Edit tour

Windows Analysis Report
nQBmwBd90o.exe

Overview

General Information

Sample name:	nQBmwBd90o.exe renamed because original name is a hash value
Original sample name:	2bbb433718d061e161f1d0e224451746.exe
Analysis ID:	1520705
MD5:	2bbb433718d061e161f1d0e224451746
SHA1:	94d37443c9d9b71997f4918106533b76c01d8032
SHA256:	cb15dc95e0a14080e8c3df816b6d54a101c3b4a307a8db0d71131869602480d9
Tags:	exeXenoRATuser-abuse_ch
Infos:

Detection

XenoRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected XenoRAT

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

nQBmwBd90o.exe (PID: 6836 cmdline: "C:\Users\user\Desktop\nQBmwBd90o.exe" MD5: 2BBB433718D061E161F1D0E224451746)

nQBmwBd90o.exe (PID: 7004 cmdline: "C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe" MD5: 2BBB433718D061E161F1D0E224451746)

schtasks.exe (PID: 3300 cmdline: "schtasks.exe" /Create /TN "update_blender" /XML "C:\Users\user\AppData\Local\Temp\tmp86AB.tmp" /F MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nQBmwBd90o.exe (PID: 3696 cmdline: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe MD5: 2BBB433718D061E161F1D0E224451746)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XenoRAT		No Attribution	https://github.com/moom825/xeno-rat https://hunt.io/blog/good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github	https://malpedia.caad.fkie.fraunhofer.de/details/win.xenorat

Malware Configuration

Threatname: XenoRAT

{"C2 url": "82.64.210.112", "Mutex Name": "update_discord_nd8912d", "Install Folder": "appdata"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
nQBmwBd90o.exe	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1664494365.0000000000E12000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000000.00000002.1668178797.00000000013F5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Process Memory Space: nQBmwBd90o.exe PID: 6836	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.nQBmwBd90o.exe.e10000.0.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security

Sigma Signatures

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /Create /TN "update_blender" /XML "C:\Users\user\AppData\Local\Temp\tmp86AB.tmp" /F, CommandLine: "schtasks.exe" /Create /TN "update_blender" /XML "C:\Users\user\AppData\Local\Temp\tmp86AB.tmp" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe" , ParentImage: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe, ParentProcessId: 7004, ParentProcessName: nQBmwBd90o.exe, ProcessCommandLine: "schtasks.exe" /Create /TN "update_blender" /XML "C:\Users\user\AppData\Local\Temp\tmp86AB.tmp" /F, ProcessId: 3300, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "schtasks.exe" /Create /TN "update_blender" /XML "C:\Users\user\AppData\Local\Temp\tmp86AB.tmp" /F, CommandLine: "schtasks.exe" /Create /TN "update_blender" /XML "C:\Users\user\AppData\Local\Temp\tmp86AB.tmp" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe" , ParentImage: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe, ParentProcessId: 7004, ParentProcessName: nQBmwBd90o.exe, ProcessCommandLine: "schtasks.exe" /Create /TN "update_blender" /XML "C:\Users\user\AppData\Local\Temp\tmp86AB.tmp" /F, ProcessId: 3300, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: nQBmwBd90o.exe

Malware Configuration Extractor: XenoRAT {"C2 url": "82.64.210.112", "Mutex Name": "update_discord_nd8912d", "Install Folder": "appdata"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe

ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: nQBmwBd90o.exe

ReversingLabs: Detection: 81%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: nQBmwBd90o.exe

Joe Sandbox ML: detected

Source: nQBmwBd90o.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 82.64.210.112

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 82.64.210.112:25565

Source: Joe Sandbox View

ASN Name: PROXADFR PROXADFR

Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Code function: 0_2_01640B11	0_2_01640B11
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Code function: 1_2_02E30B13	1_2_02E30B13
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Code function: 1_2_02E32CC8	1_2_02E32CC8

Source: nQBmwBd90o.exe, 00000000.00000000.1664507002.0000000000E1E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamediscord.exe> vs nQBmwBd90o.exe
Source: nQBmwBd90o.exe, 00000000.00000002.1668178797.00000000013BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs nQBmwBd90o.exe
Source: nQBmwBd90o.exe, 00000001.00000002.2932477946.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs nQBmwBd90o.exe
Source: nQBmwBd90o.exe	Binary or memory string: OriginalFilenamediscord.exe> vs nQBmwBd90o.exe
Source: nQBmwBd90o.exe.0.dr	Binary or memory string: OriginalFilenamediscord.exe> vs nQBmwBd90o.exe

Source: nQBmwBd90o.exe, Encryption.cs	Cryptographic APIs: 'CreateDecryptor'
Source: nQBmwBd90o.exe.0.dr, Encryption.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/4@0/1

Source: C:\Users\user\Desktop\nQBmwBd90o.exe

File created: C:\Users\user\AppData\Roaming\XenoManager

Jump to behavior

Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Mutant created: \Sessions\1\BaseNamedObjects\update_discord_nd8912d-admin
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_03

Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe

File created: C:\Users\user\AppData\Local\Temp\tmp86AB.tmp

Jump to behavior

Source: nQBmwBd90o.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: nQBmwBd90o.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\nQBmwBd90o.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\nQBmwBd90o.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: nQBmwBd90o.exe

ReversingLabs: Detection: 81%

Source: C:\Users\user\Desktop\nQBmwBd90o.exe

File read: C:\Users\user\Desktop\nQBmwBd90o.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\nQBmwBd90o.exe "C:\Users\user\Desktop\nQBmwBd90o.exe"
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Process created: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe "C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe"
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "update_blender" /XML "C:\Users\user\AppData\Local\Temp\tmp86AB.tmp" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Process created: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe "C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "update_blender" /XML "C:\Users\user\AppData\Local\Temp\tmp86AB.tmp" /F	Jump to behavior

Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: C:\Users\user\Desktop\nQBmwBd90o.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: nQBmwBd90o.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: nQBmwBd90o.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: nQBmwBd90o.exe, DllHandler.cs	.Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: nQBmwBd90o.exe, DllHandler.cs	.Net Code: DllNodeHandler
Source: nQBmwBd90o.exe.0.dr, DllHandler.cs	.Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: nQBmwBd90o.exe.0.dr, DllHandler.cs	.Net Code: DllNodeHandler

Source: nQBmwBd90o.exe

Static PE information: 0xB6F61BA2 [Sat Apr 9 13:44:02 2067 UTC]

Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Code function: 1_2_02E304F8 push ebx; retf 0002h		1_2_02E30502
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Code function: 1_2_02E305EF push edi; retf 0002h		1_2_02E3061A

Source: C:\Users\user\Desktop\nQBmwBd90o.exe

File created: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "update_blender" /XML "C:\Users\user\AppData\Local\Temp\tmp86AB.tmp" /F

Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Memory allocated: 1640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Memory allocated: 30F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Memory allocated: 50F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Memory allocated: 2E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Memory allocated: 2E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Memory allocated: 4E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Memory allocated: 710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Memory allocated: 24C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Memory allocated: B20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Window / User API: threadDelayed 1506			Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Window / User API: threadDelayed 8357			Jump to behavior

Source: C:\Users\user\Desktop\nQBmwBd90o.exe TID: 6908	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe TID: 7096	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe TID: 932	Thread sleep count: 1506 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe TID: 932	Thread sleep count: 8357 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe TID: 1068	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: nQBmwBd90o.exe, 00000000.00000002.1668178797.00000000013F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}h
Source: nQBmwBd90o.exe, 00000001.00000002.2932477946.0000000001086000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\nQBmwBd90o.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Process created: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe "C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "update_blender" /XML "C:\Users\user\AppData\Local\Temp\tmp86AB.tmp" /F			Jump to behavior

Source: C:\Users\user\Desktop\nQBmwBd90o.exe	Queries volume information: C:\Users\user\Desktop\nQBmwBd90o.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected XenoRAT

