Edit tour

Windows Analysis Report
xdPdkPMD8u.exe

Overview

General Information

Sample Name:	xdPdkPMD8u.exe
Original Sample Name:	1f4b7d2f534977627fa2a529013a5b58.exe
Analysis ID:	1347485
MD5:	1f4b7d2f534977627fa2a529013a5b58
SHA1:	88077cc48814bc2743ab721f4ae6a5a09724e6ee
SHA256:	dfe9486e22f4ff0d0c02ec2b0db5c50ee4e3b1c5309f0a39043640e19bada517
Tags:	exenjratRAT
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Njrat

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Uses netsh to modify the Windows network and firewall settings

Connects to many ports of the same IP (likely port scanning)

Protects its processes via BreakOnTermination flag

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Modifies the windows firewall

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

May infect USB drives

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

IP address seen in connection with other malware

Abnormal high CPU Usage

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Classification

Process Tree

System is w10x64

xdPdkPMD8u.exe (PID: 5712 cmdline: C:\Users\user\Desktop\xdPdkPMD8u.exe MD5: 1F4B7D2F534977627FA2A529013A5B58)

netsh.exe (PID: 1488 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\xdPdkPMD8u.exe" "xdPdkPMD8u.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 2960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "2.tcp.eu.ngrok.io", "Port": "10759", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "server.exe", "Install Dir": "TEMP"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
xdPdkPMD8u.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
xdPdkPMD8u.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7efa:$a3: Download ERROR 0x81ec:$a5: netsh firewall delete allowedprogram "
xdPdkPMD8u.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80e2:$a1: netsh firewall add allowedprogram 0x82dc:$b1: [TAP] 0x8282:$b2: & exit 0x824e:$c1: md.exe /k ping 0 & del
xdPdkPMD8u.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81ec:$s1: netsh firewall delete allowedprogram 0x80e2:$s2: netsh firewall add allowedprogram 0x824c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ed6:$s4: Execute ERROR 0x7f36:$s4: Execute ERROR 0x7efa:$s5: Download ERROR 0x8292:$s6: [kl]

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2078917135.0000000000D22000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.2078917135.0000000000D22000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x62c1:$a1: get_Registry 0x7cfa:$a3: Download ERROR 0x7fec:$a5: netsh firewall delete allowedprogram "
00000000.00000000.2078917135.0000000000D22000.00000002.00000001.01000000.00000003.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x7ee2:$a1: netsh firewall add allowedprogram 0x80dc:$b1: [TAP] 0x8082:$b2: & exit 0x804e:$c1: md.exe /k ping 0 & del
00000000.00000002.4525404561.0000000003401000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: xdPdkPMD8u.exe PID: 5712	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.xdPdkPMD8u.exe.d20000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.xdPdkPMD8u.exe.d20000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7efa:$a3: Download ERROR 0x81ec:$a5: netsh firewall delete allowedprogram "
0.0.xdPdkPMD8u.exe.d20000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80e2:$a1: netsh firewall add allowedprogram 0x82dc:$b1: [TAP] 0x8282:$b2: & exit 0x824e:$c1: md.exe /k ping 0 & del
0.0.xdPdkPMD8u.exe.d20000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81ec:$s1: netsh firewall delete allowedprogram 0x80e2:$s2: netsh firewall add allowedprogram 0x824c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ed6:$s4: Execute ERROR 0x7f36:$s4: Execute ERROR 0x7efa:$s5: Download ERROR 0x8292:$s6: [kl]

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.6 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.63.126.37.1849718107592033132 11/24/23-16:13:05.300630
SID:	2033132
Source Port:	49718
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.6 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.63.126.37.1849722107592814856 11/24/23-16:15:13.194642
SID:	2814856
Source Port:	49722
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.6 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.63.126.37.1849718107592825564 11/24/23-16:13:56.460259
SID:	2825564
Source Port:	49718
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.6 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.618.197.239.549721107592825564 11/24/23-16:14:49.393658
SID:	2825564
Source Port:	49721
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.6 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.618.192.93.8649709107592814860 11/24/23-16:13:00.582714
SID:	2814860
Source Port:	49709
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.6 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.618.197.239.549721107592825563 11/24/23-16:14:09.436462
SID:	2825563
Source Port:	49721
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.6 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.618.197.239.549721107592033132 11/24/23-16:14:09.256486
SID:	2033132
Source Port:	49721
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.6 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.618.197.239.549721107592814860 11/24/23-16:14:51.164181
SID:	2814860
Source Port:	49721
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.6 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.63.126.37.1849722107592825564 11/24/23-16:15:56.549651
SID:	2825564
Source Port:	49722
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.6 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.618.192.93.8649709107592814856 11/24/23-16:12:01.760226
SID:	2814856
Source Port:	49709
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.6 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.63.126.37.1849722107592825563 11/24/23-16:15:13.194642
SID:	2825563
Source Port:	49722
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.6 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.618.197.239.549721107592814856 11/24/23-16:14:09.436462
SID:	2814856
Source Port:	49721
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.6 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.63.126.37.1849718107592814856 11/24/23-16:13:05.487198
SID:	2814856
Source Port:	49718
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.6 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.618.192.93.8649709107592825564 11/24/23-16:13:00.582714
SID:	2825564
Source Port:	49709
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.6 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.618.192.93.8649709107592033132 11/24/23-16:12:01.576847
SID:	2033132
Source Port:	49709
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.6 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.618.192.93.8649709107592825563 11/24/23-16:12:01.760226
SID:	2825563
Source Port:	49709
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.6 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.63.126.37.1849722107592814860 11/24/23-16:15:57.286440
SID:	2814860
Source Port:	49722
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.6 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.63.126.37.1849718107592814860 11/24/23-16:13:56.460259
SID:	2814860
Source Port:	49718
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.6 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.63.126.37.1849722107592033132 11/24/23-16:15:13.011312
SID:	2033132
Source Port:	49722
Destination Port:	10759
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000000.2078917135.0000000000D22000.00000002.00000001.01000000.00000003.sdmp

Malware Configuration Extractor: Njrat {"Host": "2.tcp.eu.ngrok.io", "Port": "10759", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "server.exe", "Install Dir": "TEMP"}

Multi AV Scanner detection for submitted file

Source: xdPdkPMD8u.exe	ReversingLabs: Detection: 94%
Source: xdPdkPMD8u.exe	Virustotal: Detection: 88%			Perma Link

Yara detected Njrat

Source: Yara match	File source: xdPdkPMD8u.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xdPdkPMD8u.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2078917135.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4525404561.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xdPdkPMD8u.exe PID: 5712, type: MEMORYSTR

Antivirus / Scanner detection for submitted sample

Source: xdPdkPMD8u.exe

Avira: detected

Antivirus detection for URL or domain

Source: 2.tcp.eu.ngrok.io

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: 2.tcp.eu.ngrok.io	Virustotal: Detection: 15%			Perma Link
Source: 2.tcp.eu.ngrok.io	Virustotal: Detection: 15%			Perma Link

Machine Learning detection for sample

Source: xdPdkPMD8u.exe

Joe Sandbox ML: detected

Source: xdPdkPMD8u.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: xdPdkPMD8u.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: xdPdkPMD8u.exe, 00000000.00000000.2078917135.0000000000D22000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: xdPdkPMD8u.exe, 00000000.00000000.2078917135.0000000000D22000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: xdPdkPMD8u.exe, 00000000.00000002.4525404561.0000000003401000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: xdPdkPMD8u.exe, 00000000.00000002.4525404561.0000000003401000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: xdPdkPMD8u.exe	Binary or memory string: autorun.inf
Source: xdPdkPMD8u.exe	Binary or memory string: [autorun]

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.6:49709 -> 18.192.93.86:10759
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.6:49709 -> 18.192.93.86:10759
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.6:49709 -> 18.192.93.86:10759
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.6:49709 -> 18.192.93.86:10759
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.6:49709 -> 18.192.93.86:10759
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.6:49718 -> 3.126.37.18:10759
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.6:49718 -> 3.126.37.18:10759
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.6:49718 -> 3.126.37.18:10759
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.6:49718 -> 3.126.37.18:10759
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.6:49721 -> 18.197.239.5:10759
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.6:49721 -> 18.197.239.5:10759
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.6:49721 -> 18.197.239.5:10759
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.6:49721 -> 18.197.239.5:10759
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.6:49721 -> 18.197.239.5:10759
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.6:49722 -> 3.126.37.18:10759
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.6:49722 -> 3.126.37.18:10759
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.6:49722 -> 3.126.37.18:10759
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.6:49722 -> 3.126.37.18:10759
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.6:49722 -> 3.126.37.18:10759

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 18.192.93.86 ports 0,1,5,10759,7,9
Source: global traffic	TCP traffic: 3.126.37.18 ports 0,1,5,10759,7,9
Source: global traffic	TCP traffic: 18.197.239.5 ports 0,1,5,10759,7,9

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 2.tcp.eu.ngrok.io

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: Joe Sandbox View	IP Address: 18.192.93.86 18.192.93.86
Source: Joe Sandbox View	IP Address: 3.126.37.18 3.126.37.18
Source: Joe Sandbox View	IP Address: 18.197.239.5 18.197.239.5

Source: global traffic	TCP traffic: 192.168.2.6:49709 -> 18.192.93.86:10759
Source: global traffic	TCP traffic: 192.168.2.6:49718 -> 3.126.37.18:10759
Source: global traffic	TCP traffic: 192.168.2.6:49721 -> 18.197.239.5:10759

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: xdPdkPMD8u.exe

String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0

Source: unknown

DNS traffic detected: queries for: 2.tcp.eu.ngrok.io

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: xdPdkPMD8u.exe, kl.cs

.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: xdPdkPMD8u.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xdPdkPMD8u.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2078917135.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4525404561.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xdPdkPMD8u.exe PID: 5712, type: MEMORYSTR

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: xdPdkPMD8u.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: xdPdkPMD8u.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: xdPdkPMD8u.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.xdPdkPMD8u.exe.d20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.xdPdkPMD8u.exe.d20000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.xdPdkPMD8u.exe.d20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.2078917135.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.2078917135.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter

Source: xdPdkPMD8u.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: xdPdkPMD8u.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: xdPdkPMD8u.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: xdPdkPMD8u.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.xdPdkPMD8u.exe.d20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.xdPdkPMD8u.exe.d20000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.xdPdkPMD8u.exe.d20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.2078917135.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.2078917135.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe

Code function: 0_2_0163169F

0_2_0163169F

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Code function: 0_2_0151B74A NtSetInformationProcess,	0_2_0151B74A
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Code function: 0_2_0151BB66 NtQuerySystemInformation,	0_2_0151BB66
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Code function: 0_2_0151B728 NtSetInformationProcess,	0_2_0151B728
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Code function: 0_2_0151BB2B NtQuerySystemInformation,	0_2_0151BB2B

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe

Process Stats: CPU usage > 49%

Source: xdPdkPMD8u.exe, 00000000.00000002.4524433667.000000000118E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs xdPdkPMD8u.exe

Source: xdPdkPMD8u.exe	ReversingLabs: Detection: 94%
Source: xdPdkPMD8u.exe	Virustotal: Detection: 88%

Source: xdPdkPMD8u.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xdPdkPMD8u.exe C:\Users\user\Desktop\xdPdkPMD8u.exe
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\xdPdkPMD8u.exe" "xdPdkPMD8u.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\xdPdkPMD8u.exe" "xdPdkPMD8u.exe" ENABLE	Jump to behavior

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Code function: 0_2_0151B3FA AdjustTokenPrivileges,		0_2_0151B3FA
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Code function: 0_2_0151B3C3 AdjustTokenPrivileges,		0_2_0151B3C3

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/1@4/3

Source: xdPdkPMD8u.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Mutant created: \Sessions\1\BaseNamedObjects\661b6ea41f1ed0c4de944947a67f44a1
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2960:120:WilError_03

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: xdPdkPMD8u.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: xdPdkPMD8u.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: xdPdkPMD8u.exe, OK.cs

.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe TID: 2056	Thread sleep time: -570000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe TID: 2056	Thread sleep time: -4714000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Window / User API: threadDelayed 570	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Window / User API: threadDelayed 3332	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Window / User API: threadDelayed 4714	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Window / User API: foregroundWindowGot 404	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Window / User API: foregroundWindowGot 1351	Jump to behavior

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe

Process information queried: ProcessInformation

Jump to behavior

Source: xdPdkPMD8u.exe, 00000000.00000002.4524433667.0000000001216000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: netsh.exe, 00000002.00000003.2146103829.00000000031D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: xdPdkPMD8u.exe, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: xdPdkPMD8u.exe, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: xdPdkPMD8u.exe, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: xdPdkPMD8u.exe, 00000000.00000002.4525404561.00000000036D9000.00000004.00000800.00020000.00000000.sdmp, xdPdkPMD8u.exe, 00000000.00000002.4525404561.0000000003751000.00000004.00000800.00020000.00000000.sdmp, xdPdkPMD8u.exe, 00000000.00000002.4525404561.0000000003614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: xdPdkPMD8u.exe, 00000000.00000002.4525404561.00000000036D9000.00000004.00000800.00020000.00000000.sdmp, xdPdkPMD8u.exe, 00000000.00000002.4525404561.0000000003751000.00000004.00000800.00020000.00000000.sdmp, xdPdkPMD8u.exe, 00000000.00000002.4525404561.0000000003614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9Ll
Source: xdPdkPMD8u.exe, 00000000.00000002.4525404561.0000000003401000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.Llt
Source: xdPdkPMD8u.exe, 00000000.00000002.4525404561.0000000003546000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.Ll-Z
Source: xdPdkPMD8u.exe, 00000000.00000002.4525404561.00000000036D9000.00000004.00000800.00020000.00000000.sdmp, xdPdkPMD8u.exe, 00000000.00000002.4525404561.0000000003664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.LlTg
Source: xdPdkPMD8u.exe, 00000000.00000002.4524433667.00000000011BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .EXEProgram Manager
Source: xdPdkPMD8u.exe, 00000000.00000002.4525404561.0000000003401000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.Llx
Source: xdPdkPMD8u.exe, 00000000.00000002.4525404561.0000000003546000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program manager
Source: xdPdkPMD8u.exe, 00000000.00000002.4525404561.00000000036D9000.00000004.00000800.00020000.00000000.sdmp, xdPdkPMD8u.exe, 00000000.00000002.4525404561.0000000003614000.00000004.00000800.00020000.00000000.sdmp, xdPdkPMD8u.exe, 00000000.00000002.4525404561.000000000375D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.Ll
Source: xdPdkPMD8u.exe, 00000000.00000002.4525404561.0000000003401000.00000004.00000800.00020000.00000000.sdmp, xdPdkPMD8u.exe, 00000000.00000002.4525404561.0000000003546000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.Ll<
Source: xdPdkPMD8u.exe, 00000000.00000002.4525404561.00000000037D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.Ll,y.

