash: 0A2181716093805FEB628F29DC55B63BFE8EF46610F08849EED85CB652D225E804CB61
                APIs
                • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 012F1FCE
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: Connect
                • String ID:
                • API String ID: 3144859779-0
                • Opcode ID: 9ec6b7ae80cce5267834d4d6b521220b0b5cf18cd2aa5b486bb5413924fb83b4
                • Instruction ID: 28dc29a4f0377ec74dd78d6161e46458d548d3433b02cad4dc65cf1badb90021
                • Opcode Fuzzy Hash: 9ec6b7ae80cce5267834d4d6b521220b0b5cf18cd2aa5b486bb5413924fb83b4
                • Instruction Fuzzy Hash: 25217F75508380AFDB228F55DC44B62FFB4EF06710F08859EEA858B562D235A418DB61
                APIs
                • WSASocketW.WS2_32(?,?,?,?,?), ref: 012F1162
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: Socket
                • String ID:
                • API String ID: 38366605-0
                • Opcode ID: 61fb8731024baff3f4787786c1d92c774b5fd5a0f039419eef9ecb59c7003c76
                • Instruction ID: 4a932b599c9d7902a4e853365f7cb5d82ec0b23f8fe26748d313275222253690
                • Opcode Fuzzy Hash: 61fb8731024baff3f4787786c1d92c774b5fd5a0f039419eef9ecb59c7003c76
                • Instruction Fuzzy Hash: 0D21A171500200AFEB21CF56DD45BA6FBE8EF08324F04886EEA458AB52D375E559CB71
                APIs
                • MapViewOfFile.KERNELBASE(00000000), ref: 012F1746
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: FileView
                • String ID:
                • API String ID: 3314676101-0
                • Opcode ID: 9de3f43e3ff41f05e8478b33a1b2cb9f49429c1419843feb1dbebcd61211f4fb
                • Instruction ID: 565477e355f26dcc3834452925529088f61804f05262297fdb5a2a3b20fbbb04
                • Opcode Fuzzy Hash: 9de3f43e3ff41f05e8478b33a1b2cb9f49429c1419843feb1dbebcd61211f4fb
                • Instruction Fuzzy Hash: AE21D171500200AFE721CF56DD85FA6FBE8EF08224F04846DEA498B652D371E548CBA1
                APIs
                • LoadLibraryA.KERNELBASE(?,00000E24), ref: 012F2297
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 8dbdefa7f5b620f280f046c726a589b6e99a91634bee108183925d65466c31c2
                • Instruction ID: 9ee1b96652cbd15edddde91678aac88dc60e369e6c52ed670897d0b095d33704
                • Opcode Fuzzy Hash: 8dbdefa7f5b620f280f046c726a589b6e99a91634bee108183925d65466c31c2
                • Instruction Fuzzy Hash: 1211E475504340AFE721CB15DD85FA6FBA8DF45720F18809AFA448B692C264A948CB61
                APIs
                • SendMessageTimeoutA.USER32(?,00000E24), ref: 011CB571
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: MessageSendTimeout
                • String ID:
                • API String ID: 1599653421-0
                • Opcode ID: 74322041b0963ffca8ac1f99e346359b0a88b85555bf5a426a0f1f9f893a01e6
                • Instruction ID: a51f6cd54eb31309836b51df3aa73745f7a357b3c2b367855d2d92718662cbf9
                • Opcode Fuzzy Hash: 74322041b0963ffca8ac1f99e346359b0a88b85555bf5a426a0f1f9f893a01e6
                • Instruction Fuzzy Hash: 7C212172500200AFEB318F51DC41FA6FBA8EF14710F18845EEE458AA91C371E508CBB5
                APIs
                • RegQueryValueExW.KERNELBASE(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 012F14A8
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: QueryValue
                • String ID:
                • API String ID: 3660427363-0
                • Opcode ID: dfbc2663a97930880cb2d9cd9d1ca4bd746c6cfee755b1ca0f56c155920545da
                • Instruction ID: f0f5f24295365b2f24cfca56077b24bad94332a2f3e526e5e8b57acd2eb0c59b
                • Opcode Fuzzy Hash: dfbc2663a97930880cb2d9cd9d1ca4bd746c6cfee755b1ca0f56c155920545da
                • Instruction Fuzzy Hash: AA11E4756002049FEB21CF16CD44FA6F7ECEF44624F08806EEA458BA52D374E448CBB1
                APIs
                • RegSetValueExW.KERNELBASE(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 011CB480
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: Value
                • String ID:
                • API String ID: 3702945584-0
                • Opcode ID: 33320e04af1b6244e5c3eb4394fbbc5ba3b97469f47d218aa030c58d11e5ff85
                • Instruction ID: 4041fb968a27a106a84cb5a5e0d00903b5a6d30eecd602b59a3dd1646c4471a9
                • Opcode Fuzzy Hash: 33320e04af1b6244e5c3eb4394fbbc5ba3b97469f47d218aa030c58d11e5ff85
                • Instruction Fuzzy Hash: 1C1106755046009FEB218F05DC41FA7FBECEF14610F08845AED42CA752D330E408CAB5
                APIs
                • GetProcessTimes.KERNELBASE(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 012F1C9D
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: ProcessTimes
                • String ID:
                • API String ID: 1995159646-0
                • Opcode ID: 66dddb7bb0a4cf408381b1f5f6b865e225d9a7fa91bc7505a81e3952f26d8a28
                • Instruction ID: 127a4f0d9c5677c2ecba301d79479cbf57cde40cda15dc45ae0aabae06719974
                • Opcode Fuzzy Hash: 66dddb7bb0a4cf408381b1f5f6b865e225d9a7fa91bc7505a81e3952f26d8a28
                • Instruction Fuzzy Hash: 7C11E675500200AFEB21CF55DD45BAAFBE8EF04320F18846EEA45CB651D375E458CBB2
                APIs
                • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 011CBC4A
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: LookupPrivilegeValue
                • String ID:
                • API String ID: 3899507212-0
                • Opcode ID: 21b3148216e0aa3be6ad9bf2cfcefad7b10ab1168dad8ad61ce9fa10b38a1fb3
                • Instruction ID: 1c2d4b28e42418c2292e62c74cb48e4765ced8f98908b98b8270da706d12d605
                • Opcode Fuzzy Hash: 21b3148216e0aa3be6ad9bf2cfcefad7b10ab1168dad8ad61ce9fa10b38a1fb3
                • Instruction Fuzzy Hash: 3511D3B16043405FEB21CF29DC45B63BFE8EF45620F0884AEED45CB252D275E804CB65
                APIs
                • SetProcessWorkingSetSize.KERNEL32(00000000,?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 012F2FC3
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: ProcessSizeWorking
                • String ID:
                • API String ID: 3584180929-0
                • Opcode ID: 7bf7b622dab0c1e86796b455464c75df5352b5ee119b2253201594f6fd9c0785
                • Instruction ID: fdb9943f283e3737b2e9953e0cb31df949d4c7d65b8237ccdfdb37724ac94f00
                • Opcode Fuzzy Hash: 7bf7b622dab0c1e86796b455464c75df5352b5ee119b2253201594f6fd9c0785
                • Instruction Fuzzy Hash: 51117FB55093806FEB22CB25CD48F56BFA8AF46614F08849EF584DB592C364A848CB65
                APIs
                • GetProcessWorkingSetSize.KERNEL32(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 012F2EDF
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: ProcessSizeWorking
                • String ID:
                • API String ID: 3584180929-0
                • Opcode ID: 82d641a6e420fe274e7bcabac0725ffaec4ddf586432c882cbb98f4dae83e91e
                • Instruction ID: b2a5de841261d66a80e6c4fc748c34cfa1f5dcb0e149c281cbd666be384b201d
                • Opcode Fuzzy Hash: 82d641a6e420fe274e7bcabac0725ffaec4ddf586432c882cbb98f4dae83e91e
                • Instruction Fuzzy Hash: 5611C4756102009FEB21CF15DD45BA6F7E8DF45324F18846AEE45CB641D374E548CBB1
                APIs
                • RegSetValueExW.KERNELBASE(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 012F0BD4
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: Value
                • String ID:
                • API String ID: 3702945584-0
                • Opcode ID: 327b3a0b27391f17768af1f03a913f885dbb7396e195b1ed03c745f4ff6ebaec
                • Instruction ID: 57042261f9826523bb5af818ba949adc76e5c976e690c4002f017a46c426c9a3
                • Opcode Fuzzy Hash: 327b3a0b27391f17768af1f03a913f885dbb7396e195b1ed03c745f4ff6ebaec
                • Instruction Fuzzy Hash: E511C476500704AFEB218F15DD45FA6FBE8EF04714F08846AFA458B652D370E448CBB5
                APIs
                • GetExitCodeProcess.KERNELBASE(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 012F2E00
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: CodeExitProcess
                • String ID:
                • API String ID: 3861947596-0
                • Opcode ID: bffba17d5a4c01805d8049b6232e95cdc81f1ae37608b87420903cf871aecb3c
                • Instruction ID: 710203bf4a2037662ca1746ca91d20bf32d46aa7aa9002bc58f18a17caf339a9
                • Opcode Fuzzy Hash: bffba17d5a4c01805d8049b6232e95cdc81f1ae37608b87420903cf871aecb3c
                • Instruction Fuzzy Hash: D211E375600200AFEB11CF16DD85BAAF7A8DF05224F28846AEE05CF652D374E5488BB1
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011CA5DE
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: d787e922ada47f65ee78b9f2c383c4324a4a36be991d144e6e0778ba8ad529bc
                • Instruction ID: 8ed86dd16fcacda7ddfa10b07f3173bfe6ed8cb5977b6359a4be93b9f69706e0
                • Opcode Fuzzy Hash: d787e922ada47f65ee78b9f2c383c4324a4a36be991d144e6e0778ba8ad529bc
                • Instruction Fuzzy Hash: A311AF71408380AFDB228F55DC44B62FFF4EF4A610F08889EEE858B562D235A418DB62
                APIs
                • WriteFile.KERNELBASE(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 011CAF0D
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: FileWrite
                • String ID:
                • API String ID: 3934441357-0
                • Opcode ID: 624f673d06c8bc64bc11646e2b2d70ea5fb386c051ef9fd54d8db1df9389af1f
                • Instruction ID: 3afa1d77226f22267c8942b1fe2f3d1f70d1954f46b8aa41607a6583509c4fa9
                • Opcode Fuzzy Hash: 624f673d06c8bc64bc11646e2b2d70ea5fb386c051ef9fd54d8db1df9389af1f
                • Instruction Fuzzy Hash: D4112BB1500204AFEB21CF55DD44FAAFBE8EF14710F04845AE9458B651D334E448CBB2
                APIs
                • DeleteFileW.KERNELBASE(?), ref: 011CB8E4
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: DeleteFile
                • String ID:
                • API String ID: 4033686569-0
                • Opcode ID: ae24426d7d0d0e23f038012976e996bf685ee1372fc113eba4ee52c9086846b4
                • Instruction ID: db0997fd5dd9010e9cc1104efc54d8d9154838592347d5d123745adf063326c7
                • Opcode Fuzzy Hash: ae24426d7d0d0e23f038012976e996bf685ee1372fc113eba4ee52c9086846b4
                • Instruction Fuzzy Hash: D91190B19093805FDB11CB25DC85B66BFE8EF46620F0984AEE985CB253D224E948CB61
                APIs
                • ioctlsocket.WS2_32(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 012F2C53
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: ioctlsocket
                • String ID:
                • API String ID: 3577187118-0
                • Opcode ID: 89647d587a5d3440a2f41086be10abb6c5294d667d1262756d79ce246f8529b9
                • Instruction ID: a8e42d22b606cc7ecd0d0f3f2cfebc2d027eff33cf8303032aac0c5e12ce0237
                • Opcode Fuzzy Hash: 89647d587a5d3440a2f41086be10abb6c5294d667d1262756d79ce246f8529b9
                • Instruction Fuzzy Hash: 4A11E0B5500204AFEB21CF55DD85BA6FBA8EF05324F18846AEA489B642C374E548CBB1
                APIs
                • shutdown.WS2_32(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 012F19CC
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: shutdown
                • String ID:
                • API String ID: 2510479042-0
                • Opcode ID: 8fba7dbc4681e3cd773e78c7211db166695f286bc9842bdb0ac245f9290f4e41
                • Instruction ID: dcf68e100fadc7156d75b734342c7640123b1bab2ca1a27f3dff4576e70088af
                • Opcode Fuzzy Hash: 8fba7dbc4681e3cd773e78c7211db166695f286bc9842bdb0ac245f9290f4e41
                • Instruction Fuzzy Hash: 47110275500200AFEB21CF16DD85BA6F7E8DF04724F1884AAEE448B642D374E548CBB1
                APIs
                • LoadLibraryA.KERNELBASE(?,00000E24), ref: 012F2297
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 4b39a90aa34836e51e0a1635b9a59a835f0c83fe3a8ae35fa267c28741175c2a
                • Instruction ID: 327991d1e2f7d359f204cd2e48c7a44e2a24e97c3e4baa97876d3f332a00b07e
                • Opcode Fuzzy Hash: 4b39a90aa34836e51e0a1635b9a59a835f0c83fe3a8ae35fa267c28741175c2a
                • Instruction Fuzzy Hash: 3E11E575510200AEEB20DB16DD85FB6F7A8DF05724F148059EE445A782D3B4E54CCAB5
                APIs
                • GetLogicalDrives.KERNELBASE ref: 011CA269
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: DrivesLogical
                • String ID:
                • API String ID: 999431828-0
                • Opcode ID: f264b16b4840d03311245b8dc5a1b96368efc97b9785c5f69f426b0639676a0a
                • Instruction ID: cdafab5ff7899fc53295a80c0ae154620caf0edff2ee080197176dfe83d2fb68
                • Opcode Fuzzy Hash: f264b16b4840d03311245b8dc5a1b96368efc97b9785c5f69f426b0639676a0a
                • Instruction Fuzzy Hash: 5A1191715083809FEB128F15ED44BA2BFA8EF47620F0884DAED848F253D275A908DB71
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: select
                • String ID:
                • API String ID: 1274211008-0
                • Opcode ID: 535adcf684e905331ac36795180940999d800b2cbd519bacadc5b7d84ee062aa
                • Instruction ID: 290481cc0fdda8562ff76b990c2dbef32b3aa00f9a951a5c0019c9cf1a1fc995
                • Opcode Fuzzy Hash: 535adcf684e905331ac36795180940999d800b2cbd519bacadc5b7d84ee062aa
                • Instruction Fuzzy Hash: 9D119475610204CFEB20CF19D985B92FBE8EF05610F08846EDE49CB6A6D370E448CBB1
                APIs
                • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 011CBC4A
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: LookupPrivilegeValue
                • String ID:
                • API String ID: 3899507212-0
                • Opcode ID: 8d192960744ade39079dcc4f035a5fc3ad5f38f41ccef6ee5085b02df29cec11
                • Instruction ID: e2f27ce4325d5dd5d41aae4bdf5c6c2343e8af3584aa6f1595979044a9ca5219
                • Opcode Fuzzy Hash: 8d192960744ade39079dcc4f035a5fc3ad5f38f41ccef6ee5085b02df29cec11
                • Instruction Fuzzy Hash: C311A5B56042008FEB54CF19D886B66FBD8EF14620F08846EDD49CB752D775E504CB6A
                APIs
                • CopyFileW.KERNELBASE(?,?,?), ref: 011CB82A
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: CopyFile
                • String ID:
                • API String ID: 1304948518-0
                • Opcode ID: 8d192960744ade39079dcc4f035a5fc3ad5f38f41ccef6ee5085b02df29cec11
                • Instruction ID: 6a57f6cea0386e0408d0ae2a8b8318859b309fb1ac43763d0def5cae862f3b74
                • Opcode Fuzzy Hash: 8d192960744ade39079dcc4f035a5fc3ad5f38f41ccef6ee5085b02df29cec11
                • Instruction Fuzzy Hash: FD1182B1A042008FEB54CF19D886767FBD8EF14A60F08846EDD45CB752D374D404CA75
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: CloseFind
                • String ID:
                • API String ID: 1863332320-0
                • Opcode ID: 9a2587fa42069ec1d4c6d91044394ea90dc2f845968b23f463e1e1f01a361f51
                • Instruction ID: 16606286ed1d2a93fa33552f1ca29032282e949c2af80e4f1495aef044567821
                • Opcode Fuzzy Hash: 9a2587fa42069ec1d4c6d91044394ea90dc2f845968b23f463e1e1f01a361f51
                • Instruction Fuzzy Hash: 2711E5755093C09FDB128B15DC85B52FFB4DF06220F0880DEED858B263D274E908CB62
                APIs
                • GetFileType.KERNELBASE(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 011CACBD
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: FileType
                • String ID:
                • API String ID: 3081899298-0
                • Opcode ID: aa798094678a46abb0e898a799ebbd5635e7ca6b704db20575c9d316c219473a
                • Instruction ID: 498cc6346dd4e98b70b121b5c37889460dfd2557582ba55651a23334f5630849
                • Opcode Fuzzy Hash: aa798094678a46abb0e898a799ebbd5635e7ca6b704db20575c9d316c219473a
                • Instruction Fuzzy Hash: 7201D675504204AFE721CB06ED85BA6F79CDF15724F18C05AEE048B742D374E44CCAB6
                APIs
                • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 012F1FCE
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: Connect
                • String ID:
                • API String ID: 3144859779-0
                • Opcode ID: fcbafc3b33ea956ee2f0018d73fc84f4e2984d394aba819e80e09d4e85ee602e
                • Instruction ID: b4c7e8169d3c6b33b370793f2065138c90947d591a31a533ff7123cc8070d70a
                • Opcode Fuzzy Hash: fcbafc3b33ea956ee2f0018d73fc84f4e2984d394aba819e80e09d4e85ee602e
                • Instruction Fuzzy Hash: 3C11A072510300DFEB20CF55D844B62FBE4EF18710F08856EDE458B622D375E418CBA1
                APIs
                • SetFileAttributesW.KERNELBASE(?,?), ref: 011CBAF3
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: 9e28442c749f685e7d2ab3845e767ef0e7ba6fbf0ea4bbd63ab867ea464a396f
                • Instruction ID: 7ee81b76eca4c924e1b4038fad602753a8330b531563015c3c6322fd547152e9
                • Opcode Fuzzy Hash: 9e28442c749f685e7d2ab3845e767ef0e7ba6fbf0ea4bbd63ab867ea464a396f
                • Instruction Fuzzy Hash: AE01B5756042408FEB64CF29D985766FBE8EF14620F08C4AEDD45CB756D374E404CBA6
                APIs
                • SetProcessWorkingSetSize.KERNEL32(00000000,?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 012F2FC3
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: ProcessSizeWorking
                • String ID:
                • API String ID: 3584180929-0
                • Opcode ID: a8d47847c9ee059ae9b5e1eb9b366dbbd94ef628bcf883532be182da6d65441b
                • Instruction ID: 2473a4e92aea5f110ba020514bae0dd7c510974045067f6418d9a161d33c3702
                • Opcode Fuzzy Hash: a8d47847c9ee059ae9b5e1eb9b366dbbd94ef628bcf883532be182da6d65441b
                • Instruction Fuzzy Hash: D60180B4100200AFEB21CB15CD84F66BBECEF05714F18846DEA44DB692D374A848CB74
                APIs
                • FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 011CA10E
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: FileFindNext
                • String ID:
                • API String ID: 2029273394-0
                • Opcode ID: 98e2e24d0451bbbcf422c628b298566b8389b98b7688d1f7a8245b535185e165
                • Instruction ID: d32bbe1dd8ae30b3b86ee6b4ca12470038b65f2ea7449b537020604664d861b8
                • Opcode Fuzzy Hash: 98e2e24d0451bbbcf422c628b298566b8389b98b7688d1f7a8245b535185e165
                • Instruction Fuzzy Hash: 4301B171A00200ABD710DF16DD46B76FBE8EB88A20F14815AED089BB41D735F955CBE1
                APIs
                • DeleteFileW.KERNELBASE(?), ref: 011CB8E4
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: DeleteFile
                • String ID:
                • API String ID: 4033686569-0
                • Opcode ID: 41e83e06e8db648e7e7236b490ff18d5daaef7c2b855adbf1c365aeb66b8f555
                • Instruction ID: d04f7f879095ea2967501f5e113d83cf645025a812c686fb3f8d491cb60d0df5
                • Opcode Fuzzy Hash: 41e83e06e8db648e7e7236b490ff18d5daaef7c2b855adbf1c365aeb66b8f555
                • Instruction Fuzzy Hash: D30192B1A042048FEB54CF29D8867A6BBD8DF14620F0884AEDD45CB756D374D404CB62
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011CA5DE
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 0d481065dbffec84307b44c589abff6542e535de3b0f44380451d310eeda09b7
                • Instruction ID: b5ec18c5a2df4ff24ec68dbbfb60023308573367f903f307f62ef459afaaa601
                • Opcode Fuzzy Hash: 0d481065dbffec84307b44c589abff6542e535de3b0f44380451d310eeda09b7
                • Instruction Fuzzy Hash: 4801A1715002049FDB218F55E944B56FFE4EF58720F08C89EDE854B612D335E418DFA2
                APIs
                • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 012F10AA
                Memory Dump Source
                • Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_12f0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: QueryValue
                • String ID:
                • API String ID: 3660427363-0
                • Opcode ID: 2639ba90981e817ce293ed560059b69e1af669ef34bfaaa36692269855a5e405
                • Instruction ID: 5f9b09ddb31bdc21721edcd111853bf00edb16e2ca12cea8ad6f58ced088ac84
                • Opcode Fuzzy Hash: 2639ba90981e817ce293ed560059b69e1af669ef34bfaaa36692269855a5e405
                • Instruction Fuzzy Hash: 7001A271600200ABD310DF16DD46B66FBE8FB88A20F14811AED089BB41D771F959CBE5
                APIs
                • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 011CA77E
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: Clipboard
                • String ID:
                • API String ID: 220874293-0
                • Opcode ID: 2e7c1dd0fe73a46ed6256e5034a70e410b02bf875676306d6f6d44abeb5d6aca
                • Instruction ID: f033ca8d4699ebe1a678862cb3726eaebc5499aa27b5ab872a69ba4949a2c4e5
                • Opcode Fuzzy Hash: 2e7c1dd0fe73a46ed6256e5034a70e410b02bf875676306d6f6d44abeb5d6aca
                • Instruction Fuzzy Hash: 6B01A271600200ABD310DF16DD46B66FBE8FB88A20F148159ED089BB41D731F959CBE5
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: send
                • String ID:
                • API String ID: 2809346765-0
                • Opcode ID: 5c05fb5ecc8768ea63619e64598d89082f8fc335cee17612c370b56f219f1adb
                • Instruction ID: f51b7c44ad014542d00f7f2a396811ac6c25b309d1abc11abe7f1655e9a67a92
                • Opcode Fuzzy Hash: 5c05fb5ecc8768ea63619e64598d89082f8fc335cee17612c370b56f219f1adb
                • Instruction Fuzzy Hash: 1A019E719042449FDB21CF59E984B66FBE4EF64720F08849EDD498B612D375E448CBA2
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: CloseFind
                • String ID:
                • API String ID: 1863332320-0
                • Opcode ID: 81ea93551af246d1708e7ab590b81fb0fc08dd2aafaaf912de8df793f29e5efd
                • Instruction ID: c047781250332b79618d933b90fa6c1872d9a03815769a763e40221e0551ab3a
                • Opcode Fuzzy Hash: 81ea93551af246d1708e7ab590b81fb0fc08dd2aafaaf912de8df793f29e5efd
                • Instruction Fuzzy Hash: 00014475608200CFDB148F1AD886762FBE4EF10A21F08C0AEDD4A8B752C374E408CFA2
                APIs
                • GetLogicalDrives.KERNELBASE ref: 011CA269
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: DrivesLogical
                • String ID:
                • API String ID: 999431828-0
                • Opcode ID: ec0cd487e5adf43ae78ad47502d185f5e23ac0f7fdc6a7420f9a68549a3e3f0b
                • Instruction ID: b0414e02b52ff306cfc08d902e46d48212c8917af3c1317b6b47e45c55d2c815
                • Opcode Fuzzy Hash: ec0cd487e5adf43ae78ad47502d185f5e23ac0f7fdc6a7420f9a68549a3e3f0b
                • Instruction Fuzzy Hash: 9C0121719042548FEB11CF15E888761FBE4DF10A20F08C4AADD088F306E379E408CBA2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                • Opcode ID: 4f7c4ff291bb9bcc32e65cf7fb7648bdce172698590a44667215cbab228861d4
                • Instruction ID: f786c5a9f511d1fdf64c2e473936b62103b0d88a80e3afa7e0a45a329d495949
                • Opcode Fuzzy Hash: 4f7c4ff291bb9bcc32e65cf7fb7648bdce172698590a44667215cbab228861d4
                • Instruction Fuzzy Hash: 4BD12B74A01228CFDB29EF74E860BADB7B6BB88304F1141E9D559A7394DB359E85CF00
                APIs
                • SetErrorMode.KERNELBASE(?), ref: 011CAA44
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: ErrorMode
                • String ID:
                • API String ID: 2340568224-0
                • Opcode ID: e2024081fa0e04bf866d5905f93a0659b470e8c4db2707e1e4d5fd37944db8ea
                • Instruction ID: c6c82b4080d925da9ea997e940bd656cbf01a2a83058515ab31f123889264859
                • Opcode Fuzzy Hash: e2024081fa0e04bf866d5905f93a0659b470e8c4db2707e1e4d5fd37944db8ea
                • Instruction Fuzzy Hash: 00F0FF759002488FDB218F09EA84761FBE0EF54A20F08C09ADD480B752E378E408CFA2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                • Opcode ID: 64de771d50572cbcf659f0b362a1a425aacc358c9a33069f00728a09e3ef46e2
                • Instruction ID: 92b07c3b1897ead7958b8fbc1eff554ca31698f21b6075d4d99d22b39ff67003
                • Opcode Fuzzy Hash: 64de771d50572cbcf659f0b362a1a425aacc358c9a33069f00728a09e3ef46e2
                • Instruction Fuzzy Hash: AAA13C34A00209EFCB09FFB5F460AAD77B2BB88344F528539E816977A8DB359805DB50
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                • Opcode ID: 89a4fc7535b495c2b7f567d19b53e2e398e3b27a11e412796e455d77985683b8
                • Instruction ID: 33fe1670dd0d3d60c413fdd31f988f7a7786d438f972344e9b5abcf99709203a
                • Opcode Fuzzy Hash: 89a4fc7535b495c2b7f567d19b53e2e398e3b27a11e412796e455d77985683b8
                • Instruction Fuzzy Hash: CC912A34A00209EFCB09FFB5F460AAD77B2BF88348B528579E416977A8DF359805DB50
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                • Opcode ID: ed734fdb60dec33cc382bc347b39a716b7199f1ac3c355897491eadc3cfa9b57
                • Instruction ID: 058f6602ffdb1458ea8d98bb318280259f8b37e26884863c5d5c8f29b48c5091
                • Opcode Fuzzy Hash: ed734fdb60dec33cc382bc347b39a716b7199f1ac3c355897491eadc3cfa9b57
                • Instruction Fuzzy Hash: 99B12970A012288FDB29EF74E860BEDB7B6BB88304F5141E9D519A7394DB359E85CF40
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                • Opcode ID: f19c12707e0d9f203eb79485dedf28cd279bd9f4fdfd18c63c7f522d93fd277e
                • Instruction ID: 61fafe53f7e9b319b8d2802f67e95dfa08adc59d91ee268d06ac0ad43d0ef6a7
                • Opcode Fuzzy Hash: f19c12707e0d9f203eb79485dedf28cd279bd9f4fdfd18c63c7f522d93fd277e
                • Instruction Fuzzy Hash: DC913C34A00209EFCB09FFB5F460AAD77B2BF88348B528569E416977A8DB359C05DB50
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                • Opcode ID: 63a59d7752510c6f25ce40d056498a5a59163571df08097c629e605ea5c6e206
                • Instruction ID: 0d7fea022996e2c973c44223bf646aa38dbd788c73b8ddbd01334816f27f7012
                • Opcode Fuzzy Hash: 63a59d7752510c6f25ce40d056498a5a59163571df08097c629e605ea5c6e206
                • Instruction Fuzzy Hash: D4814C34A00209EFCB09FFB5F460AAD73B2BB88348B528579E416977A8DB359C05DB50
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                • Opcode ID: 0f10b5db675d8fe2a667b4dbb23a1ac94aa6b25d2a0bfacd5d9d470c846e7bc8
                • Instruction ID: 8a3c3cececdf93a07dd24b2b1b3946df606979197bba66d1c00f578c456fb859
                • Opcode Fuzzy Hash: 0f10b5db675d8fe2a667b4dbb23a1ac94aa6b25d2a0bfacd5d9d470c846e7bc8
                • Instruction Fuzzy Hash: AF914B70A012288FDB29EF74E860BEDB7B6BF88304F5141E99519A7394DB359E85CF40
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                • Opcode ID: b317a3d8bb7ed0ef3198c04e7f5ca9db5d4be078378f30dae8078135ff367fd1
                • Instruction ID: 13b10980240ca72dc053bbcbd7223fd75de13bc3d81320ccc01f67d3bd62048a
                • Opcode Fuzzy Hash: b317a3d8bb7ed0ef3198c04e7f5ca9db5d4be078378f30dae8078135ff367fd1
                • Instruction Fuzzy Hash: F8714B34B00209DFDB09BFB5F460AAD73B2BB88348F528579D816977A8DB359C05DB50
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                • Opcode ID: 86e0b78f3877469ba43b2647647f6b81316bade774338a0eb09964e1344fab4f
                • Instruction ID: e84cf78c3e2f74789c02be195e4b2dbcf41b6d8cf7bd89422607203b6aa97994
                • Opcode Fuzzy Hash: 86e0b78f3877469ba43b2647647f6b81316bade774338a0eb09964e1344fab4f
                • Instruction Fuzzy Hash: BC515D30B002199FDB19BFB5F461ABD73A6AF84348F12852AD816977A8DF359C02CB50
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                • Opcode ID: c7cf70a154bb99b4b9e6e12fb79a20470ca658e5c4b9290906f435d540225eca
                • Instruction ID: f5a51f3661438d3f25f125efc638760bc5891a52ec52cc57a8434196caeeb8f3
                • Opcode Fuzzy Hash: c7cf70a154bb99b4b9e6e12fb79a20470ca658e5c4b9290906f435d540225eca
                • Instruction Fuzzy Hash: 9031C530B002169FDB04BB74E425BFE73A6ABD8208F124439D51597798EF39DD4A87A1
                APIs
                • CloseHandle.KERNELBASE(?), ref: 011CABF0
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: CloseHandle
                • String ID:
                • API String ID: 2962429428-0
                • Opcode ID: 7c460c0f91aa9664a34d80b7bd87f900d4236dbabb867df002e267e06f47cb88
                • Instruction ID: 4a7caf7b893b00630a16b41ece18120be2add579f3de9cde507c9a36b1696ec8
                • Opcode Fuzzy Hash: 7c460c0f91aa9664a34d80b7bd87f900d4236dbabb867df002e267e06f47cb88
                • Instruction Fuzzy Hash: 3F21F6755097C05FDB038B25ED95752BFA8EF07620F0984DADD848B663D2249908CB61
                APIs
                • CloseHandle.KERNELBASE(?), ref: 011CBE84
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: CloseHandle
                • String ID:
                • API String ID: 2962429428-0
                • Opcode ID: 7a37a6b856ae8e039d0ae525c4e95acae69112f81b14a4f4473711d6e1aa10bb
                • Instruction ID: 9720c97816b9fcd52631284d711f9356156de5e485f1b5247058c2acf587729e
                • Opcode Fuzzy Hash: 7a37a6b856ae8e039d0ae525c4e95acae69112f81b14a4f4473711d6e1aa10bb
                • Instruction Fuzzy Hash: 6021DEB250D3C05FDB028B25DC95792BFB4AF07720F0984DAE9848F663D234A908CB62
                APIs
                • CloseHandle.KERNELBASE(?), ref: 011CA690
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: CloseHandle
                • String ID:
                • API String ID: 2962429428-0
                • Opcode ID: 28a33df2d341486490e4ca511be82f6620d0e5e08d44103d2ac8a860696ace5b
                • Instruction ID: 93dcbfabdd50df611859382f5da22082733a1cef4ef80d86092ebb7226394966
                • Opcode Fuzzy Hash: 28a33df2d341486490e4ca511be82f6620d0e5e08d44103d2ac8a860696ace5b
                • Instruction Fuzzy Hash: C22188718093C45FDB128B259C94752BFB4EF47220F0984DAD8848F2A3D2699908CBB2
                APIs
                • CloseHandle.KERNELBASE(?), ref: 011CABF0
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: CloseHandle
                • String ID:
                • API String ID: 2962429428-0
                • Opcode ID: 205c3d5c9d222fe0fbe341f09edae2839b532f1cf0f817432e6be7c874331354
                • Instruction ID: d232a8efc5d820710e260973aed43bcc2e9d46b0544397ccf0c8223cc2531e43
                • Opcode Fuzzy Hash: 205c3d5c9d222fe0fbe341f09edae2839b532f1cf0f817432e6be7c874331354
                • Instruction Fuzzy Hash: 7401D4756042048FDB158F15E985765FBD4DF15620F08C4AEDD498F752D375D408CBA2
                APIs
                • CloseHandle.KERNELBASE(?), ref: 011CBE84
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: CloseHandle
                • String ID:
                • API String ID: 2962429428-0
                • Opcode ID: da32dba11c35c5079fe65f9de0c7f8c79b8dc181c734eeb1932273b131cee598
                • Instruction ID: c0ef694784d9b4f92f93b23e88a1e5e1b7a20005a7ea056ff65baec432ebd78a
                • Opcode Fuzzy Hash: da32dba11c35c5079fe65f9de0c7f8c79b8dc181c734eeb1932273b131cee598
                • Instruction Fuzzy Hash: B601B1756042008FDB548F19E986756BBE8DF14A20F08C0AADD49CB752C374E408CFA2
                APIs
                • CloseHandle.KERNELBASE(?), ref: 011CA690
                Memory Dump Source
                • Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11ca000_7tjt3u68PZ.jbxd
                Similarity
                • API ID: CloseHandle
                • String ID:
                • API String ID: 2962429428-0
                • Opcode ID: 324cc435e817ce8bacbe2aa60838ad02b8bc6c95fe1080aa77fae1fb1e67ad4c
                • Instruction ID: b4ff5d778b2e25d88e48f0094f60a7962f70e676774f6cb059263403306c8442
                • Opcode Fuzzy Hash: 324cc435e817ce8bacbe2aa60838ad02b8bc6c95fe1080aa77fae1fb1e67ad4c
                • Instruction Fuzzy Hash: E501F2B09002048FDB11CF05E984765FBE4DF54624F08C4AACD488F312D375E408CFA2
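Taken one at a time the function records above are thin (one resolved API, one dumped region, a pair of hashes), but the set of APIs they resolve is what backs the behavioural verdicts in the report's signature list: GetLogicalDrives, FindNextFileW, CopyFileW and SetFileAttributesW in the 011CA000 region are the file side of the USB-spreading behaviour, while WSAConnect, select, send and shutdown in the 012F0000 region are the socket side of the C2 channel, and OleGetClipboard matches the clipboard-capture finding. The script below is an added example and is not part of the Joe Sandbox report or of the analysed sample. It parses records in this format, uses the "API ID" field as a fallback when a record lists no resolved call line (as the select, send and CloseFind records above do), groups the calls by dumped region, and tags behaviours from an analyst-chosen API table; that table and the "two corroborating APIs" threshold are assumptions of this example, not statements the report makes. The input is four records constructed in the report's format with the unused fields trimmed.

```python
"""Parse Joe Sandbox IDA-plugin function records and cluster the observed APIs into behaviours."""
import re
from collections import defaultdict

# Constructed sample in the shape of the report records (four records, fields trimmed to the ones used here).
SAMPLE = """\
APIs
• shutdown.WS2_32(?,00000E24,FEEAE30E,00000000,00000000,00000000,00000000), ref: 012F19CC
Memory Dump Source
• Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
• API ID: shutdown
• Opcode ID: 8fba7dbc4681e3cd773e78c7211db166695f286bc9842bdb0ac245f9290f4e41
• Instruction Fuzzy Hash: 47110275500200AFEB21CF16DD85BA6F7E8DF04724F1884AAEE448B642D374E548CBB1
APIs
Memory Dump Source
• Source File: 00000000.00000002.4123109540.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
• API ID: select
• Opcode ID: 535adcf684e905331ac36795180940999d800b2cbd519bacadc5b7d84ee062aa
• Instruction Fuzzy Hash: 9D119475610204CFEB20CF19D985B92FBE8EF05610F08846EDE49CB6A6D370E448CBB1
APIs
• GetLogicalDrives.KERNELBASE ref: 011CA269
Memory Dump Source
• Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
• API ID: DrivesLogical
• Opcode ID: f264b16b4840d03311245b8dc5a1b96368efc97b9785c5f69f426b0639676a0a
• Instruction Fuzzy Hash: 5A1191715083809FEB128F15ED44BA2BFA8EF47620F0884DAED848F253D275A908DB71
APIs
• CopyFileW.KERNELBASE(?,?,?), ref: 011CB82A
Memory Dump Source
• Source File: 00000000.00000002.4122735908.00000000011CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CA000, based on PE: false
• API ID: CopyFile
• Opcode ID: 8d192960744ade39079dcc4f035a5fc3ad5f38f41ccef6ee5085b02df29cec11
• Instruction Fuzzy Hash: FD1182B1A042008FEB54CF19D886767FBD8EF14A60F08846EDD45CB752D374D404CA75
"""

# "api.MODULE(args), ref: ADDR"; parens and the comma are absent for no-argument calls (GetLogicalDrives).
API_CALL = re.compile(r"^• (?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
FIELD = re.compile(r"^• (?P<key>[A-Za-z ]+): ?(?P<value>.*)$")
OFFSET = re.compile(r"Offset: (?P<offset>[0-9A-Fa-f]+)")

# Assumed analyst heuristics, not part of the report: an API family counts as a behaviour
# when at least two of its members are observed in the same sample.
CAPABILITIES = {
    "c2_socket_io": {"WSAConnect", "connect", "send", "recv", "select", "shutdown"},
    "removable_drive_spread": {"GetLogicalDrives", "FindNextFileW", "CopyFileW", "SetFileAttributesW"},
    "privilege_adjust": {"LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "clipboard_read": {"OleGetClipboard", "GetClipboardData"},
}

def parse_records(text):
    """One dict per function record; a record ends at its 'Instruction Fuzzy Hash' line (a trailing partial record is dropped)."""
    records, cur = [], {"calls": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = API_CALL.match(line)
        if m:
            cur["calls"].append({"api": m["api"], "module": m["module"], "ref": m["ref"]})
            continue
        m = FIELD.match(line)
        if not m:
            continue  # section headers such as "APIs" or "Memory Dump Source"
        key, value = m["key"], m["value"].strip()
        cur[key] = value
        if key == "Source File":
            cur["offset"] = OFFSET.search(value)["offset"]
        elif key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = {"calls": []}
    return records

def observed_apis(records):
    """API names from resolved call lines. Records with no call line only carry an 'API ID', which is a
    normalised form (e.g. 'DrivesLogical' for GetLogicalDrives), so it is accepted only when it matches a
    known name case-insensitively; that covers the single-word winsock names the report leaves unresolved."""
    known = {api.lower(): api for family in CAPABILITIES.values() for api in family}
    seen = set()
    for r in records:
        seen.update(c["api"] for c in r["calls"])
        fallback = known.get(r.get("API ID", "").lower())
        if not r["calls"] and fallback:
            seen.add(fallback)
    return seen

def triage(records):
    """Behaviours with at least two corroborating APIs, each with the APIs that matched."""
    seen = observed_apis(records)
    return {name: sorted(seen & fam) for name, fam in CAPABILITIES.items() if len(seen & fam) >= 2}

def apis_by_region(records):
    """APIs called from each dumped memory region, keyed by the region's base offset."""
    regions = defaultdict(set)
    for r in records:
        regions[r.get("offset", "?")].update(c["api"] for c in r["calls"])
    return {offset: sorted(apis) for offset, apis in regions.items()}

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records")
    print(apis_by_region(recs))
    print(triage(recs))
```

Run against the full report text, the region grouping separates the two code blobs the report dumps (network and registry access in 012F0000, file enumeration, privilege lookup and clipboard access in 011CA000), which is a quick way to see that the RAT's propagation and C2 logic live in different unpacked regions before opening either in a disassembler. The fallback on "API ID" is deliberately conservative: a normalised ID such as "CloseFind" is ignored rather than guessed back to FindClose, so the behaviour tags only ever rest on names the report actually resolved or on exact single-word matches.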
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cb7eb0d6a062ad453ca4caa3175cb6dc2d02bf08277b000903d45f95018377ad
                • Instruction ID: c5dab42c379bc6ea037b2538371ab8dde69c6a57ada91d773c10f37fce992648
                • Opcode Fuzzy Hash: cb7eb0d6a062ad453ca4caa3175cb6dc2d02bf08277b000903d45f95018377ad
                • Instruction Fuzzy Hash: CE323C30A01218CFDB18EF74E965BEDB7B2BB88308F1145A9D509AB798DB359D85CF40
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 988355e6a31013a300590f305d3bca6e6293272e455ec66e151f011ceeab37d4
                • Instruction ID: 4ef431aabc8a78cae6a8fc0c1e8612e8849b645863cc3c6104275226b6086fcf
                • Opcode Fuzzy Hash: 988355e6a31013a300590f305d3bca6e6293272e455ec66e151f011ceeab37d4
                • Instruction Fuzzy Hash: 05A1D574A01218CFDB29EF64E961BECB7B2FB48308F1141A9D909A7359DB359E84CF40
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d7d6d0aa0d999d163e7b26cb71595d6a9f60d031bdd1d91b24a8257aba1207c8
                • Instruction ID: a6c0e58d1882e88420d896af632bbe7094b8b2f218e86bb3f6aa52e11253a8f2
                • Opcode Fuzzy Hash: d7d6d0aa0d999d163e7b26cb71595d6a9f60d031bdd1d91b24a8257aba1207c8
                • Instruction Fuzzy Hash: FF817D30A012588FDB18EFB4D850BEDB7B2BF89308F0045A9D50AAB398DB759D85CF51
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d52c3cf4c9539ebf79d1674df7e40d48c0dde637060b6bc7a586029436e3c807
                • Instruction ID: 9c5b6f5b5eb47db23d39a7af244864c107cade230ea061556e9b20716c9ca5ae
                • Opcode Fuzzy Hash: d52c3cf4c9539ebf79d1674df7e40d48c0dde637060b6bc7a586029436e3c807
                • Instruction Fuzzy Hash: 1C41C0306052058BE729EF36B815BBD33E3BB84314F698169D492DB2D9DB3ADD41CB20
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 30f4a7f6d8258b5ce46cc2cb72485065115c08e79934a9c65ca4331f382c12ac
                • Instruction ID: b168c3526793e3648ff183651a136729b7b33e69e41ac05430061182d906e829
                • Opcode Fuzzy Hash: 30f4a7f6d8258b5ce46cc2cb72485065115c08e79934a9c65ca4331f382c12ac
                • Instruction Fuzzy Hash: 914182307002448FCB05EBB8D465ABE7BF2AFC9208F2A8079D405DB799DB359C45DB92
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 61fee5dd0500548a9b61391655890dea4433f965d06f9600700c84288b7de46b
                • Instruction ID: 10b3aab3917588bc2fe22c182684e9a580243bb69e7234cf1368c3680bd55913
                • Opcode Fuzzy Hash: 61fee5dd0500548a9b61391655890dea4433f965d06f9600700c84288b7de46b
                • Instruction Fuzzy Hash: C3417C70A012588FDB18EFB4D950BECB7F2BF89308F1045AAD009AB694DB745E44CF51
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 120464cf782dda653e6b805bae5b1abe1e660b24e811d6933d2834812dd7d2d2
                • Instruction ID: efca0d9f9952091b84e9820c14a76a21b512905e4d6cb11714ad5696a61bdd05
                • Opcode Fuzzy Hash: 120464cf782dda653e6b805bae5b1abe1e660b24e811d6933d2834812dd7d2d2
                • Instruction Fuzzy Hash: A831A034B002059FDB14EF79E855BBEBBE6BF88204F144439E405EB3A5DB709805CB90
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cd33678719c0e1a297444ca020cb05f2484ec681aac096a2814c89cd57834691
                • Instruction ID: 595f2d27fe0f45886c2fe2bcf3b8a14f55533b1f8a61e21ca2c549340c7458b0
                • Opcode Fuzzy Hash: cd33678719c0e1a297444ca020cb05f2484ec681aac096a2814c89cd57834691
                • Instruction Fuzzy Hash: 2031C3317003449FD718ABB5A821BAE37E7ABD6218F09856AD001DB7C5CF79AC098792
                Memory Dump Source
                • Source File: 00000000.00000002.4122202614.0000000000EA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1daca05862ac7dbb95b06923c6f08748cf40de3a0be41765020cf21c3769dcb4
                • Instruction ID: cadac44756696e493eebc85173934c134b2be99fccddccdca3b54957c23c9eb5
                • Opcode Fuzzy Hash: 1daca05862ac7dbb95b06923c6f08748cf40de3a0be41765020cf21c3769dcb4
                • Instruction Fuzzy Hash: 6C218E315093C08FC7078B20C850B15BF71AF4B708F1996EED4855F6A3C33A9806CB52
                Memory Dump Source
                • Source File: 00000000.00000002.4128469323.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_61d0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e8568e7ee5bc09eff247d172de866d69ccc3bd67186002772a89e053bf513436
                • Instruction ID: 1bd2eee6b071ce90d9ab0446fa408e69a79832edfb51c9b7e48e736e0c05a4b2
                • Opcode Fuzzy Hash: e8568e7ee5bc09eff247d172de866d69ccc3bd67186002772a89e053bf513436
                • Instruction Fuzzy Hash: D211EAB5908301AFD340CF19D840A5BFBE4FB88664F04895EF998D7311D231E9088FA2
                Memory Dump Source
                • Source File: 00000000.00000002.4122202614.0000000000EA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e72385058932245d8be6ee2a90686b9dc619a46431fb1ecbf48a9a896f24850c
                • Instruction ID: 8f18abdb69f204fdd82b25bb5d7c8b766a88cd5973fc31310ce1fdfd8d24f83f
                • Opcode Fuzzy Hash: e72385058932245d8be6ee2a90686b9dc619a46431fb1ecbf48a9a896f24850c
                • Instruction Fuzzy Hash: AC11D230604280DFC315CB10D580B55B795AB8E718F28C9ADE4492B642C73BE813CA85
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ea3853cdba1d77dd09edcc46335ed5bc323fbd55087036df7b68e84ac74569a7
                • Instruction ID: d1dc8f999e82ca876163b6f44f8f6902df22d95de58f5d250c6a563f2978db14
                • Opcode Fuzzy Hash: ea3853cdba1d77dd09edcc46335ed5bc323fbd55087036df7b68e84ac74569a7
                • Instruction Fuzzy Hash: 0111C4317012448FC318AB75A4217BE33DBABE6348705853ED001DBB85CF7AEC0A8792
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ce1750741c027cfe060bf857b3493deaa1cedbdc2c23b9099818e9df60ee85b4
                • Instruction ID: fd4a4d0fd31ea2f346ca23707961ee22c7f9737eb09451aefa01e2081c2ae658
                • Opcode Fuzzy Hash: ce1750741c027cfe060bf857b3493deaa1cedbdc2c23b9099818e9df60ee85b4
                • Instruction Fuzzy Hash: A6110472F002098FCF54EB78E9555AE73F6FB89244715047AC409E3354EB319D05CBA0
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a492b7c1a9e170cd7efe99a68744d873cd4d3c01a995c4848aebd0793a9afebf
                • Instruction ID: a157003b1377d0dcd3d4019b1ebc26d1747e2b7110f9ee00c485e16f43eb1ced
                • Opcode Fuzzy Hash: a492b7c1a9e170cd7efe99a68744d873cd4d3c01a995c4848aebd0793a9afebf
                • Instruction Fuzzy Hash: F901F7367103108BD3097A74A8517AE3766DB92347B42C5BAE5409B381DB3A88068742
                Memory Dump Source
                • Source File: 00000000.00000002.4128469323.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_61d0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 61c2275b93e818abdb28a31a06d4a25bbc34dfeaaf0080a382f2ae45cbc2abf2
                • Instruction ID: 346a9d719f46747e757d926e8c0a2269ef1fec0eb3589966e26d8e15d7178a69
                • Opcode Fuzzy Hash: 61c2275b93e818abdb28a31a06d4a25bbc34dfeaaf0080a382f2ae45cbc2abf2
                • Instruction Fuzzy Hash: 231100B5508301AFD750CF09DC45E57FBE8EB88660F14881EF95897311D231E908CFA2
                Memory Dump Source
                • Source File: 00000000.00000002.4122798388.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11da000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 78a61c09eec78cb2fd3d739dc505bf233abbfb7cbb97208a5074b6788480a1be
                • Instruction ID: 1cb1d291c53a89068e0d9ee77a4e5ec484baf84d3a1b8851735a32f4e825f600
                • Opcode Fuzzy Hash: 78a61c09eec78cb2fd3d739dc505bf233abbfb7cbb97208a5074b6788480a1be
                • Instruction Fuzzy Hash: 6B110CB5A08301AFD750CF09DC41E5BFBE8EB98660F14891EF99897311D231E908CFA2
                Memory Dump Source
                • Source File: 00000000.00000002.4122202614.0000000000EA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 83194ae762ab53c93d972da8daf2a519f0015a1457f5026c7de6cfd2b854d46a
                • Instruction ID: e1d6676754246339b14039bb80f86d7cb7a5d4527d8bc56f79406fec8ce14273
                • Opcode Fuzzy Hash: 83194ae762ab53c93d972da8daf2a519f0015a1457f5026c7de6cfd2b854d46a
                • Instruction Fuzzy Hash: BD0186B65093846FD7118F16AD41862FFE8EB86660709C49FEC498B612D225B908CB76
                Memory Dump Source
                • Source File: 00000000.00000002.4122202614.0000000000EA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5295eafabc236e28bf91a8a097e274b36075317ab6b172fdeed5cc82d8806274
                • Instruction ID: 27cfe0ffeceddb918c56fe5457892535ea44c3f0082ea2e2b2e48a2d03fd46ec
                • Opcode Fuzzy Hash: 5295eafabc236e28bf91a8a097e274b36075317ab6b172fdeed5cc82d8806274
                • Instruction Fuzzy Hash: 8B01E13550D2809FC306CB20C550B15BFB1EF9B708F2986DAD8855B6A3C33AA816DB92
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 44bff6589f35c939a9908c70e1706f1837c7489c32dfaf3a98abb412a23c14d8
                • Instruction ID: 190a0e8b9d40f65ac044221d5d3364e1207afab7cbfd2a2160c6e0a9835f6892
                • Opcode Fuzzy Hash: 44bff6589f35c939a9908c70e1706f1837c7489c32dfaf3a98abb412a23c14d8
                • Instruction Fuzzy Hash: 3B019230612242CFC708EF78D15C55C7BE2FFA4208B40882CE55597758DB30D858CF42
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ff1986018cda6242c44900e9b0e9748b80d35f96990d1eeaaa1256739ccfd901
                • Instruction ID: a49348bfedba360609fb04d4ccb872801f90c15fb9cf195bf61f08a953887b86
                • Opcode Fuzzy Hash: ff1986018cda6242c44900e9b0e9748b80d35f96990d1eeaaa1256739ccfd901
                • Instruction Fuzzy Hash: 81F0F672B003046FEB18EBB0DC12BAE7B72DF81224F0585AE9141DF2D0DA315841C790
                Memory Dump Source
                • Source File: 00000000.00000002.4122202614.0000000000EA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a3c181a57d58872c77186dea16c7b84c2b348ca3ffffdec1f3d2b946b90fd649
                • Instruction ID: a9c4e13f6882b44e305cff7cd8ac8121207eb14f13989c10c35b17629809bb66
                • Opcode Fuzzy Hash: a3c181a57d58872c77186dea16c7b84c2b348ca3ffffdec1f3d2b946b90fd649
                • Instruction Fuzzy Hash: 3DF01D35548644DFC306CF00D540B15FBA2EB89718F24CAADE9491B752C737E813DB81
                Memory Dump Source
                • Source File: 00000000.00000002.4122202614.0000000000EA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0b7aeb1179dd86642e9b686d45e79827db5953daf7995523023ecdbe531f542b
                • Instruction ID: 592e68aee219a2293774c455924f1d3ed98080a6154d530d901b11d71f6974b9
                • Opcode Fuzzy Hash: 0b7aeb1179dd86642e9b686d45e79827db5953daf7995523023ecdbe531f542b
                • Instruction Fuzzy Hash: 69E092B66046044B9650DF0BFD42462F7D8EB88630718C07FDC0D8B711D235B548CAA5
                Memory Dump Source
                • Source File: 00000000.00000002.4128469323.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_61d0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: af381fd0cac0fb28958cfd3bc552bdb9ceb84393db0da429645a70de14c399a1
                • Instruction ID: 61bfb2afe249edfa1b6cb8d5907d4d5476039f60173e50e2068bd0827764014e
                • Opcode Fuzzy Hash: af381fd0cac0fb28958cfd3bc552bdb9ceb84393db0da429645a70de14c399a1
                • Instruction Fuzzy Hash: A5E0D8F250020467D6509E07AD46F63FB98DB50930F14C45BED081F752D172B5048AF1
                Memory Dump Source
                • Source File: 00000000.00000002.4128469323.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_61d0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c3cbde1f07b975ad1d62b011b1647257f0202e32874276cd1705ad3be8a86073
                • Instruction ID: 6b37e9d90fd03d52f766319328fd585398e969e452f0b53b59e3bd4146f53699
                • Opcode Fuzzy Hash: c3cbde1f07b975ad1d62b011b1647257f0202e32874276cd1705ad3be8a86073
                • Instruction Fuzzy Hash: 05E0DFF2A0020467D6109E07AD4AF63FB98DB90A30F18C46BEE081F706E172B518CAF1
                Memory Dump Source
                • Source File: 00000000.00000002.4128469323.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_61d0000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7547418af4bbaf16a729dca4cebd14251874103f4fd163a5fcd02c1ef583350d
                • Instruction ID: 2fd27f6456a51ab80247b08638090876c6b761baa104b4224359f8df18754319
                • Opcode Fuzzy Hash: 7547418af4bbaf16a729dca4cebd14251874103f4fd163a5fcd02c1ef583350d
                • Instruction Fuzzy Hash: D8E0DFF2A4020467D7109E07AD46F62FB98DB94A30F18C46BED081F742E172F5188AF1
                Memory Dump Source
                • Source File: 00000000.00000002.4122798388.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11da000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8c3f30a3a3e82f21fda316e0470db627adb292efa06bfed084f3f94915bf3384
                • Instruction ID: 68b5d0f0609f1f6eab25f58afbb75d2a7c7836a9817b53754dde1858126ec0bc
                • Opcode Fuzzy Hash: 8c3f30a3a3e82f21fda316e0470db627adb292efa06bfed084f3f94915bf3384
                • Instruction Fuzzy Hash: 3EE0DFF2A4020467D6509E07AD46F62FB98DB50A30F18C56BEE085F712E176B5088AF1
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6798c7883ca6a0206d516e7666d98f042f0744067cf241279cc95ee06bb1106c
                • Instruction ID: 83426732e9f4744cbe0ebe43e28727684906034d3613cac536eafcd531d72cfc
                • Opcode Fuzzy Hash: 6798c7883ca6a0206d516e7666d98f042f0744067cf241279cc95ee06bb1106c
                • Instruction Fuzzy Hash: 7CE0C2B2D06208EBC704DFA4DC02A8A7BE4DB00205F0540B9980AD3B51EA316A008B46
                Memory Dump Source
                • Source File: 00000000.00000002.4122708399.00000000011C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C2000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11c2000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 377f4c677f6ecd3969afacc26b9e703780b865c16ca8766f494216cdb0b0ee6e
                • Instruction ID: 8aa0a16d5b10968189123656f199c02ce96667def8fcc9d9b00e21578f180cd9
                • Opcode Fuzzy Hash: 377f4c677f6ecd3969afacc26b9e703780b865c16ca8766f494216cdb0b0ee6e
                • Instruction Fuzzy Hash: 71D02E3A3006C04FE31A8B0CC2A8B863BE4AB60B04F0A00FDA800CB763C738D4C0C200
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: da89be5700a0ba0f64dc8e077ef5c74e7fc4bb67c264802d3eb3df42305af425
                • Instruction ID: 79ca2e0cbf86d3d66caf85b6aacf484c56548ef94531e9ae15a05306a2c31a19
                • Opcode Fuzzy Hash: da89be5700a0ba0f64dc8e077ef5c74e7fc4bb67c264802d3eb3df42305af425
                • Instruction Fuzzy Hash: A0E0123420A384CFDB2A2774A53C4593F31AB4620934904FEC5954A66AD63A8841CB01
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5bf6f140583fd2fd1deb5d2b73af676252a5ae4c4d5d1fa11f2ed002159c9b9d
                • Instruction ID: 5c56cc23b4d14ad9898b3d5adeabb0e0cccedd7b026e8a878993dc4bd17e66ac
                • Opcode Fuzzy Hash: 5bf6f140583fd2fd1deb5d2b73af676252a5ae4c4d5d1fa11f2ed002159c9b9d
                • Instruction Fuzzy Hash: 1AD05EF2D41204ABCB18EBA4E94A6FC77A4AB61351F1105AA9446927A1EA350A048B41
                Memory Dump Source
                • Source File: 00000000.00000002.4122708399.00000000011C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C2000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_11c2000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: df6e9d82fe39a753d0fa7cd4a89c31d63ca0460b56604ec60a1596b20f203f80
                • Instruction ID: 90a63fdc925660a8155d80e269ee962b477cb0e0d409ffbc6f706427f18da5e0
                • Opcode Fuzzy Hash: df6e9d82fe39a753d0fa7cd4a89c31d63ca0460b56604ec60a1596b20f203f80
                • Instruction Fuzzy Hash: 41D05E343046814BD719DA0CC2E4F593BD4AB54B14F0A44ECAC108B762C7B8D8C4DA00
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f37d05d39a8ddae0030adc09cc5095c784dfe40030c58f00fa6b4f0cd233befd
                • Instruction ID: 2a82878f48005e75e4ab68b2e314033b6fbba6f8365b4c617db3cf67ec0670ee
                • Opcode Fuzzy Hash: f37d05d39a8ddae0030adc09cc5095c784dfe40030c58f00fa6b4f0cd233befd
                • Instruction Fuzzy Hash: 1ED0C971A16208EF8744DFA8D90189DB7F9EB45215B1041BAA80AD3B50EE315E04DB95
                Memory Dump Source
                • Source File: 00000000.00000002.4127303963.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5080000_7tjt3u68PZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 49621d3344241866127443127e612c2c11bb5159d29b10bf68a9da817a2ebcd1
                • Instruction ID: 5a3d4ec0c9bcd477340791deac7b656996b93b72f50a0a3dd0eae21bae0414d7
                • Opcode Fuzzy Hash: 49621d3344241866127443127e612c2c11bb5159d29b10bf68a9da817a2ebcd1
                • Instruction Fuzzy Hash: FAB1E6716062628BD735FA73B56083DB6F2BA802523664173E4F1CB2C9EF29C981D761

                Execution Graph

                Execution Coverage: 13.8%
                Dynamic/Decrypted Code Coverage: 100%
                Signature Coverage: 0%
                Total number of Nodes: 52
                Total number of Limit Nodes: 4
                [Execution graph rendering omitted: nodes in the 0071A5xx-0071B0xx range calling DuplicateHandle, SetErrorMode, CreateFileW, GetFileType, CreateMutexW, CloseHandle, OleInitialize, OleGetClipboard and WriteFile]

                Callgraph

                [Callgraph rendering omitted: functions in the 0071xxxx, 0492xxxx and 00A9xxxx regions, with legend Executed / Not Executed / Opacity -> Relevance / Disassembly available]

                Control-flow Graph

                [Control-flow graph rendering omitted: function at 49201e1 (basic blocks 49201e1-4920200, 4920202, 4920208-4920288), calling a905e7 / a90606]

                Control-flow Graph

                [Control-flow graph rendering omitted: function at 49200b8 (basic blocks 49200b8-49200cd, 49200d0, 49200d5-49200f7, 49200f9-492010a, 492010b-49201d5, 49201db-49201de), calling 71a23a, 71a20c, a905e7, a90606, 4923b10, 49239b7 and 49237fa]
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.1822489600.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4920000_Explower.jbxd
                Similarity
                • API ID:
                • String ID: 5],l^$E],l^
                • API String ID: 0-853727092
                • Opcode ID: 0988be3a5d91f4c38a2c17cc4c086407efcd27e102e6c94b1adc489ade88936e
                • Instruction ID: ddc9fc05aac1c8d42da1a48ac38a2fd5a0103490aac77b94eacaf7272fe625a7
                • Opcode Fuzzy Hash: 0988be3a5d91f4c38a2c17cc4c086407efcd27e102e6c94b1adc489ade88936e
                • Instruction Fuzzy Hash: 8131F6317043409FD715ABB59811BAE7BE7ABD6304B0485AAD0018F796CF799C068392

                Control-flow Graph (4920118-49201de; calls 4923b10, 49239b7, 49237fa, a905e7, a90606)
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.1822489600.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4920000_Explower.jbxd
                Similarity
                • API ID:
                • String ID: 5],l^$E],l^
                • API String ID: 0-853727092
                • Opcode ID: 314e7d7fdc02a03d308037c8de78c9025abcdcd886c31daf22540dbdc172e4ee
                • Instruction ID: 2d88b20666f5e2e0ab9f30a55a56b68b7c3d2c6e4d781bd94fa980fb0c33f63d
                • Opcode Fuzzy Hash: 314e7d7fdc02a03d308037c8de78c9025abcdcd886c31daf22540dbdc172e4ee
                • Instruction Fuzzy Hash: 8D11C6307001408FC715ABB9A410BED37DBABD7348305496ED0058FB96CF7ADC1A8792

                Control-flow Graph (71aa75-71ab7a; calls CreateFileW)
                APIs
                • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0071AB25
                Memory Dump Source
                • Source File: 00000003.00000002.1815224947.000000000071A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_71a000_Explower.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: be717112de3e703be189ed901c5e0d5a2a4e98b83f2406fded5edf4140aea833
                • Instruction ID: 0ed700d7bee4a127046af4504550fc6fe47a977bd8712156bc66205c114b1cee
                • Opcode Fuzzy Hash: be717112de3e703be189ed901c5e0d5a2a4e98b83f2406fded5edf4140aea833
                • Instruction Fuzzy Hash: 013183B1509380AFE721CF65CC85F96BBF8EF05310F08849EE9458B692D375E848CB62

                Control-flow Graph (71af76-71b072; calls CreateMutexW)
                APIs
                • CreateMutexW.KERNELBASE(?,?), ref: 0071B01D
                Memory Dump Source
                • Source File: 00000003.00000002.1815224947.000000000071A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_71a000_Explower.jbxd
                Similarity
                • API ID: CreateMutex
                • String ID:
                • API String ID: 1964310414-0
                • Opcode ID: 2bca91c598f65b26276a4d29b96ba413b8ee780ad0bf16cd4aded850de72ff85
                • Instruction ID: 1ec8f1f2ad2875eacd24a313cbfda5f517d39059cc7bebe28fb8900ebfe99e76
                • Opcode Fuzzy Hash: 2bca91c598f65b26276a4d29b96ba413b8ee780ad0bf16cd4aded850de72ff85
                • Instruction Fuzzy Hash: 4E31B1B15093806FE711CB65CC85B96BFF8EF06310F08849AE984CB293D379E949C762

                Control-flow Graph (71a6ce-71a7a2; calls OleGetClipboard)
                APIs
                • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0071A77E
                Memory Dump Source
                • Source File: 00000003.00000002.1815224947.000000000071A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_71a000_Explower.jbxd
                Similarity
                • API ID: Clipboard
                • String ID:
                • API String ID: 220874293-0
                • Opcode ID: 65b8fd18b0ed36ee8d90fbabad52c23d301a6645a9703c27ce1fb3837ab50e23
                • Instruction ID: 505e26fd548d3212e46d171e85117edb2ef9432f236b2380249a89558f31c59d
                • Opcode Fuzzy Hash: 65b8fd18b0ed36ee8d90fbabad52c23d301a6645a9703c27ce1fb3837ab50e23
                • Instruction Fuzzy Hash: 10317E7504D3C06FD3138B259C61B61BFB4EF87614F0A80CBE884CB6A3D2296919D772

                Control-flow Graph (71aaa6-71ab7a; calls CreateFileW)
                APIs
                • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0071AB25
                Memory Dump Source
                • Source File: 00000003.00000002.1815224947.000000000071A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_71a000_Explower.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: ba6faab8d0a9f474bee2b4f31ccb9388e58e331a3b627d83a08b7e5b7d774a8f
                • Instruction ID: 6e9663a856d787603ad8a5f6b398b87c90a3d18a14683f0e43ea291ca0f812ff
                • Opcode Fuzzy Hash: ba6faab8d0a9f474bee2b4f31ccb9388e58e331a3b627d83a08b7e5b7d774a8f
                • Instruction Fuzzy Hash: 5721B2B1605240AFE720CF66DD85FA6FBE8EF08310F04846DE9458B692D375E848CB72

                Control-flow Graph (71ac37-71acf6; calls GetFileType)
                APIs
                • GetFileType.KERNELBASE(?,00000E24,10FA911B,00000000,00000000,00000000,00000000), ref: 0071ACBD
                Memory Dump Source
                • Source File: 00000003.00000002.1815224947.000000000071A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_71a000_Explower.jbxd
                Similarity
                • API ID: FileType
                • String ID:
                • API String ID: 3081899298-0
                • Opcode ID: 7ffdd73eea18befea57933378d8afc74b5c19d70c89553300b4f34526f698dbf
                • Instruction ID: 941d35bf1c7d853d78177095d196af85ad08dbaddc288016c0d101eba8a2c223
                • Opcode Fuzzy Hash: 7ffdd73eea18befea57933378d8afc74b5c19d70c89553300b4f34526f698dbf
                • Instruction Fuzzy Hash: 8421EBB54093806FE7128B15DC45BE2BFB8DF47714F0880DBE9848B693D268A94DD772

                Control-flow Graph (71a9bf-71aa73; calls SetErrorMode)
                APIs
                • SetErrorMode.KERNELBASE(?), ref: 0071AA44
                Memory Dump Source
                • Source File: 00000003.00000002.1815224947.000000000071A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_71a000_Explower.jbxd
                Similarity
                • API ID: ErrorMode
                • String ID:
                • API String ID: 2340568224-0
                • Opcode ID: 15033a1e186b780e695a7479af4f2410b6e5148a537f1b70323c8e5ea634e412
                • Instruction ID: f1be08b36f23c5466ffbb879e6602d0ec0fa69bc961c28c14cc860afd4377f36
                • Opcode Fuzzy Hash: 15033a1e186b780e695a7479af4f2410b6e5148a537f1b70323c8e5ea634e412
                • Instruction Fuzzy Hash: 6021366540E3C0AFD7138B258C65A91BFB4EF57624B0E80DBD9848F5A3D2689849CB72

                Control-flow Graph (71afaa-71b072; calls CreateMutexW)
                APIs
                • CreateMutexW.KERNELBASE(?,?), ref: 0071B01D
                Memory Dump Source
                • Source File: 00000003.00000002.1815224947.000000000071A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_71a000_Explower.jbxd
                Similarity
                • API ID: CreateMutex
                • String ID:
                • API String ID: 1964310414-0
                • Opcode ID: 7fbbf57c18a9b871c70acf2dc897e71a7f1fdf627baba3a85281ee6fdb219e20
                • Instruction ID: edfe28cdf144cccc924450984ebbfae5259991b2fb183e9c4411356c5ed567f5
                • Opcode Fuzzy Hash: 7fbbf57c18a9b871c70acf2dc897e71a7f1fdf627baba3a85281ee6fdb219e20
                • Instruction Fuzzy Hash: 9D2195B1600200AFE720CF65DD85BA6F7E8EF08714F148469E945CB782D375E949CB71

                Control-flow Graph (71adce-71ae95; calls WriteFile)
                APIs
                • WriteFile.KERNELBASE(?,00000E24,10FA911B,00000000,00000000,00000000,00000000), ref: 0071AE4D
                Memory Dump Source
                • Source File: 00000003.00000002.1815224947.000000000071A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_71a000_Explower.jbxd
                Similarity
                • API ID: FileWrite
                • String ID:
                • API String ID: 3934441357-0
                • Opcode ID: 68031c2c2ec311fd8bbe9155b92e354227df32b6e0f247343f596f67dc1fa3a3
                • Instruction ID: dcf4999eef7816013aad44330e52446e8af778a11073b47adfeb6ebe4d20ba51
                • Opcode Fuzzy Hash: 68031c2c2ec311fd8bbe9155b92e354227df32b6e0f247343f596f67dc1fa3a3
                • Instruction Fuzzy Hash: 7721A175405380AFDB22CF55DC85F97BFB8EF45320F08849AE9449B552C334A548CBB6

                Control-flow Graph (71a61e-71a6cc; calls OleInitialize)
                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.1815224947.000000000071A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_71a000_Explower.jbxd
                Similarity
                • API ID: Initialize
                • String ID:
                • API String ID: 2538663250-0
                • Opcode ID: 9146d2ad490ab908b53814df9e7e04050426926b3cee0a893e2c66156ce61de1
                • Instruction ID: 09e99a21fed92580c102312271223d85aa0d14d3268eb5bab3565103983e0b1d
                • Opcode Fuzzy Hash: 9146d2ad490ab908b53814df9e7e04050426926b3cee0a893e2c66156ce61de1
                • Instruction Fuzzy Hash: DC21587540E3C0AFDB538B259C95692BFB4DF07220F0D84DBD8848F1A7D2699908CBB2

                Control-flow Graph (71a573-71a61c; calls DuplicateHandle)
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0071A5DE
                Memory Dump Source
                • Source File: 00000003.00000002.1815224947.000000000071A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_71a000_Explower.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: f24e9ac90d3ff89d0ab4141830c270509b7b5c5b66129bbbbfa4f8f5cde4e8be
                • Instruction ID: 0d881b1125e9626b4e62d5dadf5f4a3d26feabadc0db9d52b67a2ee59d302297
                • Opcode Fuzzy Hash: f24e9ac90d3ff89d0ab4141830c270509b7b5c5b66129bbbbfa4f8f5cde4e8be
                • Instruction Fuzzy Hash: F1118475409380AFDB228F55DC44B62FFF4EF4A310F0888DEED858B562C275A918DB62

                Control-flow Graph (71adee-71ae95; calls WriteFile)
                APIs
                • WriteFile.KERNELBASE(?,00000E24,10FA911B,00000000,00000000,00000000,00000000), ref: 0071AE4D
                Memory Dump Source
                • Source File: 00000003.00000002.1815224947.000000000071A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_71a000_Explower.jbxd
                Similarity
                • API ID: FileWrite
                • String ID:
                • API String ID: 3934441357-0
                • Opcode ID: 0aa84e6e220af60764763b327ac8fc0d7736eb632da44ad6e20662310068f20e
                • Instruction ID: e6a205ac586232ecfbbfe0e4e3812443d53677efb676d26d8ba2ac0b3209cec7
                • Opcode Fuzzy Hash: 0aa84e6e220af60764763b327ac8fc0d7736eb632da44ad6e20662310068f20e
                • Instruction Fuzzy Hash: 1611B275500200AFEB21CF55DC45FE6FBA8EF14324F18845AE9458B651C374E548CBB2

                Control-flow Graph (71ac6a-71acf6; calls GetFileType)
                APIs
                • GetFileType.KERNELBASE(?,00000E24,10FA911B,00000000,00000000,00000000,00000000), ref: 0071ACBD
                Memory Dump Source
                • Source File: 00000003.00000002.1815224947.000000000071A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_71a000_Explower.jbxd
                Similarity
                • API ID: FileType
                • String ID:
                • API String ID: 3081899298-0
                • Opcode ID: ed226bde437f9cac5da4b8c92c0aaae3cfcf68ac5a7893d75c4aaae7692f5631
                • Instruction ID: 4b7e7cc53f74849cce03022829914a3ca3ba50b037c35fd37a7ddd7ba1f0a475
                • Opcode Fuzzy Hash: ed226bde437f9cac5da4b8c92c0aaae3cfcf68ac5a7893d75c4aaae7692f5631
                • Instruction Fuzzy Hash: 0C01D675505200AFE720CF06DD85BE6F798DF55724F18C056ED049B782D378E588CAB6
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0071A5DE
                Memory Dump Source
                • Source File: 00000003.00000002.1815224947.000000000071A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_71a000_Explower.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: c0a8b3924ccc02203449d28ceb4cb33e949ef0d0e382a7ca2e178f6c52ec88d1
                • Instruction ID: 60bf9bd40117827d0628abfa1c0953d17ffb178f7a5f57e6af2bbaab4ed8bcbb
                • Opcode Fuzzy Hash: c0a8b3924ccc02203449d28ceb4cb33e949ef0d0e382a7ca2e178f6c52ec88d1
                • Instruction Fuzzy Hash: A901AD72504200EFDB218F55D884B92FFE0EF48320F08889ADE494A656C33AE458DFA2
                APIs
                • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0071A77E
                Memory Dump Source
                • Source File: 00000003.00000002.1815224947.000000000071A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_71a000_Explower.jbxd
                Similarity
                • API ID: Clipboard
                • String ID:
                • API String ID: 220874293-0
                • Opcode ID: 9a871ae4581c2083c961d85f2f50f0f87fc9f6a4c710a68d6ed7035fe2f42f0e
                • Instruction ID: 3e42ea033b000d00589d20405d713df37935e6a3bbb82ac6b53f01b4a52a95d2
                • Opcode Fuzzy Hash: 9a871ae4581c2083c961d85f2f50f0f87fc9f6a4c710a68d6ed7035fe2f42f0e
                • Instruction Fuzzy Hash: 2401A271500200ABD310DF16CD86B66FBE8FB88A20F148159EC089BB41D731F955CBE6
                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.1815224947.000000000071A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_71a000_Explower.jbxd
                Similarity
                • API ID: Initialize
                • String ID:
                • API String ID: 2538663250-0
                • Opcode ID: 89a27bc5e2b0bed46b424eb198f44bcf95590a643d9710f15fa9432227f83cf3
                • Instruction ID: fe0a0aace6b4fa11038b6e33c5f9f82a2f20db46a6fc2adce63ed0940ddf9b93
                • Opcode Fuzzy Hash: 89a27bc5e2b0bed46b424eb198f44bcf95590a643d9710f15fa9432227f83cf3
                • Instruction Fuzzy Hash: 6D018B75905240AFDB10CF19D8857A6FBA4EF15320F18C4AADD488B69AD279E448CBA2
                APIs
                • SetErrorMode.KERNELBASE(?), ref: 0071AA44
                Memory Dump Source
                • Source File: 00000003.00000002.1815224947.000000000071A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_71a000_Explower.jbxd
                Similarity
                • API ID: ErrorMode
                • String ID:
                • API String ID: 2340568224-0
                • Opcode ID: fc7efc114584b7496d18dd0bab5cfc2437f8cd8d4da0689c8ca38aa6a631999a
                • Instruction ID: 85472b531841adfbeb616ab2bd40dd7623d8fa9a1cf811834b98f5eade59d3be
                • Opcode Fuzzy Hash: fc7efc114584b7496d18dd0bab5cfc2437f8cd8d4da0689c8ca38aa6a631999a
                • Instruction Fuzzy Hash: 72F0FF75900240EFDB208F09D9857A1FBE0EF14320F08C09ADD080B792D378E848CFA2
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.1822489600.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4920000_Explower.jbxd
                Similarity
                • API ID:
                • String ID: :@k
                • API String ID: 0-2277858631
                • Opcode ID: 16d1ff2075726415c6bd9b1f842c2f9fe04429ca8f345556d0dd6d0e59e9d6d7
                • Instruction ID: 6a421a12c4cb70373e93aa7f19f65bbf5bf54f05d287f3cf350a23140ebcf867
                • Opcode Fuzzy Hash: 16d1ff2075726415c6bd9b1f842c2f9fe04429ca8f345556d0dd6d0e59e9d6d7
                • Instruction Fuzzy Hash: 1631E530B012118FE704BB74D8117AE32A69BD8208F114439D115D7BADEF789D5AC7A1
                APIs
                • CloseHandle.KERNELBASE(?), ref: 0071ABF0
                Memory Dump Source
                • Source File: 00000003.00000002.1815224947.000000000071A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_71a000_Explower.jbxd
                Similarity
                • API ID: CloseHandle
                • String ID:
                • API String ID: 2962429428-0
                • Opcode ID: 35469729c7ec8f48a07595e6fa9a8986e4dbcf26770b707c50182e4111588200
                • Instruction ID: 7422ec872da2d4f531524a59fe54c851f3e4ea6597280a4bd8231829653e7e61
                • Opcode Fuzzy Hash: 35469729c7ec8f48a07595e6fa9a8986e4dbcf26770b707c50182e4111588200
                • Instruction Fuzzy Hash: 6E21D7755093C05FD7038F25DC95692BFB8EF07220F0984DBDC858F5A3D2645908C762
                APIs
                • CloseHandle.KERNELBASE(?), ref: 0071ABF0
                Memory Dump Source
                • Source File: 00000003.00000002.1815224947.000000000071A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_71a000_Explower.jbxd
                Similarity
                • API ID: CloseHandle
                • String ID:
                • API String ID: 2962429428-0
                • Opcode ID: 3f252c2caa8cc988f9cddb27fbb6bf9beba3a1c427ff766f732f688d01cbb568
                • Instruction ID: c4798c12b5bc9e9350f6c2f7611577e27ac9e95cb24d6be4e0972051ffc8615e
                • Opcode Fuzzy Hash: 3f252c2caa8cc988f9cddb27fbb6bf9beba3a1c427ff766f732f688d01cbb568
                • Instruction Fuzzy Hash: D101DF75A052409FDB108F19D8857A6FBE4DF14320F08C4ABDC098B686D279E848CBA2
                Memory Dump Source
                • Source File: 00000003.00000002.1822489600.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4920000_Explower.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b4fb137a5f364511c1920b541ea8eef3f931ada57546d8d474b6deed2e5da584
                • Instruction ID: 29e589f6f52f2904f1ee603c34eb7e63e986cd426dbe0d5199b850c3293903a8
                • Opcode Fuzzy Hash: b4fb137a5f364511c1920b541ea8eef3f931ada57546d8d474b6deed2e5da584
                • Instruction Fuzzy Hash: 30325830E01228CFDB24EF74D954BEDB7B2AB49304F1045A9D509AB3A9DB799E85CF40
                Memory Dump Source
                • Source File: 00000003.00000002.1822489600.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4920000_Explower.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fb2ea478974f2e9937a67cec0fb1fc87f07d61221b72430d87039b52a7464873
                • Instruction ID: efd61069a50263147af54b41ca5fafd5f884b4db3ae14e99dcba2f82ddc728d7
                • Opcode Fuzzy Hash: fb2ea478974f2e9937a67cec0fb1fc87f07d61221b72430d87039b52a7464873
                • Instruction Fuzzy Hash: E8815A30E012588FDB24EFB4C950BEDB7B2AF89308F1044A9D509AB298DB799D85CF51
                Memory Dump Source
                • Source File: 00000003.00000002.1822489600.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4920000_Explower.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f8519a791f1ac11fde70f1ffe0abecbe044716ce080bee9eb2762c17860e86f0
                • Instruction ID: 3cbeddc189ecd22a2b0371c57d180e7ed29db6f6aa89e8f62db69c11a0578dd1
                • Opcode Fuzzy Hash: f8519a791f1ac11fde70f1ffe0abecbe044716ce080bee9eb2762c17860e86f0
                • Instruction Fuzzy Hash: 5C414930E012688FDB24EFB4D954BECB7F2AF49304F1045AAD409AB299DB785E45CF61
                Memory Dump Source
                • Source File: 00000003.00000002.1822489600.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4920000_Explower.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4a5e861ad87dde6bc0dffb9cc2c1746597735d65fd40a33184ffef7a8f8ceef5
                • Instruction ID: 652fa9a14e57e4988c6fc1ea7c30dd48ab61a8264cbce033a47340401f82b1b8
                • Opcode Fuzzy Hash: 4a5e861ad87dde6bc0dffb9cc2c1746597735d65fd40a33184ffef7a8f8ceef5
                • Instruction Fuzzy Hash: 7A117C6044F7D64FD313873098A8985BF70AE27204B5E85DBC090CF5A7D25C492AC7A3
                Memory Dump Source
                • Source File: 00000003.00000002.1819122352.0000000000A90000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_a90000_Explower.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b2b5f6a1404a6a4507245b089b9157e3ded5bebea49b417bc1f45a1f09d16d38
                • Instruction ID: 3d9ddb1c1dac045fc614b2b77089920fe86ea0a5fc745ba6fba194c5985ae9d4
                • Opcode Fuzzy Hash: b2b5f6a1404a6a4507245b089b9157e3ded5bebea49b417bc1f45a1f09d16d38
                • Instruction Fuzzy Hash: EEF0C8B65093806FD7118F16AC41863FFF8EF86630709C4AFEC498B612D225B908CB72
                Memory Dump Source
                • Source File: 00000003.00000002.1822489600.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4920000_Explower.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 073afcebdc5a4590331bcf8915651e7384efb6b902d026786c9ad6c529188fd7
                • Instruction ID: 04f498145912facb08b8a58420a06d02499c5c82bcdf970d0983b344afa57fe5
                • Opcode Fuzzy Hash: 073afcebdc5a4590331bcf8915651e7384efb6b902d026786c9ad6c529188fd7
                • Instruction Fuzzy Hash: 5AF0C872A01314ABE7149F71DC12BAE7B76EF81714F0485AAA6459B2D1DA355940C390
                Memory Dump Source
                • Source File: 00000003.00000002.1819122352.0000000000A90000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_a90000_Explower.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0792e331c27426ce93dc4c28d337ba04f9e320f278eab5e12d070f6080a78332
                • Instruction ID: cde3d760a7153a77cc47c6bb424807513dfab3fb755b5faab563e764fb264c01
                • Opcode Fuzzy Hash: 0792e331c27426ce93dc4c28d337ba04f9e320f278eab5e12d070f6080a78332
                • Instruction Fuzzy Hash: 29E092B66046049B9650CF0AFC82452F7D8EB88630718C47FDC0D8B701D235B508CAA6
                Memory Dump Source
                • Source File: 00000003.00000002.1822489600.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4920000_Explower.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 70b6f6966a5bce1843292049668e688424c451a2abeff539c258825e99a96ee8
                • Instruction ID: 9be13a7cdad39e7b9777ba6fb298b8b7ff633353a9add6c4a13e008df58593cb
                • Opcode Fuzzy Hash: 70b6f6966a5bce1843292049668e688424c451a2abeff539c258825e99a96ee8
                • Instruction Fuzzy Hash: 3BE0C2341093C08FC71A2738A42C4597F756FC720834C48FDC4854A66ACA7EC851CB40
                Memory Dump Source
                • Source File: 00000003.00000002.1812196041.0000000000712000.00000040.00000800.00020000.00000000.sdmp, Offset: 00712000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_712000_Explower.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f9940fe08c7a6ad01a03bca77dc4e7290fb976f2226bb9905a76203c47d3c0ca
                • Instruction ID: d8843fcc697169c0912af83853ff8c777f7fb3d83850cb7db27e6ebb6067028c
                • Opcode Fuzzy Hash: f9940fe08c7a6ad01a03bca77dc4e7290fb976f2226bb9905a76203c47d3c0ca
                • Instruction Fuzzy Hash: C7D0C7792006C04ED3128A0CC2A8B8637D4AB40704F0A00B9AC008B7A3C72CE8C2C200
                Memory Dump Source
                • Source File: 00000003.00000002.1812196041.0000000000712000.00000040.00000800.00020000.00000000.sdmp, Offset: 00712000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_712000_Explower.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bb3abcde2e67ac128ffc491d96e71dc93c566777b2a0c7e0bce10894c4e97790
                • Instruction ID: 039d07cd83986b3fe91548f92930e16eadf2da9c2fc860104a06bcc6f999dd68
                • Opcode Fuzzy Hash: bb3abcde2e67ac128ffc491d96e71dc93c566777b2a0c7e0bce10894c4e97790
                • Instruction Fuzzy Hash: 0BD05E342006814FC715DA0CC2E4F9937D4AB40714F0A44E8AC208B7A2C7ACD8D5DA00
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.1822489600.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4920000_Explower.jbxd
                Similarity
                • API ID:
                • String ID: Nr$Nr$Nr$Nr
                • API String ID: 0-3364712948
                • Opcode ID: 2463b1fdd03c9cf7af679aa676821dda23ac47231198d1711c0ca34c9daeb561
                • Instruction ID: 8234468a46d208a7df609c55fd37e7dcb2a0e6a7702b303e8a3d72790a9050b4
                • Opcode Fuzzy Hash: 2463b1fdd03c9cf7af679aa676821dda23ac47231198d1711c0ca34c9daeb561
                • Instruction Fuzzy Hash: 27318034B012599FEB20CB79C940BAA77E9FF89304F140528E902EB744EB74FC058B64
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.1822489600.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4920000_Explower.jbxd
                Similarity
                • API ID:
                • String ID: Nr$Nr$Nr$Nr
                • API String ID: 0-3364712948
                • Opcode ID: 2fa406d1e67bb0376c8bf938e39a96c577fc589c84a80cc0f6cb7b541bcb75ae
                • Instruction ID: 270abedb0214f35c9fa2591775cf3522dd6c0cfc72adcd4fd33dd854883f722c
                • Opcode Fuzzy Hash: 2fa406d1e67bb0376c8bf938e39a96c577fc589c84a80cc0f6cb7b541bcb75ae
                • Instruction Fuzzy Hash: 8C216D34B012599FEB20DB79D840BAA73E9FF89704F140568E901AB758EB74FC048BA5