Source: Yara match	File source: nQBmwBd90o.exe, type: SAMPLE
Source: Yara match	File source: 0.0.nQBmwBd90o.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1664494365.0000000000E12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1668178797.00000000013F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nQBmwBd90o.exe PID: 6836, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe, type: DROPPED

Remote Access Functionality

Yara detected XenoRAT

Source: Yara match	File source: nQBmwBd90o.exe, type: SAMPLE
Source: Yara match	File source: 0.0.nQBmwBd90o.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1664494365.0000000000E12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1668178797.00000000013F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nQBmwBd90o.exe PID: 6836, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
nQBmwBd90o.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Bigisoft
nQBmwBd90o.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Bigisoft

Name	Malicious	Antivirus Detection	Reputation
82.64.210.112	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
82.64.210.112	unknown	France		12322	PROXADFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520705
Start date and time:	2024-09-27 18:31:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nQBmwBd90o.exe renamed because original name is a hash value
Original Sample Name:	2bbb433718d061e161f1d0e224451746.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/4@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 95% Number of executed functions: 78 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target nQBmwBd90o.exe, PID 3696 because it is empty
Execution Graph export aborted for target nQBmwBd90o.exe, PID 6836 because it is empty
Execution Graph export aborted for target nQBmwBd90o.exe, PID 7004 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: nQBmwBd90o.exe

Simulations

Behavior and APIs

Time	Type	Description
12:32:25	API Interceptor	160x Sleep call for process: nQBmwBd90o.exe modified
17:32:03	Task Scheduler	Run new task: update_blender path: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PROXADFR	rsJtZBgpwG.elf	Get hash	malicious	Mirai	Browse	88.189.158.43
	SecuriteInfo.com.Linux.Siggen.9999.13221.8731.elf	Get hash	malicious	Unknown	Browse	82.234.13.66
	SecuriteInfo.com.Linux.Siggen.9999.32167.12194.elf	Get hash	malicious	Unknown	Browse	82.247.213.185
	SecuriteInfo.com.Linux.Siggen.9999.18891.22819.elf	Get hash	malicious	Unknown	Browse	78.218.37.103
	jade.arm.elf	Get hash	malicious	Mirai	Browse	82.254.162.127
	jade.arm6.elf	Get hash	malicious	Mirai	Browse	88.125.239.231
	jade.arm7.elf	Get hash	malicious	Mirai	Browse	78.224.112.142
	jade.ppc.elf	Get hash	malicious	Mirai	Browse	62.147.6.224
	jade.spc.elf	Get hash	malicious	Mirai	Browse	88.180.232.179
	jade.x86.elf	Get hash	malicious	Mirai	Browse	88.165.18.250

Process:	C:\Users\user\Desktop\nQBmwBd90o.exe
File Type:	CSV text
Category:	modified
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp86AB.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1069
Entropy (8bit):	3.9440022926047367
Encrypted:	false
SSDEEP:	12:StLJ+DWg0Sa+Nn/WNeMS7Xp1yd3YL6WVYXqOVl7KfTShhJKShjNI0QBDO1dArHAP:StLJ+S8AMEoL6fUMhEMj+0QdrOtn
MD5:	88EA762AAB6D928943116D1B7CDA315D
SHA1:	9AAA2CB3F7D98A7647366A0DBF2A9521A3A4E9EF
SHA-256:	99EC813AD8022A9C0FD509E56D85B211934D763F5B121249F6ECD594DBAE95C0
SHA-512:	258AB7D0FCF58CE41DDF3C4E8BD429D56A9CA405E80A749BF6C964E34A9E34736ED746241D838ADD296B5AE8BF64DC5F157B59D089DCE9D34AD4C60C638123AA
Malicious:	true
Reputation:	low
Preview:	.. <Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. </LogonTrigger>.. </Triggers>.. <Principals>.. <Principal id='Author'>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. </Settings>.. <Actions>.. <Exec>.. <Command>C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe</Command>..

C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe

Download File

Process:	C:\Users\user\Desktop\nQBmwBd90o.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.645570077432501
Encrypted:	false
SSDEEP:	768:qdhO/poiiUcjlJInjTH9Xqk5nWEZ5SbTDaLIuI7CPW5N:Mw+jjgnPH9XqcnW85SbTwIuIl
MD5:	2BBB433718D061E161F1D0E224451746
SHA1:	94D37443C9D9B71997F4918106533B76C01D8032
SHA-256:	CB15DC95E0A14080E8C3DF816B6D54A101C3B4A307A8DB0D71131869602480D9
SHA-512:	D61D90ECFFB3EC0DEBC1AA679BC1DDCAFEAFFF2CF466EE9E29B630098D2B9F6E94C994617740DC31D3962EF05371831473311CD9A2112D1AB824CD6240F71BCB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............>.... ........@.. ....................... ............`.....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H.......,l...^......^...................................................moom825.:.g.R=;^...:.D.iY..<.=...1..X....(......s....}.....r...p}.....(....(...........s....o......o....s....( ...r...p(!...,.("....6.\|.....(?...V.(......}......}.....6.\|.....(?...6.\|.....(?...6.\|"....(?...6.\|&....(?...6.\|-....(?...6.\|2....(?...6.\|;....(?...6.\|A....(?.....sl...}F.....}I.....}J.....}K....(......}G.....}E...6.{F....om...f..i..i3.....ij(+.......6.{G....oL...2.{G...oM...*

C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\nQBmwBd90o.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.645570077432501
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	nQBmwBd90o.exe
File size:	46'592 bytes
MD5:	2bbb433718d061e161f1d0e224451746
SHA1:	94d37443c9d9b71997f4918106533b76c01d8032
SHA256:	cb15dc95e0a14080e8c3df816b6d54a101c3b4a307a8db0d71131869602480d9
SHA512:	d61d90ecffb3ec0debc1aa679bc1ddcafeafff2cf466ee9e29b630098d2b9f6e94c994617740dc31d3962ef05371831473311cd9a2112d1ab824cd6240f71bcb
SSDEEP:	768:qdhO/poiiUcjlJInjTH9Xqk5nWEZ5SbTDaLIuI7CPW5N:Mw+jjgnPH9XqcnW85SbTwIuIl
TLSH:	6223F94C57AC8923E6AF5ABD98324253C7B3E3669532E38F08CCD4E93B933855905397
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............>.... ........@.. ....................... ............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40cb3e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB6F61BA2 [Sat Apr 9 13:44:02 2067 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcaec	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x5d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xab44	0xac00	c03c7ef6d6906a87d19f00516fb9fc14	False	0.44996820494186046	data	5.729349277699212	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x5d0	0x600	843fffb00488351e39bae2ab4b7582e2	False	0.4518229166666667	data	4.4145118075704755	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	de905fb7c6069ebdb3769c659dcb2285	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x344	data			0.4533492822966507
RT_MANIFEST	0xe3e4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 18:32:05.972501040 CEST	49730	25565	192.168.2.4	82.64.210.112
Sep 27, 2024 18:32:05.977930069 CEST	25565	49730	82.64.210.112	192.168.2.4
Sep 27, 2024 18:32:05.978054047 CEST	49730	25565	192.168.2.4	82.64.210.112
Sep 27, 2024 18:32:27.331974983 CEST	25565	49730	82.64.210.112	192.168.2.4
Sep 27, 2024 18:32:27.332072020 CEST	49730	25565	192.168.2.4	82.64.210.112
Sep 27, 2024 18:32:37.347496033 CEST	49735	25565	192.168.2.4	82.64.210.112
Sep 27, 2024 18:32:37.352431059 CEST	25565	49735	82.64.210.112	192.168.2.4
Sep 27, 2024 18:32:37.352518082 CEST	49735	25565	192.168.2.4	82.64.210.112
Sep 27, 2024 18:32:58.772048950 CEST	25565	49735	82.64.210.112	192.168.2.4
Sep 27, 2024 18:32:58.772242069 CEST	49735	25565	192.168.2.4	82.64.210.112
Sep 27, 2024 18:33:08.767889977 CEST	49738	25565	192.168.2.4	82.64.210.112
Sep 27, 2024 18:33:08.772968054 CEST	25565	49738	82.64.210.112	192.168.2.4
Sep 27, 2024 18:33:08.773070097 CEST	49738	25565	192.168.2.4	82.64.210.112
Sep 27, 2024 18:33:30.143501043 CEST	25565	49738	82.64.210.112	192.168.2.4
Sep 27, 2024 18:33:30.143570900 CEST	49738	25565	192.168.2.4	82.64.210.112
Sep 27, 2024 18:33:40.158546925 CEST	49740	25565	192.168.2.4	82.64.210.112
Sep 27, 2024 18:33:40.163681984 CEST	25565	49740	82.64.210.112	192.168.2.4
Sep 27, 2024 18:33:40.163774967 CEST	49740	25565	192.168.2.4	82.64.210.112
Sep 27, 2024 18:34:01.517478943 CEST	25565	49740	82.64.210.112	192.168.2.4
Sep 27, 2024 18:34:01.517580032 CEST	49740	25565	192.168.2.4	82.64.210.112