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xdPdkPMD8u.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\xdPdkPMD8u.exe" "xdPdkPMD8u.exe" ENABLE

Modifies the windows firewall

Source: C:\Users\user\Desktop\xdPdkPMD8u.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\xdPdkPMD8u.exe" "xdPdkPMD8u.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: xdPdkPMD8u.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xdPdkPMD8u.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2078917135.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4525404561.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xdPdkPMD8u.exe PID: 5712, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: xdPdkPMD8u.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xdPdkPMD8u.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2078917135.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4525404561.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xdPdkPMD8u.exe PID: 5712, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
1 Replication Through Removable Media	1 Native API	Path Interception	1 Access Token Manipulation	1 Virtualization/Sandbox Evasion	1 Input Capture	1 Security Software Discovery	1 Replication Through Removable Media	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Process Injection	21 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Access Token Manipulation	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	2 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	11 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
xdPdkPMD8u.exe	95%	ReversingLabs	ByteCode-MSIL.Backdoor.Ratenjay
xdPdkPMD8u.exe	89%	Virustotal		Browse
xdPdkPMD8u.exe	100%	Avira	TR/ATRAPS.Gen
xdPdkPMD8u.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
2.tcp.eu.ngrok.io	16%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
2.tcp.eu.ngrok.io	100%	Avira URL Cloud	malware
2.tcp.eu.ngrok.io	16%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
2.tcp.eu.ngrok.io	18.192.93.86	true	true	16%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
2.tcp.eu.ngrok.io	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0	xdPdkPMD8u.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
18.192.93.86	2.tcp.eu.ngrok.io	United States	16509	AMAZON-02US	true
3.126.37.18	unknown	United States	16509	AMAZON-02US	true
18.197.239.5	unknown	United States	16509	AMAZON-02US	true

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1347485
Start date and time:	2023-11-24 16:11:05 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	xdPdkPMD8u.exe renamed because original name is a hash value
Original Sample Name:	1f4b7d2f534977627fa2a529013a5b58.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/1@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 89 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:12:33	API Interceptor	239089x Sleep call for process: xdPdkPMD8u.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
18.192.93.86	P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	RedLine	Browse	2.tcp.eu.ngrok.io:17685/
18.192.93.86	http://www.sdrclm.cn/vendor/phpdocumentor/P800/P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	RedLine	Browse	2.tcp.eu.ngrok.io:17685/
3.126.37.18	VBUXm77rfL.exe	Get hash	malicious	Njrat	Browse
	gEuhLHV0.posh.ps1	Get hash	malicious	Metasploit	Browse
	MibKbjH4.posh.ps1	Get hash	malicious	Unknown	Browse
	kXghM8bJcm.exe	Get hash	malicious	Njrat	Browse
	OUXkIxeP6k.exe	Get hash	malicious	Njrat	Browse
	eI43OwXSvq.exe	Get hash	malicious	Njrat	Browse
	p0zYXkMETE.exe	Get hash	malicious	Njrat	Browse
	i9z1c1OtFb.exe	Get hash	malicious	Njrat	Browse
	7XyFhq6BDj.exe	Get hash	malicious	Njrat	Browse
	JYGc3o49WE.exe	Get hash	malicious	Njrat	Browse
	J6VIiRgq3w.exe	Get hash	malicious	Njrat	Browse
	cTUu5Po5Hy.exe	Get hash	malicious	Njrat	Browse
	KcWQQO3nZP.exe	Get hash	malicious	Njrat	Browse
	zep8vTa4sg.exe	Get hash	malicious	Njrat	Browse
	u1LwUkKDIF.exe	Get hash	malicious	Njrat	Browse
	QBEgLAO40T.exe	Get hash	malicious	Njrat	Browse
	yPGBUzqVE3.exe	Get hash	malicious	Njrat	Browse
	LMva1J8Xkv.exe	Get hash	malicious	Njrat	Browse
	XlNjZS4E8x.exe	Get hash	malicious	Njrat	Browse
	YQAqWBVnuI.exe	Get hash	malicious	Njrat	Browse
18.197.239.5	P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	RedLine	Browse	2.tcp.eu.ngrok.io:17685/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
2.tcp.eu.ngrok.io	VBUXm77rfL.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	1UGdjTlX5v.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	kXghM8bJcm.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	OUXkIxeP6k.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	QzzmZiGinp.exe	Get hash	malicious	Njrat	Browse	18.156.13.209
	eI43OwXSvq.exe	Get hash	malicious	Njrat	Browse	18.197.239.5
	p0zYXkMETE.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	i9z1c1OtFb.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	aF73k2XwGj.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	7XyFhq6BDj.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	JYGc3o49WE.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	J6VIiRgq3w.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	cTUu5Po5Hy.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	7JdbeSrZ6s.exe	Get hash	malicious	Njrat	Browse	3.127.138.57
	KcWQQO3nZP.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	zep8vTa4sg.exe	Get hash	malicious	Njrat	Browse	18.156.13.209
	umyExrpkSF.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	u1LwUkKDIF.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	QBEgLAO40T.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	ps2ZmIdNTG.exe	Get hash	malicious	Njrat	Browse	18.157.68.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://events.bizzabo.com/auth/emailAssociatedLogin/verify=%20TokenAndRedirect?token=3DS9NcmjZghhHTu-K8Bn2uA9CkNhbMdZVLD_YG9HzIwMWMvvRTd-=%20dklFn2bExx7385&eventGroupId=3D26969&redirectUrl=3Dhttps://elladobue=%20nodecadadia.com/...hummm/606prime/dave.cox11/24/2023/dave.cox@midlandcomput=%20ers.com/	Get hash	malicious	Unknown	Browse	52.85.132.103
	https://login-rnicrosotfonline-serviceportal-servercommon-oauth2.necfc.com/?document=ZWRpbmJ1cmdoLm1vdGlvbnNAc2xhdGVyZ29yZG9uLmNvLnVr	Get hash	malicious	Unknown	Browse	99.84.191.44
	xpKemuNsr6Zc.exe	Get hash	malicious	Remcos	Browse	3.16.65.63
	https://edwinvierhout.us9.list-manage.com/track/click?u=41b8e69db17efd4828bbb0f5c&id=ce66fc9a35&e=46b299a450	Get hash	malicious	HTMLPhisher	Browse	44.233.8.190
	https://docsend.com/view/cetxcrfsj2p6kdnz	Get hash	malicious	HTMLPhisher	Browse	99.84.191.24
	https://theperfectgifts.info/check_balance.php	Get hash	malicious	Unknown	Browse	52.85.151.65
	skid.x86.elf	Get hash	malicious	Moobot	Browse	44.239.110.214
	skid.arm.elf	Get hash	malicious	Moobot	Browse	52.41.52.85
	Factura_F464F.html	Get hash	malicious	HTMLPhisher	Browse	108.138.119.56
	nf.msi	Get hash	malicious	Unknown	Browse	108.138.85.22
	https://app.permislib.fr/inscription-stagiaire/	Get hash	malicious	Unknown	Browse	52.85.132.25
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	35.181.243.47
	http://url9956.onlineregistration.cc/ls/click?upn=CfbsCNqJa51AuutfvOpXE1Mq9MsGPmr8ThwF84QBOrGXQjp8ceUkDNekhgCQgkLy6yTE1rOL915x-2BjR2KMmk7tOOpDG5j9A2oWmKaFjNX7c-3DSl2A_zf6F8qk8KC9gvavchGXMu6UDLZaxClTGKSUc238Tq3vZMMm4rIacYYjuryPerleP5V7USSofg6mi6MEqMENHbXZjIsMTXjEC6Hw16MaI4uvq9DjJCCVxDvRFdVJPWki7oUCjYiuA7TxghQxHYMs-2Bww-2Fm1Fprl-2FKP2BazwhjoRuprsgKUthZ2QNdXfNkgO5nmR-2FcLAj7HLetpaqF5q7a78Q-3D-3D	Get hash	malicious	HTMLPhisher	Browse	52.85.151.98
	https://publuu.com/flip-book/307907/720507	Get hash	malicious	HTMLPhisher	Browse	99.84.216.16
	SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf	Get hash	malicious	Mirai	Browse	52.32.127.121
	bWZQRQVOya.elf	Get hash	malicious	Mirai, Moobot	Browse	18.181.13.127
	XiXfibRqWs.elf	Get hash	malicious	Mirai	Browse	54.247.62.1
	NNzDMQ4j.posh.ps1	Get hash	malicious	Metasploit	Browse	18.176.183.3
	WiwGPyCg.posh.ps1	Get hash	malicious	Metasploit	Browse	18.177.60.68
	pRTxEBSE.posh.ps1	Get hash	malicious	Metasploit	Browse	18.177.76.42
AMAZON-02US	https://events.bizzabo.com/auth/emailAssociatedLogin/verify=%20TokenAndRedirect?token=3DS9NcmjZghhHTu-K8Bn2uA9CkNhbMdZVLD_YG9HzIwMWMvvRTd-=%20dklFn2bExx7385&eventGroupId=3D26969&redirectUrl=3Dhttps://elladobue=%20nodecadadia.com/...hummm/606prime/dave.cox11/24/2023/dave.cox@midlandcomput=%20ers.com/	Get hash	malicious	Unknown	Browse	52.85.132.103
	https://login-rnicrosotfonline-serviceportal-servercommon-oauth2.necfc.com/?document=ZWRpbmJ1cmdoLm1vdGlvbnNAc2xhdGVyZ29yZG9uLmNvLnVr	Get hash	malicious	Unknown	Browse	99.84.191.44
	xpKemuNsr6Zc.exe	Get hash	malicious	Remcos	Browse	3.16.65.63
	https://edwinvierhout.us9.list-manage.com/track/click?u=41b8e69db17efd4828bbb0f5c&id=ce66fc9a35&e=46b299a450	Get hash	malicious	HTMLPhisher	Browse	44.233.8.190
	https://docsend.com/view/cetxcrfsj2p6kdnz	Get hash	malicious	HTMLPhisher	Browse	99.84.191.24
	https://theperfectgifts.info/check_balance.php	Get hash	malicious	Unknown	Browse	52.85.151.65
	skid.x86.elf	Get hash	malicious	Moobot	Browse	44.239.110.214
	skid.arm.elf	Get hash	malicious	Moobot	Browse	52.41.52.85
	Factura_F464F.html	Get hash	malicious	HTMLPhisher	Browse	108.138.119.56
	nf.msi	Get hash	malicious	Unknown	Browse	108.138.85.22
	https://app.permislib.fr/inscription-stagiaire/	Get hash	malicious	Unknown	Browse	52.85.132.25
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	35.181.243.47
	http://url9956.onlineregistration.cc/ls/click?upn=CfbsCNqJa51AuutfvOpXE1Mq9MsGPmr8ThwF84QBOrGXQjp8ceUkDNekhgCQgkLy6yTE1rOL915x-2BjR2KMmk7tOOpDG5j9A2oWmKaFjNX7c-3DSl2A_zf6F8qk8KC9gvavchGXMu6UDLZaxClTGKSUc238Tq3vZMMm4rIacYYjuryPerleP5V7USSofg6mi6MEqMENHbXZjIsMTXjEC6Hw16MaI4uvq9DjJCCVxDvRFdVJPWki7oUCjYiuA7TxghQxHYMs-2Bww-2Fm1Fprl-2FKP2BazwhjoRuprsgKUthZ2QNdXfNkgO5nmR-2FcLAj7HLetpaqF5q7a78Q-3D-3D	Get hash	malicious	HTMLPhisher	Browse	52.85.151.98
	https://publuu.com/flip-book/307907/720507	Get hash	malicious	HTMLPhisher	Browse	99.84.216.16
	SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf	Get hash	malicious	Mirai	Browse	52.32.127.121
	bWZQRQVOya.elf	Get hash	malicious	Mirai, Moobot	Browse	18.181.13.127
	XiXfibRqWs.elf	Get hash	malicious	Mirai	Browse	54.247.62.1
	NNzDMQ4j.posh.ps1	Get hash	malicious	Metasploit	Browse	18.176.183.3
	WiwGPyCg.posh.ps1	Get hash	malicious	Metasploit	Browse	18.177.60.68
	pRTxEBSE.posh.ps1	Get hash	malicious	Metasploit	Browse	18.177.76.42
AMAZON-02US	https://events.bizzabo.com/auth/emailAssociatedLogin/verify=%20TokenAndRedirect?token=3DS9NcmjZghhHTu-K8Bn2uA9CkNhbMdZVLD_YG9HzIwMWMvvRTd-=%20dklFn2bExx7385&eventGroupId=3D26969&redirectUrl=3Dhttps://elladobue=%20nodecadadia.com/...hummm/606prime/dave.cox11/24/2023/dave.cox@midlandcomput=%20ers.com/	Get hash	malicious	Unknown	Browse	52.85.132.103
	https://login-rnicrosotfonline-serviceportal-servercommon-oauth2.necfc.com/?document=ZWRpbmJ1cmdoLm1vdGlvbnNAc2xhdGVyZ29yZG9uLmNvLnVr	Get hash	malicious	Unknown	Browse	99.84.191.44
	xpKemuNsr6Zc.exe	Get hash	malicious	Remcos	Browse	3.16.65.63
	https://edwinvierhout.us9.list-manage.com/track/click?u=41b8e69db17efd4828bbb0f5c&id=ce66fc9a35&e=46b299a450	Get hash	malicious	HTMLPhisher	Browse	44.233.8.190
	https://docsend.com/view/cetxcrfsj2p6kdnz	Get hash	malicious	HTMLPhisher	Browse	99.84.191.24
	https://theperfectgifts.info/check_balance.php	Get hash	malicious	Unknown	Browse	52.85.151.65
	skid.x86.elf	Get hash	malicious	Moobot	Browse	44.239.110.214
	skid.arm.elf	Get hash	malicious	Moobot	Browse	52.41.52.85
	Factura_F464F.html	Get hash	malicious	HTMLPhisher	Browse	108.138.119.56
	nf.msi	Get hash	malicious	Unknown	Browse	108.138.85.22
	https://app.permislib.fr/inscription-stagiaire/	Get hash	malicious	Unknown	Browse	52.85.132.25
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	35.181.243.47
	http://url9956.onlineregistration.cc/ls/click?upn=CfbsCNqJa51AuutfvOpXE1Mq9MsGPmr8ThwF84QBOrGXQjp8ceUkDNekhgCQgkLy6yTE1rOL915x-2BjR2KMmk7tOOpDG5j9A2oWmKaFjNX7c-3DSl2A_zf6F8qk8KC9gvavchGXMu6UDLZaxClTGKSUc238Tq3vZMMm4rIacYYjuryPerleP5V7USSofg6mi6MEqMENHbXZjIsMTXjEC6Hw16MaI4uvq9DjJCCVxDvRFdVJPWki7oUCjYiuA7TxghQxHYMs-2Bww-2Fm1Fprl-2FKP2BazwhjoRuprsgKUthZ2QNdXfNkgO5nmR-2FcLAj7HLetpaqF5q7a78Q-3D-3D	Get hash	malicious	HTMLPhisher	Browse	52.85.151.98
	https://publuu.com/flip-book/307907/720507	Get hash	malicious	HTMLPhisher	Browse	99.84.216.16
	SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf	Get hash	malicious	Mirai	Browse	52.32.127.121
	bWZQRQVOya.elf	Get hash	malicious	Mirai, Moobot	Browse	18.181.13.127
	XiXfibRqWs.elf	Get hash	malicious	Mirai	Browse	54.247.62.1
	NNzDMQ4j.posh.ps1	Get hash	malicious	Metasploit	Browse	18.176.183.3
	WiwGPyCg.posh.ps1	Get hash	malicious	Metasploit	Browse	18.177.60.68
	pRTxEBSE.posh.ps1	Get hash	malicious	Metasploit	Browse	18.177.76.42