Target ID:	0
Start time:	12:31:56
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\nQBmwBd90o.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nQBmwBd90o.exe"
Imagebase:	0xe10000
File size:	46'592 bytes
MD5 hash:	2BBB433718D061E161F1D0E224451746
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000000.00000000.1664494365.0000000000E12000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000000.00000002.1668178797.00000000013F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:31:56
Start date:	27/09/2024
Path:	C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe"
Imagebase:	0xbe0000
File size:	46'592 bytes
MD5 hash:	2BBB433718D061E161F1D0E224451746
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	12:32:01
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /Create /TN "update_blender" /XML "C:\Users\user\AppData\Local\Temp\tmp86AB.tmp" /F
Imagebase:	0x960000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:32:01
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:32:03
Start date:	27/09/2024
Path:	C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe
Imagebase:	0x90000
File size:	46'592 bytes
MD5 hash:	2BBB433718D061E161F1D0E224451746
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 01640B11 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

dbq, xrefs: 01640CA2

Memory Dump Source

Source File: 00000000.00000002.1668492770.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID: dbq
API String ID: 0-1887291361
Opcode ID: 44d90203e6a4a9af2c9eefa5fce2b3d7a9967efdc510b3ebdfa3d6decc112db0
Instruction ID: 9228d2947f5beda7a36dd9dc635921c07f6ff8975f2771fc2e3b2b57ae80e799
Opcode Fuzzy Hash: 44d90203e6a4a9af2c9eefa5fce2b3d7a9967efdc510b3ebdfa3d6decc112db0
Instruction Fuzzy Hash: BC421770A002498FCB15DFA8D584A9DBBF2BF89314F1581A9E415EF36ADB34AC85CF50

Function 01640981 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01640A64

Memory Dump Source

Source File: 00000000.00000002.1668492770.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: e9b5c9f78d5c842d86b6d13b4fc28e3bcbca27b45d62725bcbb3171647f34ed9
Instruction ID: ebf951121875868d1149f5e268858c5e7cfe7009043788081b46998ed6f27aa7
Opcode Fuzzy Hash: e9b5c9f78d5c842d86b6d13b4fc28e3bcbca27b45d62725bcbb3171647f34ed9
Instruction Fuzzy Hash: A5211B7091020ADFCB45EFA8E94469DBBF2FB84304B1045B9C014AF665EB796E49CF81

Function 01640990 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01640A64

Memory Dump Source

Source File: 00000000.00000002.1668492770.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: cf17a6719b5a09364fb54585c2ef09316b7b48021165f7864f96602277297012
Instruction ID: cc8276e765357aa480718efc65e258c9bbffa4f36afd68dbb0f8dbb7b6f8f702
Opcode Fuzzy Hash: cf17a6719b5a09364fb54585c2ef09316b7b48021165f7864f96602277297012
Instruction Fuzzy Hash: AC210C7091020A9FCB44EF68E98469DBBF2FB84304F1045B9C414AF765EB796E498F80

Function 01640877 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668492770.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16702f8b42938c48297a3e7711600275c7f28b7b262f29b521be3b970f7b61e0
Instruction ID: 93d0bb0b01de5f49ebe68cd199766ec49d3b850acd7c2fd2dc77887b3a5abdd7
Opcode Fuzzy Hash: 16702f8b42938c48297a3e7711600275c7f28b7b262f29b521be3b970f7b61e0
Instruction Fuzzy Hash: 77015E32D1065ADBCB119FB8DC500DCBB76EEC6310F5A0656D001B7164E770299AC790

Function 016408F9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668492770.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42cc5d8fc40a13cf2e3fcc9ed2ab0939dd99c1377f3238580122fd1215baf1c7
Instruction ID: a5ebd53a14f6269517c46c6ebb023f9f0f1ca6fa4437b6b442643ce5a78445cc
Opcode Fuzzy Hash: 42cc5d8fc40a13cf2e3fcc9ed2ab0939dd99c1377f3238580122fd1215baf1c7
Instruction Fuzzy Hash: 30F0C872E505059BDB14DB64C9949EFFBB6AF84300F05862AD412B7244DF706906CBD1

Function 01640908 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668492770.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d02029dd8736869c19a4ebf507955c615d918b16c08aa08a3bedb2fa638490
Instruction ID: 4afb0d745ceb93716983b61333f2561f984965131208fe0d3ae6d99868fe8a90
Opcode Fuzzy Hash: 58d02029dd8736869c19a4ebf507955c615d918b16c08aa08a3bedb2fa638490
Instruction Fuzzy Hash: ADF08972D1011997DF14DB74C5555EFBFBA9F84300F054529D512BB344DE70690687D2

Function 01640839 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668492770.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11aa6999546ca8ce4e0ba223f097e67a3cab5c304443d5918f387e2304b407b
Instruction ID: 792c3e5a67e1df5b03d3b11c5811fa6855aa9187866bd0dfacae4c23b8bb0353
Opcode Fuzzy Hash: a11aa6999546ca8ce4e0ba223f097e67a3cab5c304443d5918f387e2304b407b
Instruction Fuzzy Hash: D8F0397190A3849FE702CFA899143997FB1AF02280F1A45EBE498CB257D7359D10C791

Function 016413A1 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668492770.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c133153dc5d482e1781ecd92781b752e99f9402e9e7c2761a5e08f5dbfeadd
Instruction ID: c52bf658a09cc599b2da95e738379aafb1f7295b416568a3da69ec65400fce8d
Opcode Fuzzy Hash: 30c133153dc5d482e1781ecd92781b752e99f9402e9e7c2761a5e08f5dbfeadd
Instruction Fuzzy Hash: 56E0ED75D412498FCB45DFB88C411FEBFF1AF8A210F5585AAC509E3601E63411568B80

Function 01640848 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668492770.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99033bd26aaf290a59dbca50ed987b57b404a9f74aadb690aab881f6664b86d5
Instruction ID: c7381e886d61f481149f0596679be82fa542f69b715dd880e88c13040c420584
Opcode Fuzzy Hash: 99033bd26aaf290a59dbca50ed987b57b404a9f74aadb690aab881f6664b86d5
Instruction Fuzzy Hash: 56D01771905248AFEB11DFB8CA0579E7BB8AB05240F6144AAE458CB305DB319E10D791

Function 016413B0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668492770.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef043d575c0f54f122b0501c9fa8b484036c79d8b33f2a125a1e09fb6ee5efe
Instruction ID: 47a2037e58bdc781ff00b21f2139c62e0b0e213972a47dfe0d5f7162bc47dd1b
Opcode Fuzzy Hash: fef043d575c0f54f122b0501c9fa8b484036c79d8b33f2a125a1e09fb6ee5efe
Instruction Fuzzy Hash: 4AE067B4D4531E9F8B40EFB988421BEFFF5AB49200F5085AADA08E3300F67056518FD1