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.577235591194959
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	xdPdkPMD8u.exe
File size:	37'888 bytes
MD5:	1f4b7d2f534977627fa2a529013a5b58
SHA1:	88077cc48814bc2743ab721f4ae6a5a09724e6ee
SHA256:	dfe9486e22f4ff0d0c02ec2b0db5c50ee4e3b1c5309f0a39043640e19bada517
SHA512:	739d25226f323c141fbda2dbf5cf7f98787487be36621186b6815f147bd1e8c04dfc0cbc057a3f5bf83aa676f1c939a3e571f324142528dbc5e0a9ceeb207186
SSDEEP:	384:FuSvEiTbTvpWNcZ0y8fvCv3v3cLkacpjrAF+rMRTyN/0L+EcoinblneHQM3epzXz:4S7TZ38fvCv3E1c1rM+rMRa8NuUet
TLSH:	59032A4D7FE18168D5FD067B05B2D412077AE04B6E23D90E8EF664AA37636C18B50EF2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9.Ze................................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40abbe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x655A1439 [Sun Nov 19 13:57:13 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xab6c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x240	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8bc4	0x8c00	False	0.4635602678571429	data	5.608984899605422	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x240	0x400	False	0.3134765625	data	4.968771659524424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xc058	0x1e7	XML 1.0 document, ASCII text, with CRLF line terminators			0.5338809034907598

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.63.126.37.1849718107592033132 11/24/23-16:13:05.300630	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49718	10759	192.168.2.6	3.126.37.18
192.168.2.63.126.37.1849722107592814856 11/24/23-16:15:13.194642	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49722	10759	192.168.2.6	3.126.37.18
192.168.2.63.126.37.1849718107592825564 11/24/23-16:13:56.460259	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49718	10759	192.168.2.6	3.126.37.18
192.168.2.618.197.239.549721107592825564 11/24/23-16:14:49.393658	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49721	10759	192.168.2.6	18.197.239.5
192.168.2.618.192.93.8649709107592814860 11/24/23-16:13:00.582714	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49709	10759	192.168.2.6	18.192.93.86
192.168.2.618.197.239.549721107592825563 11/24/23-16:14:09.436462	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49721	10759	192.168.2.6	18.197.239.5
192.168.2.618.197.239.549721107592033132 11/24/23-16:14:09.256486	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49721	10759	192.168.2.6	18.197.239.5
192.168.2.618.197.239.549721107592814860 11/24/23-16:14:51.164181	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49721	10759	192.168.2.6	18.197.239.5
192.168.2.63.126.37.1849722107592825564 11/24/23-16:15:56.549651	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49722	10759	192.168.2.6	3.126.37.18
192.168.2.618.192.93.8649709107592814856 11/24/23-16:12:01.760226	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49709	10759	192.168.2.6	18.192.93.86
192.168.2.63.126.37.1849722107592825563 11/24/23-16:15:13.194642	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49722	10759	192.168.2.6	3.126.37.18
192.168.2.618.197.239.549721107592814856 11/24/23-16:14:09.436462	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49721	10759	192.168.2.6	18.197.239.5
192.168.2.63.126.37.1849718107592814856 11/24/23-16:13:05.487198	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49718	10759	192.168.2.6	3.126.37.18
192.168.2.618.192.93.8649709107592825564 11/24/23-16:13:00.582714	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49709	10759	192.168.2.6	18.192.93.86
192.168.2.618.192.93.8649709107592033132 11/24/23-16:12:01.576847	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49709	10759	192.168.2.6	18.192.93.86
192.168.2.618.192.93.8649709107592825563 11/24/23-16:12:01.760226	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49709	10759	192.168.2.6	18.192.93.86
192.168.2.63.126.37.1849722107592814860 11/24/23-16:15:57.286440	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49722	10759	192.168.2.6	3.126.37.18
192.168.2.63.126.37.1849718107592814860 11/24/23-16:13:56.460259	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49718	10759	192.168.2.6	3.126.37.18
192.168.2.63.126.37.1849722107592033132 11/24/23-16:15:13.011312	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49722	10759	192.168.2.6	3.126.37.18