Analysis Process: nQBmwBd90o.exePID: 7004, Parent PID: 6836COMMON

Executed Functions

Function 02E30B13 Relevance: 1.8, Strings: 1, Instructions: 559COMMON

Download Yara Rule

Strings

dbq, xrefs: 02E30CA2

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID: dbq
API String ID: 0-1887291361
Opcode ID: a86702c7e74691cb5374f2b1a2d15de70be957dfa8c7316d3e0c7dfc538b0397
Instruction ID: 4f22706fe71dd0d7b777d6d266875e38309ec996cba19b5c3d6938e74a263ed3
Opcode Fuzzy Hash: a86702c7e74691cb5374f2b1a2d15de70be957dfa8c7316d3e0c7dfc538b0397
Instruction Fuzzy Hash: 36324A74A002498FCB05DFA9D584A9DBBF2BF89314F1586A9E405EF3A9DB30AC45CF50

Function 02E32CC8 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3176ead4dfa782530566bcb4fe799889a06405f09db3b1acc2f6573d94334bc
Instruction ID: c72f0482b84fe7a28329f0106f0a49f23e98f50793fcb71633829844842bf1ac
Opcode Fuzzy Hash: c3176ead4dfa782530566bcb4fe799889a06405f09db3b1acc2f6573d94334bc
Instruction Fuzzy Hash: 05020574A412089FDB06CF68D484A9DBBF2BF49325F5586A5E806EB366D730EC81CF50

Function 02E34430 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

(bq, xrefs: 02E34632

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 5b976fd312eff89627f4fe2cc7de120bb2003789538a31aa84f315eecfe737db
Instruction ID: f877eb642bbb411ea02f212976d21f5975fc826d89ed189619f64655782beec4
Opcode Fuzzy Hash: 5b976fd312eff89627f4fe2cc7de120bb2003789538a31aa84f315eecfe737db
Instruction Fuzzy Hash: F1815E35B412499FCB05DF68D494A9EBBF2FF89314F258264E405AB3A5DB30EC85CB90

Function 02E30C9A Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

dbq, xrefs: 02E30CA2

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID: dbq
API String ID: 0-1887291361
Opcode ID: f4c6acf9cb82f925b28810bae823979fb8ae8ed95bc88c2ece7e3177abbbee77
Instruction ID: bf64c10e339020513328bfd1f5450a0c4b428cd6b68be57bce0e6baf7dd0661c
Opcode Fuzzy Hash: f4c6acf9cb82f925b28810bae823979fb8ae8ed95bc88c2ece7e3177abbbee77
Instruction Fuzzy Hash: 2A21F475E002498FCF06DFA9D4449DDBBF6FF89314F198066D809AB225E730AA45CF10

Function 02E3098B Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02E30A64

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 7486b02964b6305d945d0ccb0372fd7519bf441edfc25f6c75c3dd9338ccc794
Instruction ID: 07ecc95f4aae9f5cff5fdd707b7661b43f820d54e2d81d95b6f5dd69459936d6
Opcode Fuzzy Hash: 7486b02964b6305d945d0ccb0372fd7519bf441edfc25f6c75c3dd9338ccc794
Instruction Fuzzy Hash: 76213674D4011ADFCF05EFA9E55469E7BB2FB44344F004B69C0049B369D7705A49CF80

Function 02E30990 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02E30A64

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: e50e25701ff43d549bef3518ea4401ee919c365e4c2a0e33c0d701fc8a9697ca
Instruction ID: 249b5406a46d0f7d74e2235422071844c9bd1a539ff94995932676468d8a7e1c
Opcode Fuzzy Hash: e50e25701ff43d549bef3518ea4401ee919c365e4c2a0e33c0d701fc8a9697ca
Instruction Fuzzy Hash: 1F211574D4021ADFCF05EFA9E95469EBBB2FB44344F108B69D0049B369EB706A49CF80

Function 02E331E4 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

h_q, xrefs: 02E3326B

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID: h_q
API String ID: 0-1834438436
Opcode ID: 115298ffc315095e174b520765387cd62dfdd7b03b71e77b1390ecafc9b0959f
Instruction ID: 33ccf664f06713c4472f50dd7d29db558d3d0e1cf34f4228b3e31dcc8773def8
Opcode Fuzzy Hash: 115298ffc315095e174b520765387cd62dfdd7b03b71e77b1390ecafc9b0959f
Instruction Fuzzy Hash: D811C232D0838A9BCB129BB9C8101DDBFB6EFCB210F1586A7D110B7165E7702489C7A2

Function 02E339EB Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

h_q, xrefs: 02E33A69

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID: h_q
API String ID: 0-1834438436
Opcode ID: f938f5dc9e2918493594bb736c963b90656cf3a5536233690ffc7b0503e092c7
Instruction ID: 4f3b619756d588c7bd42d0356016d5da738fa821f51e6bf297bfbd0314c7609e
Opcode Fuzzy Hash: f938f5dc9e2918493594bb736c963b90656cf3a5536233690ffc7b0503e092c7
Instruction Fuzzy Hash: D2018032E1060A97DB10DBA9C8401DDF7BAEFC9314F158626E515B3250EB70294ACB60

Function 02E33200 Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

h_q, xrefs: 02E3326B

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID: h_q
API String ID: 0-1834438436
Opcode ID: 005c46a548dd2baa8feea7ac15bc06839f69aadc84a782532811ad134f44c5ca
Instruction ID: 9050ec21c19ec5306c10f9c3786ab5d5369a58b9b7f5944afe8e90950cd43a26
Opcode Fuzzy Hash: 005c46a548dd2baa8feea7ac15bc06839f69aadc84a782532811ad134f44c5ca
Instruction Fuzzy Hash: F7018F32D1060B97CB009BA9C8004DEF7B6EFC9310F158622D11177164EB702599CBA1

Function 02E323FD Relevance: .5, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f98938f1e251a57042b94f158bcb7b63369a525ae089d185bde94797ac627ab5
Instruction ID: 1a3789e2325f7c0cf84147c9c7a336bfd406f07df5527f52599d8de7b918a9a3
Opcode Fuzzy Hash: f98938f1e251a57042b94f158bcb7b63369a525ae089d185bde94797ac627ab5
Instruction Fuzzy Hash: 7841AF70C053899FCB16CFA9C854AEEBFF1AF49310F1480AAE945AB251CB349D45CFA1

Function 02E30B1F Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e2c30a0128ef87ff81d9a4b4df4773220c28f71dd36050c3f100098e4205638
Instruction ID: 41a74eb51944854c373328bc29dba1a8f6c90c7f152d86f159162dc7a273a741
Opcode Fuzzy Hash: 3e2c30a0128ef87ff81d9a4b4df4773220c28f71dd36050c3f100098e4205638
Instruction Fuzzy Hash: 51E11974A002898FCB15DFA9D584A9CBBB2FF49324F1586A8E415EF3A9D730AC45CF50

Function 02E335B0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8869f7afda94aab0d30ec1cd86a0616938e1907e28788a232fb32046c80718d1
Instruction ID: 064bef018720bbdb9a7777bd8882202afefe774ba106cef2bad8baeef630c87b
Opcode Fuzzy Hash: 8869f7afda94aab0d30ec1cd86a0616938e1907e28788a232fb32046c80718d1
Instruction Fuzzy Hash: 5D119071E402048FDB05CF68D4949DEBBF6EF89311F1881A6E401E7621D7319D45CBA0

Function 02E312A3 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9b67f4affcff1d3cfd3903adbdaa68c8f56dea65d54bcc1e11f770cb6cf464
Instruction ID: 4bf782c72650a9e33ccf83046b8797aacc7a276b1b98ab01a525ad4d4b5154c8
Opcode Fuzzy Hash: fb9b67f4affcff1d3cfd3903adbdaa68c8f56dea65d54bcc1e11f770cb6cf464
Instruction Fuzzy Hash: 08A11970A01249CFCB05DFA9C584A9CBBB2FF89325F5586A8E415AF3A9D730AC45CF50