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2023 16:12:01.291573048 CET	49709	10759	192.168.2.6	18.192.93.86
Nov 24, 2023 16:12:01.476730108 CET	10759	49709	18.192.93.86	192.168.2.6
Nov 24, 2023 16:12:01.476804018 CET	49709	10759	192.168.2.6	18.192.93.86
Nov 24, 2023 16:12:01.576847076 CET	49709	10759	192.168.2.6	18.192.93.86
Nov 24, 2023 16:12:01.760145903 CET	10759	49709	18.192.93.86	192.168.2.6
Nov 24, 2023 16:12:01.760226011 CET	49709	10759	192.168.2.6	18.192.93.86
Nov 24, 2023 16:12:01.943500996 CET	10759	49709	18.192.93.86	192.168.2.6
Nov 24, 2023 16:12:07.431555986 CET	49709	10759	192.168.2.6	18.192.93.86
Nov 24, 2023 16:12:07.614938974 CET	10759	49709	18.192.93.86	192.168.2.6
Nov 24, 2023 16:12:22.708616018 CET	10759	49709	18.192.93.86	192.168.2.6
Nov 24, 2023 16:12:22.708726883 CET	49709	10759	192.168.2.6	18.192.93.86
Nov 24, 2023 16:12:37.892636061 CET	10759	49709	18.192.93.86	192.168.2.6
Nov 24, 2023 16:12:37.892791033 CET	49709	10759	192.168.2.6	18.192.93.86
Nov 24, 2023 16:12:53.080646038 CET	10759	49709	18.192.93.86	192.168.2.6
Nov 24, 2023 16:12:53.080806971 CET	49709	10759	192.168.2.6	18.192.93.86
Nov 24, 2023 16:12:59.161017895 CET	49709	10759	192.168.2.6	18.192.93.86
Nov 24, 2023 16:12:59.344480991 CET	10759	49709	18.192.93.86	192.168.2.6
Nov 24, 2023 16:13:00.582714081 CET	49709	10759	192.168.2.6	18.192.93.86
Nov 24, 2023 16:13:00.766163111 CET	10759	49709	18.192.93.86	192.168.2.6
Nov 24, 2023 16:13:02.676112890 CET	10759	49709	18.192.93.86	192.168.2.6
Nov 24, 2023 16:13:02.676204920 CET	49709	10759	192.168.2.6	18.192.93.86
Nov 24, 2023 16:13:04.958550930 CET	49709	10759	192.168.2.6	18.192.93.86
Nov 24, 2023 16:13:05.107918978 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:05.142328978 CET	10759	49709	18.192.93.86	192.168.2.6
Nov 24, 2023 16:13:05.294492006 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:05.294614077 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:05.300630093 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:05.487104893 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:05.487198114 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:05.673639059 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:06.723203897 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:06.909702063 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:06.909859896 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:07.096249104 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:07.770040035 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:07.956500053 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:07.956566095 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:08.143142939 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:08.326354027 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:08.512862921 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:08.512974977 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:08.699595928 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:08.699722052 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:08.886147976 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:08.886241913 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:09.072802067 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:09.072887897 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:09.259371996 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:09.259485006 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:09.446831942 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:09.446994066 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:09.633495092 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:09.633673906 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:09.823419094 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:09.823580980 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:10.010212898 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:10.010348082 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:10.197004080 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:10.197249889 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:10.383733988 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:10.383857012 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:10.570379019 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:10.570602894 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:10.757055998 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:10.757265091 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:10.943730116 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:10.943867922 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:11.130964041 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:11.131135941 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:11.318819046 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:11.318933964 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:11.505637884 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:11.505744934 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:11.692279100 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:11.692437887 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:11.878906012 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:11.879273891 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:12.066077948 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:12.066173077 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:12.254960060 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:12.255114079 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:12.441931009 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:12.442203045 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:12.628755093 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:12.628958941 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:12.815498114 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:12.815702915 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:13.002147913 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:13.002341032 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:13.230673075 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:13.230837107 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:13.466697931 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:13.498670101 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:13.498766899 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:13.654079914 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:13.654186010 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:13.685127974 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:13.685189962 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:13.840631008 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:13.840810061 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:13.871546984 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:13.871653080 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:14.027285099 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:14.027416945 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:14.058027029 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:14.058119059 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:14.213844061 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:14.213994026 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:14.244630098 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:14.244685888 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:14.400392056 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:14.400505066 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:14.431113958 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:14.431181908 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:14.587078094 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:14.587176085 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:14.617816925 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:14.617903948 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:14.773761034 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:14.773957968 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:14.805587053 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:14.805641890 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:14.960659027 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:14.960858107 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:14.992070913 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:14.992211103 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:15.147403955 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:15.147525072 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:15.178809881 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:15.179085016 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:15.334084988 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:15.334297895 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:15.365602970 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:15.365700006 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:15.520831108 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:15.521069050 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:15.552145004 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:15.552314997 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:15.707575083 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:15.707688093 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:15.739594936 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:15.739666939 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:15.894399881 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:15.894498110 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:15.926160097 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:15.926223993 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:16.081013918 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:16.081120014 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:16.112723112 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:16.112891912 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:16.267744064 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:16.267910957 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:16.299379110 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:16.299601078 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:16.454473972 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:16.454607010 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:16.486043930 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:16.486134052 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:16.641169071 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:16.641388893 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:16.672522068 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:16.672630072 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:16.827867985 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:16.828017950 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:16.859034061 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:16.859123945 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:17.014501095 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:17.014616966 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:17.045567989 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:17.045864105 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:17.201172113 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:17.201376915 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:17.232212067 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:17.232302904 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:17.387856960 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:17.387989998 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:17.418831110 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:17.418941021 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:17.574454069 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:17.574635029 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:17.605485916 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:17.605679989 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:17.761153936 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:17.761384010 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:17.792159081 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:17.792376995 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:17.948224068 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:17.948385954 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:17.978879929 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:17.979047060 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:18.134918928 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:18.135075092 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:18.165472031 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:18.165539980 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:18.321508884 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:18.321609020 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:18.351963997 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:18.510951996 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:18.511153936 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:18.699048996 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:18.699162006 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:18.887418985 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:18.887484074 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:19.076417923 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:19.076533079 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:19.263138056 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:19.263338089 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:19.449990034 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:20.632078886 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:20.818567038 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:20.818661928 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:21.005095005 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:21.005213022 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:21.191757917 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:21.191952944 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:21.378382921 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:21.378520012 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:21.565045118 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:21.565356970 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:21.751946926 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:21.752171040 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:21.938884974 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:21.939024925 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:22.125641108 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:22.125788927 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:22.312333107 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:22.312578917 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:22.499074936 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:22.499196053 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:22.686475992 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:22.686749935 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:22.874443054 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:22.874631882 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:23.061368942 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:23.061562061 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:23.248218060 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:23.248527050 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:23.434968948 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:23.435077906 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:23.621520042 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:23.621663094 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:23.808301926 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:23.808387041 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:23.994821072 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:23.994991064 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:24.181514025 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:24.181736946 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:24.368206978 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:24.368366957 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:24.554970980 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:24.555140018 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:24.741677999 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:24.741815090 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:24.928291082 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:24.928504944 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:25.114967108 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:25.115056992 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:25.301543951 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:25.301726103 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:25.488234043 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:25.488415956 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:25.675049067 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:25.675199986 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:25.861745119 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:25.861857891 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:26.048377991 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:26.048505068 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:26.234983921 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:26.235081911 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:26.421564102 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:26.421648979 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:26.608252048 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:26.608403921 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:26.795088053 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:26.795228958 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:26.981714010 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:26.981794119 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:27.169836998 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:27.170011044 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:27.356571913 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:27.356667042 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:27.543126106 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:27.543225050 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:27.731117010 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:27.731220961 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:27.921464920 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:27.921571016 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:28.111444950 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:28.111519098 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:28.297962904 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:28.298120022 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:28.485375881 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:28.485505104 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:28.671960115 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:28.672035933 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:28.859452963 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:28.859591961 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:29.046010017 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:29.046235085 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:29.232865095 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:29.232935905 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:29.419595003 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:29.419743061 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:29.606364965 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:29.606473923 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:29.792989016 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:29.793093920 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:29.979799986 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:29.979964972 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:30.166639090 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:30.166790009 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:30.353338003 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:30.353439093 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:30.540524960 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:30.540914059 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:30.727466106 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:30.727633953 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:30.915438890 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:30.915555000 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:31.102052927 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:31.102174997 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:31.288702011 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:31.288831949 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:31.475878954 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:31.475960970 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:31.664494991 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:31.664726973 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:31.851640940 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:31.851763964 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:32.038676023 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:32.038775921 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:32.225353003 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:32.225512981 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:32.411998987 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:32.412085056 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:32.598599911 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:32.598694086 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:32.786984921 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:32.787060976 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:32.973527908 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:32.973664999 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:33.160167933 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:33.160280943 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:33.346867085 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:33.347029924 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:33.533574104 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:33.533734083 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:33.720413923 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:33.720552921 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:33.908970118 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:33.909126043 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:34.095592976 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:34.095706940 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:34.282191038 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:34.282272100 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:34.469674110 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:34.469795942 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:34.656332970 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:34.656430960 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:34.842945099 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:34.843039036 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:35.029692888 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:35.029819012 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:35.258840084 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:35.258980036 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:35.526763916 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:35.526864052 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:35.713793039 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:47.723784924 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:47.910219908 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:13:56.460258961 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:13:56.646872997 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:14:06.685956001 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:14:06.686022043 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:14:08.698332071 CET	49718	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:14:08.839617968 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:08.885643959 CET	10759	49718	3.126.37.18	192.168.2.6
Nov 24, 2023 16:14:09.019901037 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:09.020006895 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:09.256485939 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:09.436296940 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:09.436461926 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:09.619472980 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:13.785722971 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:13.965447903 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:29.165889025 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:29.165963888 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:34.519962072 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:34.699728966 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:35.770215988 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:35.950679064 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:39.832438946 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:40.012125969 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:40.012243986 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:40.191957951 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:40.832525015 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:41.012186050 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:41.012242079 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:41.191807032 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:41.215214968 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:41.397747040 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:41.397830009 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:41.577528000 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:41.589725018 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:41.769323111 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:41.769397974 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:41.949026108 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:41.970452070 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:42.150019884 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:42.150080919 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:42.329746008 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:43.502747059 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:43.682446957 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:43.714786053 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:43.894462109 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:43.894612074 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:44.074210882 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:44.074384928 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:44.253981113 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:44.254084110 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:44.433999062 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:44.434149981 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:44.613723993 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:44.613867044 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:44.793544054 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:44.793694973 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:44.973310947 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:44.973417044 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:45.153064013 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:45.153160095 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:45.333014965 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:45.333228111 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:45.513056040 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:45.513212919 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:45.692873955 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:45.693026066 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:45.874181986 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:45.874360085 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:46.053936958 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:46.054013014 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:46.233639956 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:46.233792067 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:46.413578987 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:46.413681030 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:46.593317986 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:46.593409061 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:46.773422956 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:46.773504972 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:46.953169107 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:46.953267097 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:47.132950068 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:47.133090973 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:47.312740088 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:47.312855005 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:47.533947945 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:47.534066916 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:47.794045925 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:47.794193029 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:47.973948002 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:47.974050999 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:48.153753042 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:48.153970003 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:48.333722115 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:48.333916903 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:48.513650894 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:48.513839960 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:48.693496943 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:48.693603992 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:48.873331070 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:48.873462915 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:49.173993111 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:49.213956118 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:49.214068890 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:49.353755951 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:49.353862047 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:49.393606901 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:49.393657923 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:49.533478022 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:49.533600092 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:49.573313951 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:49.573424101 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:49.713212967 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:49.713329077 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:49.753133059 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:49.753226995 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:49.892982006 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:49.893100977 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:49.932828903 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:49.932879925 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:50.072784901 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:50.072880030 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:50.112462997 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:50.252561092 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:50.252724886 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:50.432324886 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:50.432420015 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:50.612059116 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:50.612158060 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:50.791790009 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:50.791893005 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:51.160543919 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:51.164006948 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:14:51.164180994 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:14:51.343780994 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:15:06.538047075 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:15:06.538108110 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:15:10.674084902 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:15:10.674289942 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:15:12.676276922 CET	49721	10759	192.168.2.6	18.197.239.5
Nov 24, 2023 16:15:12.818769932 CET	49722	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:15:12.855918884 CET	10759	49721	18.197.239.5	192.168.2.6
Nov 24, 2023 16:15:13.002007008 CET	10759	49722	3.126.37.18	192.168.2.6
Nov 24, 2023 16:15:13.002221107 CET	49722	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:15:13.011312008 CET	49722	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:15:13.194571972 CET	10759	49722	3.126.37.18	192.168.2.6
Nov 24, 2023 16:15:13.194642067 CET	49722	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:15:13.378468037 CET	10759	49722	3.126.37.18	192.168.2.6
Nov 24, 2023 16:15:28.377998114 CET	10759	49722	3.126.37.18	192.168.2.6
Nov 24, 2023 16:15:28.378060102 CET	49722	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:15:28.879525900 CET	49722	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:15:29.062827110 CET	10759	49722	3.126.37.18	192.168.2.6
Nov 24, 2023 16:15:34.789910078 CET	49722	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:15:34.973201036 CET	10759	49722	3.126.37.18	192.168.2.6
Nov 24, 2023 16:15:50.090080976 CET	10759	49722	3.126.37.18	192.168.2.6
Nov 24, 2023 16:15:50.090176105 CET	49722	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:15:53.411487103 CET	49722	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:15:53.595354080 CET	10759	49722	3.126.37.18	192.168.2.6
Nov 24, 2023 16:15:53.879502058 CET	49722	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:15:54.062731981 CET	10759	49722	3.126.37.18	192.168.2.6
Nov 24, 2023 16:15:55.489115953 CET	49722	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:15:55.672398090 CET	10759	49722	3.126.37.18	192.168.2.6
Nov 24, 2023 16:15:55.672535896 CET	49722	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:15:55.857778072 CET	10759	49722	3.126.37.18	192.168.2.6
Nov 24, 2023 16:15:56.549650908 CET	49722	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:15:56.733010054 CET	10759	49722	3.126.37.18	192.168.2.6
Nov 24, 2023 16:15:56.733092070 CET	49722	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:15:56.916524887 CET	10759	49722	3.126.37.18	192.168.2.6
Nov 24, 2023 16:15:56.916788101 CET	49722	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:15:57.100435972 CET	10759	49722	3.126.37.18	192.168.2.6
Nov 24, 2023 16:15:57.100749969 CET	49722	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:15:57.286329985 CET	10759	49722	3.126.37.18	192.168.2.6
Nov 24, 2023 16:15:57.286439896 CET	49722	10759	192.168.2.6	3.126.37.18
Nov 24, 2023 16:15:57.471527100 CET	10759	49722	3.126.37.18	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2023 16:12:01.152734995 CET	50430	53	192.168.2.6	1.1.1.1
Nov 24, 2023 16:12:01.288690090 CET	53	50430	1.1.1.1	192.168.2.6
Nov 24, 2023 16:13:04.960685968 CET	58552	53	192.168.2.6	1.1.1.1
Nov 24, 2023 16:13:05.098140001 CET	53	58552	1.1.1.1	192.168.2.6
Nov 24, 2023 16:14:08.702658892 CET	57958	53	192.168.2.6	1.1.1.1
Nov 24, 2023 16:14:08.835743904 CET	53	57958	1.1.1.1	192.168.2.6
Nov 24, 2023 16:15:12.678206921 CET	57869	53	192.168.2.6	1.1.1.1
Nov 24, 2023 16:15:12.817239046 CET	53	57869	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2023 16:12:01.152734995 CET	192.168.2.6	1.1.1.1	0xe13b	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Nov 24, 2023 16:13:04.960685968 CET	192.168.2.6	1.1.1.1	0x8bab	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Nov 24, 2023 16:14:08.702658892 CET	192.168.2.6	1.1.1.1	0x6232	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Nov 24, 2023 16:15:12.678206921 CET	192.168.2.6	1.1.1.1	0x4d68	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 24, 2023 16:12:01.288690090 CET	1.1.1.1	192.168.2.6	0xe13b	No error (0)	2.tcp.eu.ngrok.io	18.192.93.86	A (IP address)	IN (0x0001)	false
Nov 24, 2023 16:13:05.098140001 CET	1.1.1.1	192.168.2.6	0x8bab	No error (0)	2.tcp.eu.ngrok.io	3.126.37.18	A (IP address)	IN (0x0001)	false
Nov 24, 2023 16:14:08.835743904 CET	1.1.1.1	192.168.2.6	0x6232	No error (0)	2.tcp.eu.ngrok.io	18.197.239.5	A (IP address)	IN (0x0001)	false
Nov 24, 2023 16:15:12.817239046 CET	1.1.1.1	192.168.2.6	0x4d68	No error (0)	2.tcp.eu.ngrok.io	3.126.37.18	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	16:11:51
Start date:	24/11/2023
Path:	C:\Users\user\Desktop\xdPdkPMD8u.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\xdPdkPMD8u.exe
Imagebase:	0xd20000
File size:	37'888 bytes
MD5 hash:	1F4B7D2F534977627FA2A529013A5B58
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.2078917135.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.2078917135.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.2078917135.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.4525404561.0000000003401000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	16:11:58
Start date:	24/11/2023
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\Desktop\xdPdkPMD8u.exe" "xdPdkPMD8u.exe" ENABLE
Imagebase:	0xa60000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:11:58
Start date:	24/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	16.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	13.6%
Total number of Nodes:	169
Total number of Limit Nodes:	7

Executed Functions

Function 0163169F Relevance: 5.7, Strings: 4, Instructions: 684
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@%l, xrefs: 01631DC0
L.Ll, xrefs: 0163170B
\OLl, xrefs: 01631CA4
:@%l, xrefs: 01631DAF

Memory Dump Source

Source File: 00000000.00000002.4525196835.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1630000_xdPdkPMD8u.jbxd

Similarity

API ID:
String ID: :@%l$:@%l$L.Ll$\OLl
API String ID: 0-3360997018
Opcode ID: 3848356400dc5ba1032b63bd2919e5793a89b5536f6b2e7ff0b379f5b238a884
Instruction ID: 528fc4060bcecf76a099786c6b81a9003865103e1d75023fc5b38885ef0e34e6
Opcode Fuzzy Hash: 3848356400dc5ba1032b63bd2919e5793a89b5536f6b2e7ff0b379f5b238a884
Instruction Fuzzy Hash: 6C32AC707002118BEB19DB78D950BAE77E6EBC9308F108029D506DB7D4DB79DC9ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0151B3C3 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0151B443