Function 02E33718 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e8e6d9a115121435e0cd1dca0fe61a3a502fedcd9e362f2f3044bf597cc860
Instruction ID: 22c0ab4403ce134cdfc4e7f429492a3ede30a2b29681f296d26471222b2a4f61
Opcode Fuzzy Hash: e6e8e6d9a115121435e0cd1dca0fe61a3a502fedcd9e362f2f3044bf597cc860
Instruction Fuzzy Hash: 89819E75B402058FCB16CF68C548A9EBBF2BF88315F15D694D846AB365CB30EC41CBA0

Function 02E31EC8 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63bd38eb27e0d455928eb115ef1b9a885fa2d5f91e36def69e8cc6ed24fc30fd
Instruction ID: 42fd223e4e64827acb0e24787a138b7a82344c93d9ed524fc4961abdf57dd250
Opcode Fuzzy Hash: 63bd38eb27e0d455928eb115ef1b9a885fa2d5f91e36def69e8cc6ed24fc30fd
Instruction Fuzzy Hash: 08713C34640245CFCB06DF68C544A9DB7F2BF89311F2585A8E509AB365DB36ED41CFA0

Function 02E31EB7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ff1c3ffd64513a649de31e76b53bb609e2f90f6143759c1c23480de5175d88
Instruction ID: a7c52efd2cf503a5498a1a4bc9c5d525690630b89d09e12d423fb97be74decf2
Opcode Fuzzy Hash: f8ff1c3ffd64513a649de31e76b53bb609e2f90f6143759c1c23480de5175d88
Instruction Fuzzy Hash: 6B517D30740205CFCB06DB78C554A9DBBF6BF88314B2485A8E509AB365DB36ED41CFA0

Function 02E33AFF Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 147fc7f55cd0e4a100128b5945a797fc4a1b25f7d9c9e78ef1e5fbb73605175a
Instruction ID: ac7a881cd7b293babb71602a9ca8e8d00a2de959a5b2216cb59f39252830f866
Opcode Fuzzy Hash: 147fc7f55cd0e4a100128b5945a797fc4a1b25f7d9c9e78ef1e5fbb73605175a
Instruction Fuzzy Hash: 4D518E30A007059FDB25CF35C98499ABBF2FF88310B64CA9DE49A97650D731F945CB90

Function 02E329D8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8eb3435f2abe10688cd1df97d2e36802ca1a03c44b2ef53235064e54c6d5d60
Instruction ID: 1188786933aa02f3d0b86154c5fc8ef064fc7b15ffdf124f48809abbfa7d0574
Opcode Fuzzy Hash: f8eb3435f2abe10688cd1df97d2e36802ca1a03c44b2ef53235064e54c6d5d60
Instruction Fuzzy Hash: 2B518D70A002058FCB15CF68C494ACEBBF2EF88324F1596A4D455AB3A5C730ED45CFA0

Function 02E329D1 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7405da84a4998b1890afc095a60d5b10e43ee00c440e627ed99aefb2b017795
Instruction ID: 87867227492c6d0b2a424a27f69167a720a2425fbe63ab9acee6464019b84093
Opcode Fuzzy Hash: b7405da84a4998b1890afc095a60d5b10e43ee00c440e627ed99aefb2b017795
Instruction Fuzzy Hash: C4318D30A402059FCB15DF68D8949CEBBF6EF88324F1486A8E415AB3A5D771ED45CFA0

Function 02E32768 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8507b4a11575c89333e34ba46c7e2b704456b113b57e87759cab1fa94b22c75
Instruction ID: 333ae4cb24a2c5f707299b2f29eec373cd566ce5b2600d66d0e0d3d1123df7db
Opcode Fuzzy Hash: c8507b4a11575c89333e34ba46c7e2b704456b113b57e87759cab1fa94b22c75
Instruction Fuzzy Hash: 723135B0D00249DFDB15CFAAC584ADEBFF5AF48314F248429E949AB250DB349945CFA0

Function 02E31890 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e2e0588616e64e793dbf67319e7373278490bcb4b7341f1b4358e6cd124f7a
Instruction ID: 537f3c7a247c860638774dc8bed86e593bf14c8030b940b44f7a35a6ebbd06ec
Opcode Fuzzy Hash: 45e2e0588616e64e793dbf67319e7373278490bcb4b7341f1b4358e6cd124f7a
Instruction Fuzzy Hash: 8A21AE71D01258EFCF05DBA5D9846DEBFF6EF8A301F1484AAE401AB214DB315D44CB60

Function 02E318A0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5e16fb95d7d50eab9d8adfcd62c3b9ec872acb3c270f9cd84c17997d37f5ec
Instruction ID: c8425d73481ad4ec6d2a08f9bbde35f6a61a1594980b75835a1db4a246a7c465
Opcode Fuzzy Hash: 8c5e16fb95d7d50eab9d8adfcd62c3b9ec872acb3c270f9cd84c17997d37f5ec
Instruction Fuzzy Hash: C521A231E01258AFCF05DFA5DA84ADEBFF6AF89301F1485AAE402BB214DB315D44CB60

Function 02E328A1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aad2dadddf87a77d12cfb8df33c1c143d18c11ee7470215259dbcf2593dcc7a0
Instruction ID: 2a01db5cff0c9acb6f7c2227b794285293bbb08fec746a5bd4a3c31373b7c878
Opcode Fuzzy Hash: aad2dadddf87a77d12cfb8df33c1c143d18c11ee7470215259dbcf2593dcc7a0
Instruction Fuzzy Hash: 33114F32D0060EABCB00CFA9D8406DDFBBAEF99310F254626E810B7250E7707A56CB50

Function 02E328B0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ebc3dec2b6122d55f0b4c4e1e675a228e13b9e843b3347ca89f8edff0db52b
Instruction ID: dd16ab3cf5f2c205d5bc5cc89e6f0076e2a0fed71e76463ce38acd6e51c47fb2
Opcode Fuzzy Hash: 32ebc3dec2b6122d55f0b4c4e1e675a228e13b9e843b3347ca89f8edff0db52b
Instruction Fuzzy Hash: 62115E32D1060EABCF00DFA9D9805DDFBBAEF99310F254626E814B7250E7706A56CB50

Function 02E32BA8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c478dfb88267788cba384776671b4a3b25dacf742c56483e6b678ad63a99fb
Instruction ID: 1bebff4154e618d3077b1948329b1a76e8ce79bbd7159742ad615bf981f6f410
Opcode Fuzzy Hash: 35c478dfb88267788cba384776671b4a3b25dacf742c56483e6b678ad63a99fb
Instruction Fuzzy Hash: FD115B32D1161ADBCF10DFA9D8801CDF7B6FF89310F554626E111B7160EB742956CBA0

Function 02E31A33 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39fdb6d59b7b82936cd0a724a21f4982375323d0b8ba77e1f052ccaa09ff7c87
Instruction ID: 17973f207cb9066b227285b00afd56fc4efa98ef2fcac1585efac4c1535fb4a3
Opcode Fuzzy Hash: 39fdb6d59b7b82936cd0a724a21f4982375323d0b8ba77e1f052ccaa09ff7c87
Instruction Fuzzy Hash: 2501F572E0010E9BCF15DBA4D8599EEFB75EF84321F00862AD01AB7290EF70150BCB91

Function 02E34310 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23755beec71b72f80e1f49be1bf83b30b119c612ff5ec3db42399b08b7b3c89
Instruction ID: f81da631cb5398624944bb367674b2ecce671dcd3b6b7aaa338be901c1b93d61
Opcode Fuzzy Hash: b23755beec71b72f80e1f49be1bf83b30b119c612ff5ec3db42399b08b7b3c89
Instruction Fuzzy Hash: CC01B132D0160AABCB00DFA9D8402DEFBBAEFC9310F254766E110B7250E7742A4ACB51

Function 02E31875 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa54e1f1006b92412d68920854e372d4936d4bda8d827dd9e10f223db2b4e115
Instruction ID: b4b5c5617b65a6de8b41d8fceafcf0f805913341f1e04300965ffcada16dc689
Opcode Fuzzy Hash: aa54e1f1006b92412d68920854e372d4936d4bda8d827dd9e10f223db2b4e115
Instruction Fuzzy Hash: 69012B35E04245EFCF02DBA8E9445DC7F72AF8A320B4881D7D911AF169CA305855CB91

Function 02E319AB Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d75bf33863cfd211217dead4c2480f0b3d1fc39d10a192e667edbcbf18977fbe
Instruction ID: 5a32fea6dbd837cc853d0905c42112a94bc11df5352a06c12bddca9ae8ee7987
Opcode Fuzzy Hash: d75bf33863cfd211217dead4c2480f0b3d1fc39d10a192e667edbcbf18977fbe
Instruction Fuzzy Hash: 9F01B132D1060AABCB04DBA9EC405DDF7B9FFC9310F158766E520B7260EB74244ACB50

Function 02C9D149 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933017577.0000000002C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c9d000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c6eccef629910515f7b07c58f21c18332f3f85d17e5bdc4f866343027832ec
Instruction ID: 2d55f2b39e49a36f4d75d57eef1298e1da90391faaa95a73f9623dce0f85bd63
Opcode Fuzzy Hash: e3c6eccef629910515f7b07c58f21c18332f3f85d17e5bdc4f866343027832ec
Instruction Fuzzy Hash: EB0120730043009AEB10AA16CD88767BFD8DF85334F08C566ED0A5B296C339D440CE71

Function 02E346E1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0950a799391a801ed3333f22ccaa1670c828cc3c4d5ff22c5faabd6556aae107
Instruction ID: d197732d4d07221b4d0a5ed75d5027ac182bd00ea3f0a62fd61180de8e53a5cc
Opcode Fuzzy Hash: 0950a799391a801ed3333f22ccaa1670c828cc3c4d5ff22c5faabd6556aae107
Instruction Fuzzy Hash: 4901D432D1061AABCF04DBA9DC445DDB7B6FFCA310F164666E000B7160EB70254ACB51

Function 02E34320 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda45f0c2ecaf4c504d841e3bd05e4c3fb3a8cc2c7f286535429b1869a480279
Instruction ID: d01dfd773d0d7119afe81a197888ff76bbc1283a3896e470971b55914d53f6a2
Opcode Fuzzy Hash: cda45f0c2ecaf4c504d841e3bd05e4c3fb3a8cc2c7f286535429b1869a480279
Instruction Fuzzy Hash: 72016232D1160EA7CF00DFA9D9401DDFBBAEFD9310F654666E111B7150EB702A4AC791

Function 02E319B8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a7ab200d51aa9e10cac8aa652c212c7add3e678a0f2a1975cb6e2eb45034b5
Instruction ID: b27af627d0c3089fceb0edc0176a19991305da3a785e62e0791c2b81711ee485
Opcode Fuzzy Hash: 09a7ab200d51aa9e10cac8aa652c212c7add3e678a0f2a1975cb6e2eb45034b5
Instruction Fuzzy Hash: 97018F32D1060EA7CB049BA9EC404DDF7BAFFC9310B158766E12473160EB70254ACB90

Function 02E346F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11113fd16be49f61a7e5e401c5b6f64014b14ae89405ccc0aced4f6a51fc1770
Instruction ID: caaf394a3148e93f10859f3ede9ba071ae153176c541c0e4b8610d9e8a2d16a7
Opcode Fuzzy Hash: 11113fd16be49f61a7e5e401c5b6f64014b14ae89405ccc0aced4f6a51fc1770
Instruction Fuzzy Hash: EE018132D1061AA7CB04DBA9DC444DDF7BAEFC9310F154766E111B7160EB70298AC791

Function 02E30881 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6895316c9a0e02495dae9053a721689026e13f028b084c60264212cf25f0f9
Instruction ID: cf38950c3d9303ad1dc0db36ed70a89c0a0846c29eaf6e77bf86671cc57c9281
Opcode Fuzzy Hash: 8c6895316c9a0e02495dae9053a721689026e13f028b084c60264212cf25f0f9
Instruction Fuzzy Hash: 0B014B32D1066A9ACF119BB8DC440DCBB76EFC6310F5A0755D50177164EB74299AC790

Function 02E34768 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 047a01642ccb2a8dd08baac68d7bbefb8b4875ee1201083e1a0be0e02a286ec7
Instruction ID: 0a049fc3c2f980ef358cea93d97b33124cbac85ba1d6a7ae7d4e5669d1fa8c18
Opcode Fuzzy Hash: 047a01642ccb2a8dd08baac68d7bbefb8b4875ee1201083e1a0be0e02a286ec7
Instruction Fuzzy Hash: 41F04632D501099BDF05DB74C8597EFBBB69F84304F04892AC006B7380DF716906C6C2

Function 02E33281 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99684d6721e0c27be1e796c8c0c834c448c71de713aeff5d36abfc11fef31ae3
Instruction ID: 53dab3dd52f274ff7523fd796f320f0b73b0fa037480f2fd9f0597a43d6984f3
Opcode Fuzzy Hash: 99684d6721e0c27be1e796c8c0c834c448c71de713aeff5d36abfc11fef31ae3
Instruction Fuzzy Hash: B4F0F672D0010997DB05DB64C816AEFBBB6AF84304F158966D402B7240DE71A506C7C1

Function 02E3439B Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730b0087f3db5ea55a3cfa85ce0014eaec1282607fc3673c6deb43cfa33e793c
Instruction ID: 4aa714fbfea47c848bb0f3cca19f776ed9b68e98a82f0d38d01a2acc77d5d28b
Opcode Fuzzy Hash: 730b0087f3db5ea55a3cfa85ce0014eaec1282607fc3673c6deb43cfa33e793c
Instruction Fuzzy Hash: 5AF0F6729501099BDF059B74C4156DFBFB59F44314F0489258003F7290DE705906CAD2

Function 02E33A83 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d51a5d1ea286fae2bfe4b962c2347888f6af8b423777dc976cf9cece839a53ca
Instruction ID: ba554fc5edec37ded9a4510d3992e8faf0814f2f4ede013872e935b11af5b2a8
Opcode Fuzzy Hash: d51a5d1ea286fae2bfe4b962c2347888f6af8b423777dc976cf9cece839a53ca
Instruction Fuzzy Hash: B7F0BB72D1010997DF059B74C86AAEFBFB59F44305F048566D503F7340DE715506C6C2

Function 02E32C40 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4a4dd11e83478f06dc31e04974e7c151997db48c85e4cf447cd250d17d96ff
Instruction ID: eee94f0b72bb22880f5fda7a77c1c9f02602e5775174187590fae0d2934bc1a4
Opcode Fuzzy Hash: bb4a4dd11e83478f06dc31e04974e7c151997db48c85e4cf447cd250d17d96ff
Instruction Fuzzy Hash: 39F0C27295014A8BDB05DB74C8299EEBFA25B44300F058A2AD552BB240DF701907CB92

Function 02E32949 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2ddd452501a7f487540d56c375c44d679f73fb6893cbeb9550806a8ab55d27
Instruction ID: e4ee77ab519b4f3782e9f5f74e844e9762624309a79367b1d003cc2c023462dd
Opcode Fuzzy Hash: de2ddd452501a7f487540d56c375c44d679f73fb6893cbeb9550806a8ab55d27
Instruction Fuzzy Hash: 70F0B472D1010A97DF15DB74C459AEFBFB69B84300F558826D512B7380DEB15906C6D2

Function 02E3312A Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e59e116e34a2ecaa30c8eb286061f732b45c8c945e5dbd9c46a3dec0dcd804
Instruction ID: 4fe67fdc51d68c2cb3d2052158ff8ac0c677cdd0767715aaa537992c155c3848
Opcode Fuzzy Hash: a9e59e116e34a2ecaa30c8eb286061f732b45c8c945e5dbd9c46a3dec0dcd804
Instruction Fuzzy Hash: F7014B71A012458FDB06CFACD484A9CBBF1AF89224F15C2A5E419EB2A2C730D881CB20