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: c7b36953c34c30a4f088b10a8bda3afa0cfbd3e39e1139c4c8b788de6b64952b
Instruction ID: 6979ea6d8082346e3ac81e4124625f95ef328aa73016bf28d98d84d7d066c1ca
Opcode Fuzzy Hash: c7b36953c34c30a4f088b10a8bda3afa0cfbd3e39e1139c4c8b788de6b64952b
Instruction Fuzzy Hash: 5021D176509380AFEB238F25DC44B52BFF4EF06310F0884DAE9848F563D2709908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0151BB2B Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0151BBA1

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 5d0990ec5855338ccb8a5b4426350383efb95607efa48cb0abad72e2e72cc0ac
Instruction ID: d4019376270d6af5ed93ae4ce950232561fc11fe20a53f7321a2a4440bda59c6
Opcode Fuzzy Hash: 5d0990ec5855338ccb8a5b4426350383efb95607efa48cb0abad72e2e72cc0ac
Instruction Fuzzy Hash: 8621AC764097C0AFDB238B20DC45A52FFB4FF16214F0984CBE9848F5A3D265A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0151B3FA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0151B443

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 50a1201d5d25728f7febc6739e9b8046c23ec70fb20cde2413620742a8fe6f39
Instruction ID: 7640cb02c8d25038554ee4818f21fdd584b1ad984c9fe014a983d9a86b0a859b
Opcode Fuzzy Hash: 50a1201d5d25728f7febc6739e9b8046c23ec70fb20cde2413620742a8fe6f39
Instruction Fuzzy Hash: 4011A0765002009FEB22CF55D885B66FBF4FF04220F08C8AAED858F666D3B1E418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0151B728 Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL ref: 0151B785

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 643d4387eaa944dd5f05f120338e9aa242b7b32da741f2b11c967ddec9bb2a54
Instruction ID: 45453a3733dda8493b5287bc47ea66038d36d4062c9f96e4df373266de4cffbf
Opcode Fuzzy Hash: 643d4387eaa944dd5f05f120338e9aa242b7b32da741f2b11c967ddec9bb2a54
Instruction Fuzzy Hash: 1111A075408380AFDB228F15DC45A62FFB4EF46220F0C849AED844B663C275A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0151B74A Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL ref: 0151B785

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 2b2ac7a49070a9e4099eb437dd701ae2978913da85284e7d6bb723f4dbffde37
Instruction ID: afdbfdbc4ab798a005fe2adca3ed29d903a31fd694c179463c714d3703757d66
Opcode Fuzzy Hash: 2b2ac7a49070a9e4099eb437dd701ae2978913da85284e7d6bb723f4dbffde37
Instruction Fuzzy Hash: 3401783A4002409FEB229F15D985B65FBF0FF48220F0CC49ADD494F666C375A418CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0151BB66 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0151BBA1

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 2b2ac7a49070a9e4099eb437dd701ae2978913da85284e7d6bb723f4dbffde37
Instruction ID: 9ab9aca54638ac78fee3174b151514d75a6de6cdd81882173d7cc5bc9cdec80c
Opcode Fuzzy Hash: 2b2ac7a49070a9e4099eb437dd701ae2978913da85284e7d6bb723f4dbffde37
Instruction Fuzzy Hash: F0017C394002449FEB228F05D985B65FBF0FF08220F08C89AED454BA6AD375A418CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01630F90 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01630FB7

Memory Dump Source

Source File: 00000000.00000002.4525196835.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1630000_xdPdkPMD8u.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a44fb810e1170a1eae9f875af7c7bdcb1179c258b80976633428f6a100df2aec
Instruction ID: d9a9516e534926b25e6804b4c78d6f4f9148838382e4295966a1d8927cf559b2
Opcode Fuzzy Hash: a44fb810e1170a1eae9f875af7c7bdcb1179c258b80976633428f6a100df2aec
Instruction Fuzzy Hash: F241BF31B002018FDB14DF39C8946AEB7E6EF89208B448479D909DB399DF39DD49CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 056A18FE Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNEL32(?,00000E24,?,?), ref: 056A19E2

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: e4159e1380f46ec38fe107b1c1bbc0e25d0713961891ec302838ac8b677d3402
Instruction ID: 84aac77d7e79ad6b8d18ae52809b653cd204ddc065b0938621c7cc3f71cc4694
Opcode Fuzzy Hash: e4159e1380f46ec38fe107b1c1bbc0e25d0713961891ec302838ac8b677d3402
Instruction Fuzzy Hash: 01416B6150E3C06FD7038B358C61AA2BFB8AF47210F0E84CBD8C4CF5A3D6246959C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01630F7F Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 01630FB7

Memory Dump Source

Source File: 00000000.00000002.4525196835.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1630000_xdPdkPMD8u.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 92ee80fe9cb686f8f1cd8ec7e7c45db85a634fd6ff623d47560bbe903ed0cca1
Instruction ID: 5a33d24dba58bb1b7728fdde3c84729e5442f76f9d4a264138637a3d77958e3c
Opcode Fuzzy Hash: 92ee80fe9cb686f8f1cd8ec7e7c45db85a634fd6ff623d47560bbe903ed0cca1
Instruction Fuzzy Hash: BD418231B002018FDB14DF39C8946AEBBE6AF85214B548479D809DF399DF39DD46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 056A04D6 Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 056A0595

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a8f17c93d7b536905c021cf93eeed730f74030bac856b183dfe908074f5ed234
Instruction ID: 8268cccc7f6cd7309160e823bfde832d4d1fb8ff4af34591aeb4b9557d95ab08
Opcode Fuzzy Hash: a8f17c93d7b536905c021cf93eeed730f74030bac856b183dfe908074f5ed234
Instruction Fuzzy Hash: 2C31A571504380AFE722CF65DC45FA2BFE8EF06314F08489AE9858B662D375E909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 056A29AA Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(?,00000E24), ref: 056A2A71

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6e59233f62af04a2a1ee8fbbb16c087c6867f35730ec4e43c5ddc319627b92d0
Instruction ID: 0e8f6aa338e328f251cf24359003f9401da28d64a8ab31300450e969d9e356a3
Opcode Fuzzy Hash: 6e59233f62af04a2a1ee8fbbb16c087c6867f35730ec4e43c5ddc319627b92d0
Instruction Fuzzy Hash: 5F318D76504344AFEB21CF21CC44FA7BFFCEF05210F08859AE9858B662E324E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 056A0A43 Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(?,00000E24,?,?), ref: 056A0B0A

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 884640c6b5a0e98276c5a795741649e80986139b813738033b283883fcddb8a5
Instruction ID: b77ed2051fb7fb7f05d53ed33bd43b9ed22340a5d177b68988d179619cf2d468
Opcode Fuzzy Hash: 884640c6b5a0e98276c5a795741649e80986139b813738033b283883fcddb8a5
Instruction Fuzzy Hash: D3319C6510E7C06FD3138B258C65A61BFB4EF47610F0E45CBD8C48F6A3D229A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 056A1670 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 056A1737

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: ebbbc94fb48333f27e93a299e944f9135c717621d5ba2742cad78c74745898c0
Instruction ID: ba7b44c383e2979f1080f05a5f2ec65dff9a6e43a75cb1e7113a840fcdf1c3a2
Opcode Fuzzy Hash: ebbbc94fb48333f27e93a299e944f9135c717621d5ba2742cad78c74745898c0
Instruction Fuzzy Hash: DF31BFB2504340AFEB21CB50CC85FA6FBBCEB04314F14499AFA489B692D375A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 056A1568 Relevance: 1.6, APIs: 1, Instructions: 91
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNEL32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 056A1605

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: a24f7b52bd9594ab37ddc0fdbcb22597db0c7988a56ae74a8ccb399253046739
Instruction ID: 2e56ec471ec3420fa4f9c0a5e9fad11a8ed9da26311723542efe4cfe5a6ecd8d
Opcode Fuzzy Hash: a24f7b52bd9594ab37ddc0fdbcb22597db0c7988a56ae74a8ccb399253046739
Instruction Fuzzy Hash: 5831E8725057806FDB128F60DC45F96BFB8EF06310F08849AE985CB163D3259909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 0151AB12 Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E24), ref: 0151ABBD

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ca594617447c9dcb2ce9bd987029265da5e2583b2da82435b91d288019090ddd
Instruction ID: b39a57ae6f1c72fa85bb041696a91d6306d59b4fea1218c36aa5416d71e45672
Opcode Fuzzy Hash: ca594617447c9dcb2ce9bd987029265da5e2583b2da82435b91d288019090ddd
Instruction Fuzzy Hash: B631B1B2544384AFE722CF15CC45FA7BFBCEF05210F08899AE9458B652D364E549CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0151A612 Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 0151A6B9

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 06b28745be54b97e688fe8c4a0cf5edd3a366067dee31c520d305fe829ee06d5
Instruction ID: 7e79803285da91dc94fefdac53d8d1428b8f7938b1e67ca129f149425f8a6895
Opcode Fuzzy Hash: 06b28745be54b97e688fe8c4a0cf5edd3a366067dee31c520d305fe829ee06d5
Instruction Fuzzy Hash: 853181B55093806FE712CB25CC45B96BFF8EF06210F08849AE984CF292D375A909C762

Uniqueness

Uniqueness Score: -1.00%

Function 056A0F5C Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 056A0FF3

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 835c97caa885d4328d764e1bb854f1a05be8d944b024a97e135d2924c9329bca
Instruction ID: a55a62a2c4c8b4338e212c46506c5070be6b4085eb560d3ef225137c983b4386
Opcode Fuzzy Hash: 835c97caa885d4328d764e1bb854f1a05be8d944b024a97e135d2924c9329bca
Instruction Fuzzy Hash: B4318E72504384AFEB218F64DC45FA6BFB8EF06210F08849AE945DB662D365A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 056A29D6 Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNEL32(?,00000E24), ref: 056A2A71

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5f0f3f1234fae4ddd7330e6b9d3379e594d995ef6aec0c79194b62915a5fa145
Instruction ID: e5d007905ac982cf290b546e34570d73eb92a0fe34ab90425ee58b5187aec95c
Opcode Fuzzy Hash: 5f0f3f1234fae4ddd7330e6b9d3379e594d995ef6aec0c79194b62915a5fa145
Instruction Fuzzy Hash: 0D219E76600604AEEB31CF15CC80FA7BBECEF08214F04895AEA46D7A51E724E909CF71

Uniqueness

Uniqueness Score: -1.00%

Function 0151A361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 0151A40C

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 625348af461b46107a194382913b4d2dd62feda1944448cfeb45432e7db7e793
Instruction ID: 8ea1f886082dc2f531bbfb8a467195730deea872d8ad7103856c68ee32266031
Opcode Fuzzy Hash: 625348af461b46107a194382913b4d2dd62feda1944448cfeb45432e7db7e793
Instruction Fuzzy Hash: 71314C75505780AFE722CF15CC84F96BFB8EF06610F08849AE9458B2A2D364E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0151B630 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNEL32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 0151B6C4

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 938ce88deb92fdf33164074e59f1823353f7bf8e39c0690c13179d0b89841d01
Instruction ID: 54acf49bc5a6a9f039382d97e8b84c05c23f00dfe6b7aebd07df006be19c143c
Opcode Fuzzy Hash: 938ce88deb92fdf33164074e59f1823353f7bf8e39c0690c13179d0b89841d01
Instruction Fuzzy Hash: 6E21E7725057806FE7128B20DC45B96BFB8EF06324F0884DBE984DF193D2649909C761

Uniqueness

Uniqueness Score: -1.00%

Function 056A2D18 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 056A2DAF

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: d9c85617a861910ded42e33311c5d2175d438841391a78b65c73aea83f5655c9
Instruction ID: f8eb8138060f75a13178f32b6e6dd012cb46444568a13a579ba0e9a26015fa0e
Opcode Fuzzy Hash: d9c85617a861910ded42e33311c5d2175d438841391a78b65c73aea83f5655c9
Instruction Fuzzy Hash: C721D7765097C06FD713CB20CC55B96BFB8AF46214F0884DAE9448F153D2259909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 056A1692 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 056A1737

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 6ff74cfbc8f41bfe028bdaeb5ea2a3f427bbcb479d624a9a35bc929d176f13c7
Instruction ID: ca73f37a507c43337a79bda042aa42b9fbe43ccbbdbac30447a448a2d4a300aa
Opcode Fuzzy Hash: 6ff74cfbc8f41bfe028bdaeb5ea2a3f427bbcb479d624a9a35bc929d176f13c7
Instruction Fuzzy Hash: 8B21D1B2100200AEFB21DF10CC85FAAF7ACEF04314F14885AFA489B691D775E949CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 056A2C49 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 056A2CD8

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: d12fdaa5bdf0434dc27dcb68cc6eb9aa7d1ead447499e6a17c17b060f7ebda29
Instruction ID: 41649ded8fec0f3a9ffff223967b063d7dfa1cf7cc88437a716721ae828a90cb
Opcode Fuzzy Hash: d12fdaa5bdf0434dc27dcb68cc6eb9aa7d1ead447499e6a17c17b060f7ebda29
Instruction Fuzzy Hash: BC216D755083809FDB22CF25DC54B62BFF8EF06210F0984DAE985CB663D225E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 056A05EC Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 056A0681