Function 02C9D148 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933017577.0000000002C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c9d000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c74f415fcbb615e81268d4e0d866f4211e8a841349a0f3a9f7474646c3c24e
Instruction ID: a37353e684ac805c6ab5b050f2059a0df1fd36240300d136786b454d0c8a06f8
Opcode Fuzzy Hash: b3c74f415fcbb615e81268d4e0d866f4211e8a841349a0f3a9f7474646c3c24e
Instruction Fuzzy Hash: DFF062724043449EEB109A1ADC88B62FFA8EF85634F18C45AED095B296C3799944CAB1

Function 02E32C50 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f114996b8762d038eb84a4d0bf2fd920cbfc000742a153b6399b04827df54848
Instruction ID: 5c9013eb6e3a8966499f629cd08211e4fa7c93afd68cd0801aadd69fba6f54e3
Opcode Fuzzy Hash: f114996b8762d038eb84a4d0bf2fd920cbfc000742a153b6399b04827df54848
Instruction Fuzzy Hash: 4DF0E232E501099BDF05DB74C819AEFBFB69F84300F008926C502BB280DEB0690BC7C2

Function 02E30907 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf3d9a8302d9aaeb13600ff479893e72107041700f625ed7177889239d5fda12
Instruction ID: b55d5069441b2c3a84c99ed69924c5f3710d299f2f0b1d8e8c9d7ede95e7552b
Opcode Fuzzy Hash: bf3d9a8302d9aaeb13600ff479893e72107041700f625ed7177889239d5fda12
Instruction Fuzzy Hash: 78F0BE72E501099BEF159B74C469AEFBFB69F84300F05892AD002BB244DEB05907CAC2

Function 02E30908 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3cd79a0732cea70d7da7de5399a7652dacf1aca9158044e89b04934d8b3f79a
Instruction ID: e2ad6607bb09278de3cd9580a5916cac074b9a294fda31d850b1179f5feca3bf
Opcode Fuzzy Hash: e3cd79a0732cea70d7da7de5399a7652dacf1aca9158044e89b04934d8b3f79a
Instruction Fuzzy Hash: F9F0E272E501099BEF05DB74C469AEFBFBA9F84300F018926D002BB244DEB06906C6D2

Function 02E33A90 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e3f0371bd7c7f8a880c31adcf6aa62f9c59b1a10305840993fb4adfca53573
Instruction ID: d3eef3312c5ef7fffd2da7941f1d408888bf1fc800f7d617eee3894525bc6df8
Opcode Fuzzy Hash: 66e3f0371bd7c7f8a880c31adcf6aa62f9c59b1a10305840993fb4adfca53573
Instruction Fuzzy Hash: 6AF08232E5010997DF15DB64C55AAEFBBB69F84301F058926D513B7280DEB15906C6C2

Function 02E313A1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e5b6d043626f70d23fa35b85e26d31cfd869a851fa88eee842dc026368cd74
Instruction ID: 9cd10824cfba028235cc8085af99e9bf2771ba8d192ba33de3631cdbb7bd79ff
Opcode Fuzzy Hash: 25e5b6d043626f70d23fa35b85e26d31cfd869a851fa88eee842dc026368cd74
Instruction Fuzzy Hash: 9FE01AB5C453099FCB40EFB988422AEBFF5EF49200F5085AAC908E7301E2306650CFC1

Function 02E32B3D Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe43d8234043829542036a8aea822baa4dc05f69fc3161bc1dc0d1d0b4e0a74
Instruction ID: a1d56d38482a16d6359b6074a2aea9d2f925915e47e7028bd414b4a63474bbce
Opcode Fuzzy Hash: ffe43d8234043829542036a8aea822baa4dc05f69fc3161bc1dc0d1d0b4e0a74
Instruction Fuzzy Hash: D9D02B31F403248FDB059F6DD8004DCFBA1EFC0630718C2A2C42557266C7B4C602CB91

Function 02E32B4E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3dd8dd9230e5edb611ffbbc1f0650933776439f503df17f1faaf60b2c61559
Instruction ID: 3e28ba2782e2dd711d44f45f341c58d66d222be52c48be55296871f8d5ec734d
Opcode Fuzzy Hash: ce3dd8dd9230e5edb611ffbbc1f0650933776439f503df17f1faaf60b2c61559
Instruction Fuzzy Hash: D5D02B71B442058FDB049FBCE8100DCBBA0DBC423071441BAC026D3253C770C5008B21

Function 02E33C62 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 518d99a85aff7e764980898af12d81b5b6a7fb7e62e6d19aa6c68dc7037aa887
Instruction ID: 15c1daa7358624135e3a55d0a230563a7813e5b7223d6b77b7213ed55aa5169b
Opcode Fuzzy Hash: 518d99a85aff7e764980898af12d81b5b6a7fb7e62e6d19aa6c68dc7037aa887
Instruction Fuzzy Hash: 61D05E71B442099FCB589FACA9045DCBFA0EFC523171582ABD45AD72A2DB308592C772

Function 02E30841 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b955fa317cf80d5a9a7a3bc3e87c84742130cbeb272d99b7a0cd9f15fae1c317
Instruction ID: e075254723cd9cee2da89fab294c2254bcf7d21b76827f332e1564842bb06490
Opcode Fuzzy Hash: b955fa317cf80d5a9a7a3bc3e87c84742130cbeb272d99b7a0cd9f15fae1c317
Instruction Fuzzy Hash: 26E08C71844288AFEB16CBF4C55579D3BB4AB05254F6144E5E848CB211D6328E10C781

Function 02E313B0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef043d575c0f54f122b0501c9fa8b484036c79d8b33f2a125a1e09fb6ee5efe
Instruction ID: b62b7416ca2a5f0ebfbe570725fd742f6eb71ca6a7d9e9e28c84a70a0a3849bc
Opcode Fuzzy Hash: fef043d575c0f54f122b0501c9fa8b484036c79d8b33f2a125a1e09fb6ee5efe
Instruction Fuzzy Hash: 09E042B4D4530E9F8B40EFB988461AEBFF5AB48201F5085AA9908E7600E6705651CFD1

Function 02E30848 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f956aac51a0a11d8ce9cc5a5a2d6d8de7b68e5463cd00c46e2e2551e44aa912d
Instruction ID: e702873138596e10ed4904ea9148a7e3e2b7a118270794ca2532f25a98cebd37
Opcode Fuzzy Hash: f956aac51a0a11d8ce9cc5a5a2d6d8de7b68e5463cd00c46e2e2551e44aa912d
Instruction Fuzzy Hash: DDD01771D45248AFDB12CFF4C90575D7BB8AB05245F604596E448C7205DB329E10C795

Function 02E33188 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f383d14a9c4abcfa316af4fb276dee39126fbaf7e5e6db8196dd55cebe7c83b2
Instruction ID: dd0a10d61fae085a5909ee2cc7d4b4cc0b123159df590e2989754259c8d1302b
Opcode Fuzzy Hash: f383d14a9c4abcfa316af4fb276dee39126fbaf7e5e6db8196dd55cebe7c83b2
Instruction Fuzzy Hash: 18D05E76B452198FCB099FACE4044DCBBE0DA8423071581BBD01AC72A2D670C555C721

Function 02E3317F Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4941ab0add9ca7b426143892007bd82fd9be7b848094e601b726f1b0dfe3305b
Instruction ID: 4ef7be9471169b2f5ee54edfcbdc064d967414d9867dddc1492cfccafa3e0d6e
Opcode Fuzzy Hash: 4941ab0add9ca7b426143892007bd82fd9be7b848094e601b726f1b0dfe3305b
Instruction Fuzzy Hash: 70D05E31A552058EDB088BACE8044ECBBA0EBC1231755C1BAD01A8B2A2D6708552C720