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ca93621fdbe52dc30d515c6a25a216054143a7f63ee6779aeb86ae755254a82f
Instruction ID: 68bdca8d1527aa931044b440415fa3a04c725e2226422d0ef8cb1989b07b12b8
Opcode Fuzzy Hash: ca93621fdbe52dc30d515c6a25a216054143a7f63ee6779aeb86ae755254a82f
Instruction Fuzzy Hash: 81212FB55097806FD7128F21DC45BA2BFBCEF47724F0984D6ED808B263D2645909C771

Uniqueness

Uniqueness Score: -1.00%

Function 0151A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 0151A4F8

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 07554375c7aadd586293f7c94109d801f2c6ef163b1b8ec269039b7331c067b9
Instruction ID: 8d583cb7405c7d7a5887dd8ec6742f1ec6d295696a6caac47dee892961965ec7
Opcode Fuzzy Hash: 07554375c7aadd586293f7c94109d801f2c6ef163b1b8ec269039b7331c067b9
Instruction Fuzzy Hash: 2A2192B65053806FEB228F15DC44F67BFBCEF45210F08849AE945CB662D364E508C771

Uniqueness

Uniqueness Score: -1.00%

Function 056A0B36 Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 056A0BC2

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 53689136b1605defbf5c8e41211299ee8e07c8b35e420ba50e8f923098274647
Instruction ID: 4184dad261717656f4b21440ff944e3100fa34c561585242d3c7e6c4adb3e0ea
Opcode Fuzzy Hash: 53689136b1605defbf5c8e41211299ee8e07c8b35e420ba50e8f923098274647
Instruction Fuzzy Hash: 04219E71409380AFE721CF51CC45F96FFF8EF05220F08889AE9858B662D375A818CB72

Uniqueness

Uniqueness Score: -1.00%

Function 056A1112 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 056A11A6

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: c0154a32fd4b4be49471319ce0bfca68a5c22926659eeb0dc4fb5455e20f589f
Instruction ID: 0aed321697f65ff2361e1f287c9b2127436e5b29fd69c16937545a0f746e63f0
Opcode Fuzzy Hash: c0154a32fd4b4be49471319ce0bfca68a5c22926659eeb0dc4fb5455e20f589f
Instruction Fuzzy Hash: 8621A271504340AFE721CF55CC44F96FFF8EF09214F04449AE9848B652D375A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 056A0E6A Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 056A0F08

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f7eb10cd27d13c5d870921228a9799a58f9e970c1d505fa8ef9e49ab570a91c2
Instruction ID: 71505f841e0855c788613f5b9c1c02fabcc3d104ac361df9f8821939681c3779
Opcode Fuzzy Hash: f7eb10cd27d13c5d870921228a9799a58f9e970c1d505fa8ef9e49ab570a91c2
Instruction Fuzzy Hash: 5D217F76509784AFE721CF11CC44F67FFF8AF45220F08849AE9459B6A2D364E908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 056A0516 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 056A0595

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 265619b9b5415e7e9a16e48d021a4890482a833cac9bffc2a6e6c5a184619533
Instruction ID: e61418346b44a1e2693f464ad125aac44aff4c2f33857666fd71c5615357a689
Opcode Fuzzy Hash: 265619b9b5415e7e9a16e48d021a4890482a833cac9bffc2a6e6c5a184619533
Instruction Fuzzy Hash: A921A176500240AFEB21CF65CD85F66FBE8EF08224F088859ED458B751E771E809DB72

Uniqueness

Uniqueness Score: -1.00%

Function 056A0F82 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 056A0FF3

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 699d07802cbc0d408ad6cccf2251f9f132d2d153837af9fc74f1627dd42b1f72
Instruction ID: 9d5382c7556bbcd2b6d024382ee6bce4cf0b9ef745dbcf94db4ba338a3596579
Opcode Fuzzy Hash: 699d07802cbc0d408ad6cccf2251f9f132d2d153837af9fc74f1627dd42b1f72
Instruction Fuzzy Hash: 4B21F272500200AFEB20CF24CC85FAABBACEF04210F08845AED05DB751D774E909CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0151AB3E Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E24), ref: 0151ABBD

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b26c0aba1ec5c80ced96abd1eedba45e568ab8c740a90d9a8681112af3dd9836
Instruction ID: 17f61905da622e6067e364c663e6a5c19b96aae0d5a59704c70e65ee46eca252
Opcode Fuzzy Hash: b26c0aba1ec5c80ced96abd1eedba45e568ab8c740a90d9a8681112af3dd9836
Instruction Fuzzy Hash: 1A21D4B2500244AEFB22DF15CC45FABFBECFF04214F08885AE9058B656D334E548CA72

Uniqueness

Uniqueness Score: -1.00%

Function 056A2E17 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 056A2E93

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 605db306ae2499556ff47093b6c9960271e4c0ba9d72967c9586148f961b82bc
Instruction ID: 8a686542f46cde57427bb595905102c7fad8532d327ffa4a4038a38e49df1c6a
Opcode Fuzzy Hash: 605db306ae2499556ff47093b6c9960271e4c0ba9d72967c9586148f961b82bc
Instruction Fuzzy Hash: ED21C2725053806FDB11CF11CC45FA6BFACEF45210F08849AE944DB252D374A948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0151A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 0151A6B9

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 7bed7e61ef0634153d396308c56c3904219e4f4109ea4ead7556865b569b3625
Instruction ID: fa25e4960c19987b266a4492d88970649122b663718eb22b085b107cc2436b4c
Opcode Fuzzy Hash: 7bed7e61ef0634153d396308c56c3904219e4f4109ea4ead7556865b569b3625
Instruction Fuzzy Hash: C021C1756012409FF712CF25CD85B9AFBE8EF04210F048869E9448F655E771E509CA71

Uniqueness

Uniqueness Score: -1.00%

Function 056A13A9 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 056A142C

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 5aff1f670d07c82307bd8e5ba3491c23f3489a5d30d4c118441866782ff0f964
Instruction ID: 9d5a7b29f85a6cc2a6fae8cfba31b61b7bb059ec71046145cff47e5a5d993d11
Opcode Fuzzy Hash: 5aff1f670d07c82307bd8e5ba3491c23f3489a5d30d4c118441866782ff0f964
Instruction Fuzzy Hash: 762183B15093846FDB128B14DC45F56BFB8EF46214F0885DAE9849F252D368A548CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0151B1AF Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0151B226

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: ce6d9aac4855014462acc7577d44df39a655031fa24fafedf17a797ef98e4cec
Instruction ID: 51ebcdb7107c470857c1a78fae8341bb077929660a2af57d0c91eafdafefd514
Opcode Fuzzy Hash: ce6d9aac4855014462acc7577d44df39a655031fa24fafedf17a797ef98e4cec
Instruction Fuzzy Hash: 102181715093805FEB12CF29CC54BA6BFF8EF06610F0884DAED85DF252D265E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 056A08CE Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 056A094D

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a9dc0be067c832be3410907512e98635d7c6c61fb7a90a8729a31f24c817c79b
Instruction ID: c28fbb29421cf2758a46f5e8a38efbd8ccc6821cbba236580fdd8f42f160fa6d
Opcode Fuzzy Hash: a9dc0be067c832be3410907512e98635d7c6c61fb7a90a8729a31f24c817c79b
Instruction Fuzzy Hash: DC219272405340AFDB22CF51DC44F97FFB8EF45320F08849AE9449B662D275A508CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0151A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 0151A40C

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bc642c3d4df1d1186a6a52ed0a7d3c49d3bb58b319b92e5a4cd25db0b0810210
Instruction ID: dff8366c83577eb36f0d1a478b93b6b4d019a51073b1db5a67336209c3577127
Opcode Fuzzy Hash: bc642c3d4df1d1186a6a52ed0a7d3c49d3bb58b319b92e5a4cd25db0b0810210
Instruction Fuzzy Hash: 00219075601644AFFB22CF15CC84FA6FBECEF04610F08845AE945CB656D3B4E949CA71

Uniqueness

Uniqueness Score: -1.00%

Function 056A2B83 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 056A2BFF

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: a0e19a7e384d28ba89419d84c3aaf631d47cb1b150caed9a45b86effebf36622
Instruction ID: b891d1295cf4242ced32733da5de137c5af2a0df384a8a4e6be6a5f4bbd5e1be
Opcode Fuzzy Hash: a0e19a7e384d28ba89419d84c3aaf631d47cb1b150caed9a45b86effebf36622
Instruction Fuzzy Hash: 6621A4764093846FDB11CF10CC45F96FFB8EF45210F08849AE9459B652D374A508CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0151A710 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,6972C739,00000000,?,?,?,?,?,?,?,?,6CD53C58), ref: 0151A780

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 23cee5b1345a4758e99a9ecf18e6ee364761b638b8917db7ed897b593bd6fc04
Instruction ID: fe88515c15eece3624f6457eb9c7b526a9e062cd09f00501787bc0d871cf5bf2
Opcode Fuzzy Hash: 23cee5b1345a4758e99a9ecf18e6ee364761b638b8917db7ed897b593bd6fc04
Instruction Fuzzy Hash: F821D2B54093809FDB128F25DD85752BFB8EF02220F0984EBEC858F253D2359909DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0151B490 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,6972C739,00000000,?,?,?,?,?,?,?,?,6CD53C58), ref: 0151B4FC

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4b31ca80f16fe3b125b05c8c87b029bec9a1538d195642efd0ea53eb8ec3d23e
Instruction ID: 54826ff9f7a2bc1f5105d2b514f725e9cc87b76839df58d33daa264dd080cb8c
Opcode Fuzzy Hash: 4b31ca80f16fe3b125b05c8c87b029bec9a1538d195642efd0ea53eb8ec3d23e
Instruction Fuzzy Hash: 6A21A1725093C05FDB038B25DC55B92BFB4AF07324F0984DAEC858F663D2649908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0151AA52 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,?,6972C739,00000000,?,?,?,?,?,?,?,?,6CD53C58), ref: 0151AAC3

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 85535d2ff3c15eeebe1af52ac1360fc01b1af42c6e496f90c7a52a8fa74e1ce4
Instruction ID: 3793924b5bb5b03c8e893767f705aefeeafd8ee7c06aca4da1cb0e3c50c8482c
Opcode Fuzzy Hash: 85535d2ff3c15eeebe1af52ac1360fc01b1af42c6e496f90c7a52a8fa74e1ce4
Instruction Fuzzy Hash: F121A1755093C05FEB128B25DC95796BFF8AF07210F0984DAD884CF263D2659849CB61

Uniqueness

Uniqueness Score: -1.00%

Function 056A1842 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 056A18BE

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 3c11dd5ecdc6d67c17fbe6024aeef9d7ed2ed9c45dd6325e6e0d3a47aaf68dd0
Instruction ID: da93db29f9361d1935f0ad4958ffab372bd61d94fda6f78e392ff506c2e6c7bc
Opcode Fuzzy Hash: 3c11dd5ecdc6d67c17fbe6024aeef9d7ed2ed9c45dd6325e6e0d3a47aaf68dd0
Instruction Fuzzy Hash: FE216F76408380AFDB228F55DC44B62BFF8EF06310F0985DAED858B663D375A819DB61

Uniqueness

Uniqueness Score: -1.00%

Function 056A0B56 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 056A0BC2

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: a53d03ee9f94522ca3a39de08c0c5b548a6d6f1495f936d8420fe3f86d7d59b3
Instruction ID: b8bac8c778b59047fd9682980f4ca0b7df2d3526bf4159be7e418b84489ee540
Opcode Fuzzy Hash: a53d03ee9f94522ca3a39de08c0c5b548a6d6f1495f936d8420fe3f86d7d59b3
Instruction Fuzzy Hash: 2E21C276504200AFEB21CF51CD85F66FBE8EF08324F04889AE9458B652D376A419CB72

Uniqueness

Uniqueness Score: -1.00%

Function 056A1132 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 056A11A6

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 78284f0b3e441c49552ede562e2dca66324eccf1997e7cb9d457b85a89d386d9
Instruction ID: dfd762ddc9307c417f8ab43810cb90ebaee23f00c5ccbd3559a3d90b1f592551
Opcode Fuzzy Hash: 78284f0b3e441c49552ede562e2dca66324eccf1997e7cb9d457b85a89d386d9
Instruction Fuzzy Hash: 3C21D176500204AFEB21CF55CC85FA6FBECEF09224F048459E9458B751E375E909CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 056A1BFE Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000E24), ref: 056A1C87

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b9da1054a33b76939809796e22c134e5e1497f5173831240871b5fa278977e2d
Instruction ID: 1651349108c9ed4a47b79ac54a6d01edf87ed8afc1372228ee702f5813bf98ec
Opcode Fuzzy Hash: b9da1054a33b76939809796e22c134e5e1497f5173831240871b5fa278977e2d
Instruction Fuzzy Hash: F111E4715083406FE721CB11CC85FA6FFBCDF45320F08809AF9448B692D378A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0151A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 0151A4F8

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7fd3fc695226ba5a7ba7dd7882086a59ddd596f387d9ef19c0f32a132305b1a8
Instruction ID: 9010c19ecc78ee69e1acdaef0daec3670061686d6fb06dd33f9ad061e0ccbc22
Opcode Fuzzy Hash: 7fd3fc695226ba5a7ba7dd7882086a59ddd596f387d9ef19c0f32a132305b1a8
Instruction Fuzzy Hash: 28118476500640AFFB228F15DC45F67BBECEF04614F04845AED458B655D374E508CA72

Uniqueness

Uniqueness Score: -1.00%

Function 056A0E96 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 056A0F08

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 09267498c6b375baabc8b19c5ee16fc67d0af167efc683cbea20b60f43441b71
Instruction ID: f24fdee9c94074eeb1a89262c3e210c1e30d892d753299bb8c2277dcc28768ee
Opcode Fuzzy Hash: 09267498c6b375baabc8b19c5ee16fc67d0af167efc683cbea20b60f43441b71
Instruction Fuzzy Hash: EC11AF76500204AFEB21CF11CC85FA6F7ECEF08624F08845AED459BB52D360E908CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 056A15A6 Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 056A1605

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 3d8ae84b514f5ac4db335952b347f1ccce72e9895714076dbdb107bfdb61d08e
Instruction ID: 9aa4d5f6ae955af7e500341bb7097f63ad3c7dce26d7c3de72b5272f2760cef0
Opcode Fuzzy Hash: 3d8ae84b514f5ac4db335952b347f1ccce72e9895714076dbdb107bfdb61d08e
Instruction Fuzzy Hash: F811D376500200AFEB21CF51DC85FA6BBA8EF44324F08845AE945CB651D374E859DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 056A2D56 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 056A2DAF

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: e7507cf6c1eb26cd1e184ccf71d5b1fb944505662aabd0030b9f6755cc00bd84
Instruction ID: 7a57908f4c69a359b6e22adcfbb86bc2fe73da2058cb6df2deb6825d9a13994e
Opcode Fuzzy Hash: e7507cf6c1eb26cd1e184ccf71d5b1fb944505662aabd0030b9f6755cc00bd84
Instruction Fuzzy Hash: 1B11C476500240AFEB11DF15DC85FA6BBACEF04324F08846AED45CB651D774E909CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 056A2E3A Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 056A2E93

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: e7507cf6c1eb26cd1e184ccf71d5b1fb944505662aabd0030b9f6755cc00bd84
Instruction ID: 69310b0479dabeb6d0f20d86d759705cc7500585b805fe7f654d9dcb469ea633
Opcode Fuzzy Hash: e7507cf6c1eb26cd1e184ccf71d5b1fb944505662aabd0030b9f6755cc00bd84
Instruction Fuzzy Hash: 1311E276500200AFEB11CF10CC85BAAB7ECEF44324F08846AED04CB651D374A949CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0151BBE0 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0151BC52

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4d26088ea1fab4411c4d9a96286d4fa187f6e912929b6ae5b4895c594f54f65b
Instruction ID: dbdd7f4091c661c555e9f0379d56e902205ff14b04a2d1f6e4d09b37ae9e05d8
Opcode Fuzzy Hash: 4d26088ea1fab4411c4d9a96286d4fa187f6e912929b6ae5b4895c594f54f65b
Instruction Fuzzy Hash: 61219371409380AFDB228F55DC44A56FFF4EF4A220F0988DAE9858F162C375A819CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0151B66E Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNEL32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 0151B6C4

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 727d82a3151fb5ffa8d1188f637d6144275b139863198a74ab5a834b63b44924
Instruction ID: 87fbbccc6d61b787298b6459cb168e14007e35695ab678f8efb132a482dc21db
Opcode Fuzzy Hash: 727d82a3151fb5ffa8d1188f637d6144275b139863198a74ab5a834b63b44924
Instruction Fuzzy Hash: 5211A375600204AFEB12CF15DC85BAAB7ECEF44224F0888AAED05DF655D774E508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0151BA80 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,6972C739,00000000,?,?,?,?,?,?,?,?,6CD53C58), ref: 0151BAE2

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 371def722d6c261d89b61102e7c65d723d5045714c90327aace065164b1cb727
Instruction ID: 85d7d1501de86f287b3640ad368da50db3af414f116428944ab176c6ae3030a2
Opcode Fuzzy Hash: 371def722d6c261d89b61102e7c65d723d5045714c90327aace065164b1cb727
Instruction Fuzzy Hash: 8F117F755053809FDB22CF65DC85B56BFF8EF05220F0984AAE945CF662D274A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 056A08EE Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 056A094D

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 14d5fd3cb2d9c5009f5b62c86d186403c2492bdf1305efaab70c545c7332fcc8
Instruction ID: 4e78d4f05a07f5b26041c763f762847c67f53bb68b6ef6de05201479279fb2ea
Opcode Fuzzy Hash: 14d5fd3cb2d9c5009f5b62c86d186403c2492bdf1305efaab70c545c7332fcc8
Instruction Fuzzy Hash: 8311C176500200AFEB21CF51DC85FA6FBECEF48324F08885AED459B661D375A509CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 056A2BA6 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 056A2BFF

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 5ce7cc061365125f0df5e991ad36d0038a6dc8437086be8daa01b841b8e648dc
Instruction ID: dec305affde107eb954dcd809c794499d7bba80e26f2a44515e6997bcd96346b
Opcode Fuzzy Hash: 5ce7cc061365125f0df5e991ad36d0038a6dc8437086be8daa01b841b8e648dc
Instruction Fuzzy Hash: A211E37A500200AFEB21CF10CC85FA6FBACEF04324F08885AED059B651D374A909CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 0151A9B5 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,6972C739,00000000,?,?,?,?,?,?,?,?,6CD53C58), ref: 0151AA14

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 232e428b56d0566720bdf3d8c9eea81b896e92ce0f3523cda8ea4d7c9e3009cd
Instruction ID: 6c1e4b5450802593449ec077256c6f580ca3c03ed0155583662fabe70f1a7bf8
Opcode Fuzzy Hash: 232e428b56d0566720bdf3d8c9eea81b896e92ce0f3523cda8ea4d7c9e3009cd
Instruction Fuzzy Hash: 2F1130714093C06FDB138F25DD45B96BFB4EF46220F0984DAED848F263D275A948DB61

Uniqueness

Uniqueness Score: -1.00%

Function 056A13D6 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 056A142C

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: e7a8465377c3da0224608964b0baf11b96eea33f23d21088413a6d615aa9fd8a
Instruction ID: 09a0b5a60693e6eb49b2e2055c11f55b1912d97b163365c07475cd83a7a7df2e
Opcode Fuzzy Hash: e7a8465377c3da0224608964b0baf11b96eea33f23d21088413a6d615aa9fd8a
Instruction Fuzzy Hash: B411C276500204AFEB11CF15DC85FA6BBACEF45724F088496ED449F751D374A909CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0151A2D2 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,6972C739,00000000,?,?,?,?,?,?,?,?,6CD53C58), ref: 0151A330

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: f45ea80f8aeff3d13c19eb4fe0042a68339841869fed3637c3995659a8c1cd61
Instruction ID: caec3022185be0c2e0d4cbc208adf1c5f127ade1a9de934ecea7959d592cc1c1
Opcode Fuzzy Hash: f45ea80f8aeff3d13c19eb4fe0042a68339841869fed3637c3995659a8c1cd61
Instruction Fuzzy Hash: 77116D7540A3C06FEB138B159C54B62BFB4AF47220F0880CAED848F263C265A918D772

Uniqueness

Uniqueness Score: -1.00%

Function 056A1C1E Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000E24), ref: 056A1C87

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 43c98e3e6623a5860354fde22f983971577fb1e22d862b09bb95c95d2e2490c0
Instruction ID: 4ac01095a124ff27d05fbc6701fdaaa12c837472ccb45d6668e7354b2599381a
Opcode Fuzzy Hash: 43c98e3e6623a5860354fde22f983971577fb1e22d862b09bb95c95d2e2490c0
Instruction Fuzzy Hash: 2811E576504200AEFB20CF11DD85FB6F7ACDF05724F148499ED058B792D3B9A909CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 056A2C82 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 056A2CD8

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 7e2fbd33f41e315ed6e56e18367d0eb7ff81b75cee54816bbff0cfe41e011240
Instruction ID: 983769583512bc0f7612e3b27f1ddd1ac19f4128ef4046f278ea6cf7d7609ed0
Opcode Fuzzy Hash: 7e2fbd33f41e315ed6e56e18367d0eb7ff81b75cee54816bbff0cfe41e011240
Instruction Fuzzy Hash: C711287A5442409FEB60CF55D884BA6FBE8EF04610F0884AADD4ACB762D335E949CF71

Uniqueness

Uniqueness Score: -1.00%

Function 0151A078 Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0151A0D5

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: c74557831ebcd74893dacfddaf8011caad804ded8650a862714ca9cfd8579520
Instruction ID: 0a26cf02a74ac2050900a1de7fc29737fc673ec269d10e21836187b81fbd3780
Opcode Fuzzy Hash: c74557831ebcd74893dacfddaf8011caad804ded8650a862714ca9cfd8579520
Instruction Fuzzy Hash: 33119175409380AFDB22CF15DD44B56FFB4EF46224F0888DAED848F663C275A918DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0151B1DE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0151B226

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 3717ce79c0528c7ac76abce04f3db6ff5c59dc820897832789d9a6d82520ab99
Instruction ID: bd5ef41c02cb6f6ffb6399a02a2076489e5c84b48c6707e6800a4cbb3d7cd453
Opcode Fuzzy Hash: 3717ce79c0528c7ac76abce04f3db6ff5c59dc820897832789d9a6d82520ab99
Instruction Fuzzy Hash: D51182755002409FEB11CF19D885B9AFBE8EF04710F0884AADD55CF756D274E408CA61

Uniqueness

Uniqueness Score: -1.00%

Function 056A062E Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E24,6972C739,00000000,00000000,00000000,00000000), ref: 056A0681

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 317fa0b3e6fdbbe8c898f14e30ea65a420e915a0e6a074156a067fc44b963b30
Instruction ID: bec272832489989e4a9b9ecfd4d05ca9ff09231e0421c397d85933c4886faa64
Opcode Fuzzy Hash: 317fa0b3e6fdbbe8c898f14e30ea65a420e915a0e6a074156a067fc44b963b30
Instruction Fuzzy Hash: AC01D676500200AEEB20CF12DC89FA6F7ACDF84728F088096ED048B751D374E948CEB6

Uniqueness

Uniqueness Score: -1.00%

Function 0151A918 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 0151A96F

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: 494d340ae0045f90614ac945cefa204762a1888b50c60dfb4f593e7640f9fa61
Instruction ID: 1ea8fa6ae5fd0b83010a00da1b21dcebb20bed50e91da88bde66ef8705a9d3b9
Opcode Fuzzy Hash: 494d340ae0045f90614ac945cefa204762a1888b50c60dfb4f593e7640f9fa61
Instruction Fuzzy Hash: 1211A075409380AFDB12CF15DC85B56FFB4EF46220F0984DAED848F263D275A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0151BAA2 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,6972C739,00000000,?,?,?,?,?,?,?,?,6CD53C58), ref: 0151BAE2

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 5a4875138c4c85690c11c6b03ee9960d8a06ee4bcc9d1b773843d395a5742dc5
Instruction ID: c0d02a34460f494476f58cb60904133e3d500dc09b4d2106654b25bc68c86b56
Opcode Fuzzy Hash: 5a4875138c4c85690c11c6b03ee9960d8a06ee4bcc9d1b773843d395a5742dc5
Instruction Fuzzy Hash: 821161765002449FEB21CF19D885B6AFBE4FF04221F0884AADD49CF656D375E458CF61

Uniqueness

Uniqueness Score: -1.00%

Function 056A1872 Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 056A18BE

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: ebbf64e5d1b43fc3a0dcf9a50cf41f2d15945bc552f91598bca8d449b34dd05d
Instruction ID: 0a060973f74c47d017dc7d5827ebb5bc5abaa80f82293038076113e7734870d9
Opcode Fuzzy Hash: ebbf64e5d1b43fc3a0dcf9a50cf41f2d15945bc552f91598bca8d449b34dd05d
Instruction Fuzzy Hash: 55118E365003409FEB61CF55D884B66FBE5FF09310F0889AAED858BA62D371E819DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0151AA86 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,?,6972C739,00000000,?,?,?,?,?,?,?,?,6CD53C58), ref: 0151AAC3

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 50be6a5db49ef940693af169b8d4da690aa11aa649dd0b1265dd547aa5bbafd5
Instruction ID: 0717f905d147e6015928e9a4ff6272818c8f75cdc66706eddc0f555fe1f0cf5a
Opcode Fuzzy Hash: 50be6a5db49ef940693af169b8d4da690aa11aa649dd0b1265dd547aa5bbafd5
Instruction Fuzzy Hash: 770192765012809FEB12CF19D98576AFBE8EF04220F0888AADD45CF756D374E848CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 056A1992 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNEL32(?,00000E24,?,?), ref: 056A19E2

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: ca87c4ae47a227109d8cc0518740ff43a31dfa493326bafdad1df3c2a674ab83
Instruction ID: ebff6ea6a2dfe464bee4bcb35dd427f1ec777b53c7807c916d8481afce54a5a6
Opcode Fuzzy Hash: ca87c4ae47a227109d8cc0518740ff43a31dfa493326bafdad1df3c2a674ab83
Instruction Fuzzy Hash: 1A01B171600200AFD310DF16CC46B76FBE8EB88A20F14816AEC089B741D731F916CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0151BC0E Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0151BC52