Function 02E3399E Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6a525710553b8dc5f840b788a8296d756bcea9a669abb6bdb6d5f9f9c93bc0
Instruction ID: 6b62e79b7637fac95b9202b6858275dcf012c3d884a85f0d3296c33304164b4d
Opcode Fuzzy Hash: 7d6a525710553b8dc5f840b788a8296d756bcea9a669abb6bdb6d5f9f9c93bc0
Instruction Fuzzy Hash: 9BD0A732B451098FCB119FACA9005DCBBE0DAC513270482A3C555A7165D7208551C732

Function 02E3210D Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f85da6d2e052ea47ed178299c54496db4576fdd2db7f78134600025ef7713b93
Instruction ID: 595a7d7de916bbd3ac4632129cbd00dc45b5861a25aadf23f50c91721b4e71d3
Opcode Fuzzy Hash: f85da6d2e052ea47ed178299c54496db4576fdd2db7f78134600025ef7713b93
Instruction Fuzzy Hash: FDD023317401054FCF05CFE89D000DC77B1D7C413174041F2C21157165C7608953C730

Function 02E32116 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2933217644.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a578f2c55d8aaadf4c0bec6319ad5a0560588096f603280d89468816e3e75cfc
Instruction ID: 199c14a424cc7de82ad5b388155ae16869cf177c569f37610a24aca2761f2b17
Opcode Fuzzy Hash: a578f2c55d8aaadf4c0bec6319ad5a0560588096f603280d89468816e3e75cfc
Instruction Fuzzy Hash: FBD0A932F4020A8FCB159FA8A5000DC7BE09AC813174002B2C62A972A1C760CA55C732

Analysis Process: nQBmwBd90o.exePID: 3696, Parent PID: 1044COMMON

Executed Functions

Function 00750988 Relevance: 3.8, Strings: 3, Instructions: 58COMMON

Download Yara Rule

Strings

Wf, xrefs: 007509A4
LR^q, xrefs: 00750A64
4Xf, xrefs: 007509F5

Memory Dump Source

Source File: 00000004.00000002.1741551683.0000000000750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_750000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID: 4Xf$LR^q$Wf
API String ID: 0-4244044835
Opcode ID: 65fec4caab2899e407e7f80c4dea38605d814fa9f962100d3299571d761b009c
Instruction ID: 207980f53f097d9d1142037ed8664352bddacbd8b1d286374b8d8bc43af35133
Opcode Fuzzy Hash: 65fec4caab2899e407e7f80c4dea38605d814fa9f962100d3299571d761b009c
Instruction Fuzzy Hash: D82138709102099FCF81EFA8E94559DBFF2FB44304F109569D005AF36ADBB55A49CF81

Function 00750990 Relevance: 3.8, Strings: 3, Instructions: 56COMMON

Download Yara Rule

Strings

Wf, xrefs: 007509A4
LR^q, xrefs: 00750A64
4Xf, xrefs: 007509F5

Memory Dump Source

Source File: 00000004.00000002.1741551683.0000000000750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_750000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID: 4Xf$LR^q$Wf
API String ID: 0-4244044835
Opcode ID: d943dd50ecdf7973f88ef37a9840c387eed4b163a72d32f38a4c37145a95624a
Instruction ID: ed52d11f42070fed4c02cd588d67f1c9900907b67de10fd44698582613519177
Opcode Fuzzy Hash: d943dd50ecdf7973f88ef37a9840c387eed4b163a72d32f38a4c37145a95624a
Instruction Fuzzy Hash: 812145709102099FCB81FFA8E94169DBBF2FB44304F009969D005AF36AEBB55A49CF80

Function 00750798 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

xSf, xrefs: 007507D4

Memory Dump Source

Source File: 00000004.00000002.1741551683.0000000000750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_750000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID: xSf
API String ID: 0-2430872064
Opcode ID: 8cc0779db286067f1a5cbca956aebd668bbca6805b69dc95127d5cdeb54ffcf2
Instruction ID: 5fb4b059afa244c70566c3ebe25423c0d1743a82bee2c3a9c83569de4662c28b
Opcode Fuzzy Hash: 8cc0779db286067f1a5cbca956aebd668bbca6805b69dc95127d5cdeb54ffcf2
Instruction Fuzzy Hash: E011886240E7D05FC703DB7899242897FB19F57301F0A04E7D480CB1A3E6A89E4CC3AA

Function 007506C7 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1741551683.0000000000750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_750000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312499c51d28c7a77434b4da08d467875f6f4390b14af6f296d0bdba4f1c5fcd
Instruction ID: a91af97efbec5c4ab09ec07a39adaf864f12fa37ba15344d9f2121d9a8167310
Opcode Fuzzy Hash: 312499c51d28c7a77434b4da08d467875f6f4390b14af6f296d0bdba4f1c5fcd
Instruction Fuzzy Hash: 993147A281E7C05FDB038B7488652857F719F27345F0A05DBC4C1CB1A3E6A99D1EC3A6

Function 00750877 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1741551683.0000000000750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_750000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8853c700e69ab43e8c285bc9a05afc7d47353fc811b044a97f736bdd23d91a2f
Instruction ID: c62cc9cb35ebe0486c5bf46d0814595309a451054727c6e95a478dafce04a857
Opcode Fuzzy Hash: 8853c700e69ab43e8c285bc9a05afc7d47353fc811b044a97f736bdd23d91a2f
Instruction Fuzzy Hash: 8401B132D1469A9BCF11CBB4CC500DCBB72EED6300F5A0696D001B7160E7B42A9AC761

Function 007508F9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1741551683.0000000000750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_750000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa86a31460ee7db9931b16f9c2057f23a4ab6ff47b10668a492a15e3716746c
Instruction ID: 901fcfb529ac4ba3ab147878ea31c900095df4a3aa7139125186fa1274ff844c
Opcode Fuzzy Hash: 1fa86a31460ee7db9931b16f9c2057f23a4ab6ff47b10668a492a15e3716746c
Instruction Fuzzy Hash: D9F02272D105089BDF14DB30C8559EFBFB6AF80300F04852AC867B7294DFB0690A8AC2

Function 00750908 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1741551683.0000000000750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_750000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb5b8e6297b5dbcb53c0008e9121afa004426d2f45bf95ad55efc863c693001
Instruction ID: 7a94fddeb53988c7dc359c39ebb128a82c68d73eea2c81c1b9c3b5a9c93d5c61
Opcode Fuzzy Hash: abb5b8e6297b5dbcb53c0008e9121afa004426d2f45bf95ad55efc863c693001
Instruction Fuzzy Hash: 04F0E272E101099BDF04DB74C4659EFFFBA9F84300F008526D412BB284DFB0690A86D2

Function 00750848 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1741551683.0000000000750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_750000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497170c178aa9832d3e9cf4afb6d816b86f0bbbf23327952f19a603491794eb0
Instruction ID: 969f1d61e3bfee23c42f34d13b9255947b7a333420f039bf8764f70ec75e8569
Opcode Fuzzy Hash: 497170c178aa9832d3e9cf4afb6d816b86f0bbbf23327952f19a603491794eb0
Instruction Fuzzy Hash: F2D0C771804208AFDB01CFB4C90479C7BB8AB04240F200096E848C7200DA31AE00C781

Function 007513B0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1741551683.0000000000750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_750000_nQBmwBd90o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef043d575c0f54f122b0501c9fa8b484036c79d8b33f2a125a1e09fb6ee5efe
Instruction ID: c9d005ef90a3675c648e8fbccab08657d559198cd21f743522fd438f8309e6da
Opcode Fuzzy Hash: fef043d575c0f54f122b0501c9fa8b484036c79d8b33f2a125a1e09fb6ee5efe
Instruction Fuzzy Hash: 9DE042B4D0530E9F8B80EFB988421AEBFF5AB48201F6085AA9908E3201E67456558BD1

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nQBmwBd90o.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: XenoRAT

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nQBmwBd90o.exe.log

C:\Users\user\AppData\Local\Temp\tmp86AB.tmp

C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe

C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
nQBmwBd90o.exe