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6dd031cd4f20b68f2bba2da2ff0636f70f8c6c4bf7861e6cb8c13b2eb0fb272d
Instruction ID: 857425fb32871ca047bdde5b474d5fe590aafb0dddaf4ec5b89a305110f1c63c
Opcode Fuzzy Hash: 6dd031cd4f20b68f2bba2da2ff0636f70f8c6c4bf7861e6cb8c13b2eb0fb272d
Instruction Fuzzy Hash: C501A1364002409FEB228F55D885B56FBF0FF08314F08889ADD454F666C331E418DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0151B4CA Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,6972C739,00000000,?,?,?,?,?,?,?,?,6CD53C58), ref: 0151B4FC

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2543dfee97ee24ef2f1ff2dad25ce5e7a063237abeb0dede6bfc72e4f059dadc
Instruction ID: 779a53e3375dfa3940c4346576b2efb557d93c467d02dd8b8bea17be0b5e34b3
Opcode Fuzzy Hash: 2543dfee97ee24ef2f1ff2dad25ce5e7a063237abeb0dede6bfc72e4f059dadc
Instruction Fuzzy Hash: BF01DF765002408FEB11CF19E885B56FBE4EF04320F08C4AADC498F766D274E408CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0151A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,6972C739,00000000,?,?,?,?,?,?,?,?,6CD53C58), ref: 0151A780

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bde4d0934cbfd1999335abd81aaa0511bb7894777370dbaff5066f4fa8f5082e
Instruction ID: 6ab705c9d1e6b48c1d0334d63c3bec105b1743e23dbdd9461880a7b3fc43f00f
Opcode Fuzzy Hash: bde4d0934cbfd1999335abd81aaa0511bb7894777370dbaff5066f4fa8f5082e
Instruction Fuzzy Hash: 0F018F755012809FEB128F59D985766FBE4EF04220F08C8ABDD4A8F756D375E508CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 056A0ABA Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,?,?), ref: 056A0B0A

Memory Dump Source

Source File: 00000000.00000002.4526953476.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_xdPdkPMD8u.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5d18b110b103aa19b440080848da6782f850ca278988ee6d360d34cdb97c317e
Instruction ID: 1e8c672a94cdd38ff7faac5997372b384d431e08bfe3af11d72b89d666a102fe
Opcode Fuzzy Hash: 5d18b110b103aa19b440080848da6782f850ca278988ee6d360d34cdb97c317e
Instruction Fuzzy Hash: F8016271600600ABD210DF16DD46B76FBE8FB88A20F14815AED089BB41D775F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0151A09A Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0151A0D5

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: fe6d5e08d3a65d88167739d711b9f4c571fb27354e6d862e0dfd1f59c417117b
Instruction ID: bf248b2e1edbbb2472427e364708434b7c5e763a1e2c53482ccf15ea3f56712a
Opcode Fuzzy Hash: fe6d5e08d3a65d88167739d711b9f4c571fb27354e6d862e0dfd1f59c417117b
Instruction Fuzzy Hash: 11019E754002809FEB22CF55D985B55FBE4FF04224F08889ADD498F656D375E418CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0151A93A Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 0151A96F

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: 49adde1f0f6ba94c63c1ab1bc4a95cf1c6345fdd23757cba4a6d64f41ade7e3f
Instruction ID: 4fc08fae76b0247ed6a3439fefc2d8fcbce099e261f8bbe6a692dd6515dd7735
Opcode Fuzzy Hash: 49adde1f0f6ba94c63c1ab1bc4a95cf1c6345fdd23757cba4a6d64f41ade7e3f
Instruction Fuzzy Hash: BF01A2798052809FEB12CF15D885B65FBE4EF44220F0CC8AADD488F356D375E448CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0151A9E2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,6972C739,00000000,?,?,?,?,?,?,?,?,6CD53C58), ref: 0151AA14

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 04ff1ec308193b24de5f5eb996a5d55ec79b1d62782696662db7a7f3438160b0
Instruction ID: 99b3522993debd289e152aad3ca97da0b3d9e16ca7a611b9276dd7d28d3c11e7
Opcode Fuzzy Hash: 04ff1ec308193b24de5f5eb996a5d55ec79b1d62782696662db7a7f3438160b0
Instruction Fuzzy Hash: 3201D6764012809FEB12CF15D985755FBE4EF04220F0CC8AADD498F756D3B5E408CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0151A2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,6972C739,00000000,?,?,?,?,?,?,?,?,6CD53C58), ref: 0151A330

Memory Dump Source

Source File: 00000000.00000002.4524895985.000000000151A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151a000_xdPdkPMD8u.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e3cc9458cbf51fc78e6addb1e78ca7c45e9b55569c2fa7f76e4e4f4aebc09e79
Instruction ID: 973082cf5afa451d4dc687bf51ec9f73006ded17c8ee6bf9bff0d07dc5ed0836
Opcode Fuzzy Hash: e3cc9458cbf51fc78e6addb1e78ca7c45e9b55569c2fa7f76e4e4f4aebc09e79
Instruction Fuzzy Hash: 99F0AF39805280DFEB128F09D885765FBE4EF04325F4CC49ADD494F756D3B5E408CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 016408FD Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4525212653.0000000001640000.00000040.00000020.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_xdPdkPMD8u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab14678e59a43247b8fd1afdd1e79c34719a6bab38792fa826a11a8648d0a34
Instruction ID: 3c8c0f1add7d2bad32409f4f4c494251521c6c0e7ba72422a3a23954ef4a533f
Opcode Fuzzy Hash: 2ab14678e59a43247b8fd1afdd1e79c34719a6bab38792fa826a11a8648d0a34
Instruction Fuzzy Hash: 3021B0351093C0DFD717CB10C950B95BFB1EB4A618F1989EEE5858B793C73A9806CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05D22400 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4527377932.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d20000_xdPdkPMD8u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f203abe215e2d4beec14ca57d55ced2fed0afdbd38d7a0c12767bff8f9b571cf
Instruction ID: 73ebb3fffd98df1f8708beff87a65c79948cef7ea7b69ed2342abb718322c356
Opcode Fuzzy Hash: f203abe215e2d4beec14ca57d55ced2fed0afdbd38d7a0c12767bff8f9b571cf
Instruction Fuzzy Hash: 8B11B8B5908341AFD740CF19D880A5BFBE4FB98664F04895EF99897311D335EA188FA2

Uniqueness

Uniqueness Score: -1.00%

Function 01640934 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4525212653.0000000001640000.00000040.00000020.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_xdPdkPMD8u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bfdb5ba8c559f0e3b905397c6d7f00c2dc542037f84e76155d8691e592a2f92
Instruction ID: 7bcaafc765e617530e73aff869341482ab41587a98d21f5c14888576c1e7c029
Opcode Fuzzy Hash: 5bfdb5ba8c559f0e3b905397c6d7f00c2dc542037f84e76155d8691e592a2f92
Instruction Fuzzy Hash: 2911B435208240EFE715CB14C940B66FBA5AB89718F28D99CFA494B753C777D813C651

Uniqueness

Uniqueness Score: -1.00%

Function 0152B5A0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4524939498.000000000152A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_152a000_xdPdkPMD8u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc5255b00129aaab63a45a11d3a57d11f2b4ec8850158cb4972e8151644fa14
Instruction ID: 2497431bba32497591968cc790ee3d80ee256e37234395b0b83253d2a8e58687
Opcode Fuzzy Hash: adc5255b00129aaab63a45a11d3a57d11f2b4ec8850158cb4972e8151644fa14
Instruction Fuzzy Hash: 3811FAB5908301AFD750CF09DC80E5BFBE8EB98660F04891EF95897311D335E9188FA2

Uniqueness

Uniqueness Score: -1.00%

Function 016405DF Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4525212653.0000000001640000.00000040.00000020.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_xdPdkPMD8u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78170675cefd216a03f7d10eb5833fb4d511e3ce818b63b4c60826651dc0eb69
Instruction ID: 27e69b41b22c7fcc0236e67f9dafe02b0dc4d0c98257f3e8e802f9802123ac91
Opcode Fuzzy Hash: 78170675cefd216a03f7d10eb5833fb4d511e3ce818b63b4c60826651dc0eb69
Instruction Fuzzy Hash: 5301A2B550D3806FD7128F06AC44862FFB8DF8622070984EFEC498B652D235A908CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 016409F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4525212653.0000000001640000.00000040.00000020.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_xdPdkPMD8u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf77a17c3e8da0c4cb46b30df8c31357310a763e4aa26229cc1396c023fce79
Instruction ID: 1130535ff7f0fd778c4c9a13f8f81313522d15793614a37ee293e0479fb5dac5
Opcode Fuzzy Hash: 8bf77a17c3e8da0c4cb46b30df8c31357310a763e4aa26229cc1396c023fce79
Instruction Fuzzy Hash: 10F01D35108645DFC306CF04D940B55FBA2FB89718F24CAADE94907B52C737E813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 01640606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4525212653.0000000001640000.00000040.00000020.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1640000_xdPdkPMD8u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd3955506a10960d0500d7b159067190ab7a4f7bda7f8b73e9f51c681b47a56
Instruction ID: 81bbaff1c1a1440213f7813bf32229b22e82b08b78fadda689f3b357c3191daa
Opcode Fuzzy Hash: cfd3955506a10960d0500d7b159067190ab7a4f7bda7f8b73e9f51c681b47a56
Instruction Fuzzy Hash: A1E092B66006004B9650CF0BEC81452F7E8EB88630B08C07FDC0D8BB11D235B508CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 05D2246B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4527377932.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d20000_xdPdkPMD8u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ca3e45e37cc48bbf5066a1fe9b98ea4d0ad20989e1ed9ae340bf2e97ee344e
Instruction ID: c61faf69b18b62a33f43ac6d7589bbf3199c47b57e29b5fd015cdfc619101f55
Opcode Fuzzy Hash: 14ca3e45e37cc48bbf5066a1fe9b98ea4d0ad20989e1ed9ae340bf2e97ee344e
Instruction Fuzzy Hash: 69E0D8B255020067D6109F069C45F52FB98DB94931F08C467ED081B741E275B51489F1

Uniqueness

Uniqueness Score: -1.00%

Function 05D21D17 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4527377932.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d20000_xdPdkPMD8u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818f9acf12254fcf91cc09f7b4af3dca8bff998489b8eec3bbef1199e4ec5a9e
Instruction ID: 8b16e4607eceddc6d75e5d5a81447fe9446cf4678a9518e9c7af6782a2f592e5
Opcode Fuzzy Hash: 818f9acf12254fcf91cc09f7b4af3dca8bff998489b8eec3bbef1199e4ec5a9e
Instruction Fuzzy Hash: 0FE0D8B251020067D6109F069C45F53FB98DB94931F08C457ED081B701E276B514C9F1

Uniqueness

Uniqueness Score: -1.00%

Function 0152B5EF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4524939498.000000000152A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_152a000_xdPdkPMD8u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d7b135d76e514a84cb5ed9a6d4df0c0e81eed2e5c0365d45dc1fb267666155
Instruction ID: feca9d76d2d9e8514444880e5815c95e80fdf6ca83cc7d1b7f3cf4c338430511
Opcode Fuzzy Hash: d1d7b135d76e514a84cb5ed9a6d4df0c0e81eed2e5c0365d45dc1fb267666155
Instruction Fuzzy Hash: 32E020B254020467D6109F06AC45F53F79CDB54931F08C557ED081F711E275B514CAF1

Uniqueness

Uniqueness Score: -1.00%

Function 015123F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4524880250.0000000001512000.00000040.00000800.00020000.00000000.sdmp, Offset: 01512000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1512000_xdPdkPMD8u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4205279257610a071ed83d4e415bfd2803fc22e41fe2bd873c433a538709fb5a
Instruction ID: 3e45bda907b4766363a085b0cfa2401b46551a7cc3fad310c3c7fe4b28f2c43f
Opcode Fuzzy Hash: 4205279257610a071ed83d4e415bfd2803fc22e41fe2bd873c433a538709fb5a
Instruction Fuzzy Hash: E3D02E792426C04FF3139B0CC1A4B893BE4BB40704F4A00F9A8008F777C7A8E4C0C200

Uniqueness

Uniqueness Score: -1.00%

Function 015123BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4524880250.0000000001512000.00000040.00000800.00020000.00000000.sdmp, Offset: 01512000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1512000_xdPdkPMD8u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e33f493df87d8eddb4c13e57fa428c914ffba81cccf337283d5e18b2ff347e3
Instruction ID: 41363d08cfac8dac04a171a109a6e3f5f44ed5fe5fb61512a192ff925b67e79a
Opcode Fuzzy Hash: 2e33f493df87d8eddb4c13e57fa428c914ffba81cccf337283d5e18b2ff347e3
Instruction Fuzzy Hash: C0D05E342012814FEB16DB0CC6D4F9D3BD4BB44715F1644E8AC108F766C7A4E8C0DA00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xdPdkPMD8u.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Operating System Destruction

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
xdPdkPMD8u.exe

Function 0163169F Relevance: 5.7, Strings: 4, Instructions: 684
COMMON

Function 01630F90 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Function 056A18FE Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Function 01630F7F Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Function 056A04D6 Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Function 056A29AA Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Function 056A0A43 Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Function 056A1670 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 056A1568 Relevance: 1.6, APIs: 1, Instructions: 91
timeCOMMON