Edit tour

Windows Analysis Report
QsKtlzYaKF.exe

Overview

General Information

Sample Name:	QsKtlzYaKF.exe
Original Sample Name:	85AA59199316A48AE26E32A9A674D2AE.exe
Analysis ID:	1352747
MD5:	85aa59199316a48ae26e32a9a674d2ae
SHA1:	e7ebf981bc84c76fdb0f7b77f4067212ff70421d
SHA256:	04009681685f9366286233d718166ff7de75c6149aba12fb4e913daa52ffb445
Tags:	exenjratRAT
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: Drops fake system file at system root drive

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Njrat

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Uses netsh to modify the Windows network and firewall settings

Drops PE files to the startup folder

Protects its processes via BreakOnTermination flag

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

.NET source code contains potential unpacker

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Creates autostart registry keys with suspicious names

Modifies the windows firewall

Creates autorun.inf (USB autostart)

Drops PE files with benign system names

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

May infect USB drives

Internet Provider seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to call native functions

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a start menu entry (Start Menu\Programs\Startup)

Classification

Process Tree

System is w10x64

QsKtlzYaKF.exe (PID: 6856 cmdline: C:\Users\user\Desktop\QsKtlzYaKF.exe MD5: 85AA59199316A48AE26E32A9A674D2AE)

netsh.exe (PID: 7044 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\QsKtlzYaKF.exe" "QsKtlzYaKF.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

QsKtlzYaKF.exe (PID: 4284 cmdline: "C:\Users\user\Desktop\QsKtlzYaKF.exe" .. MD5: 85AA59199316A48AE26E32A9A674D2AE)

QsKtlzYaKF.exe (PID: 6184 cmdline: "C:\Users\user\Desktop\QsKtlzYaKF.exe" .. MD5: 85AA59199316A48AE26E32A9A674D2AE)

QsKtlzYaKF.exe (PID: 1608 cmdline: "C:\Users\user\Desktop\QsKtlzYaKF.exe" .. MD5: 85AA59199316A48AE26E32A9A674D2AE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "6.tcp.eu.ngrok.io", "Port": "19220", "Version": "im523", "Campaign ID": "mark", "Install Name": "server.exe", "Install Dir": "TEMP"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
QsKtlzYaKF.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
QsKtlzYaKF.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7efc:$a3: Download ERROR 0x81ee:$a5: netsh firewall delete allowedprogram "
QsKtlzYaKF.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80e4:$a1: netsh firewall add allowedprogram 0x82de:$b1: [TAP] 0x8284:$b2: & exit 0x8250:$c1: md.exe /k ping 0 & del
QsKtlzYaKF.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81ee:$s1: netsh firewall delete allowedprogram 0x80e4:$s2: netsh firewall add allowedprogram 0x824e:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ed8:$s4: Execute ERROR 0x7f38:$s4: Execute ERROR 0x7efc:$s5: Download ERROR 0x8294:$s6: [kl]

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7efc:$a3: Download ERROR 0x81ee:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80e4:$a1: netsh firewall add allowedprogram 0x82de:$b1: [TAP] 0x8284:$b2: & exit 0x8250:$c1: md.exe /k ping 0 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81ee:$s1: netsh firewall delete allowedprogram 0x80e4:$s2: netsh firewall add allowedprogram 0x824e:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ed8:$s4: Execute ERROR 0x7f38:$s4: Execute ERROR 0x7efc:$s5: Download ERROR 0x8294:$s6: [kl]
C:\svchost.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\svchost.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7efc:$a3: Download ERROR 0x81ee:$a5: netsh firewall delete allowedprogram "
C:\svchost.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80e4:$a1: netsh firewall add allowedprogram 0x82de:$b1: [TAP] 0x8284:$b2: & exit 0x8250:$c1: md.exe /k ping 0 & del
C:\svchost.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81ee:$s1: netsh firewall delete allowedprogram 0x80e4:$s2: netsh firewall add allowedprogram 0x824e:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ed8:$s4: Execute ERROR 0x7f38:$s4: Execute ERROR 0x7efc:$s5: Download ERROR 0x8294:$s6: [kl]
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1657947199.0000000000E32000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.1657947199.0000000000E32000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x62c1:$a1: get_Registry 0x7cfc:$a3: Download ERROR 0x7fee:$a5: netsh firewall delete allowedprogram "
00000000.00000000.1657947199.0000000000E32000.00000002.00000001.01000000.00000003.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x7ee4:$a1: netsh firewall add allowedprogram 0x80de:$b1: [TAP] 0x8084:$b2: & exit 0x8050:$c1: md.exe /k ping 0 & del
00000000.00000002.4110826869.00000000033F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: QsKtlzYaKF.exe PID: 6856	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.QsKtlzYaKF.exe.e30000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.QsKtlzYaKF.exe.e30000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7efc:$a3: Download ERROR 0x81ee:$a5: netsh firewall delete allowedprogram "
0.0.QsKtlzYaKF.exe.e30000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80e4:$a1: netsh firewall add allowedprogram 0x82de:$b1: [TAP] 0x8284:$b2: & exit 0x8250:$c1: md.exe /k ping 0 & del
0.0.QsKtlzYaKF.exe.e30000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81ee:$s1: netsh firewall delete allowedprogram 0x80e4:$s2: netsh firewall add allowedprogram 0x824e:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ed8:$s4: Execute ERROR 0x7f38:$s4: Execute ERROR 0x7efc:$s5: Download ERROR 0x8294:$s6: [kl]

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Drops fake system file at system root drive

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\QsKtlzYaKF.exe, ProcessId: 6856, TargetFilename: C:\svchost.exe

Snort Signatures

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549739192202814860 12/03/23-20:22:51.251780
SID:	2814860
Source Port:	49739
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.66.38.117

Timestamp:	192.168.2.43.66.38.11749746192202033132 12/03/23-20:24:22.591862
SID:	2033132
Source Port:	49746
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 3.69.157.220

Timestamp:	192.168.2.43.69.157.22049730192202825563 12/03/23-20:21:23.688164
SID:	2825563
Source Port:	49730
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.69.157.220

Timestamp:	192.168.2.43.69.157.22049729192202814856 12/03/23-20:21:17.448214
SID:	2814856
Source Port:	49729
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.66.38.117

Timestamp:	192.168.2.43.66.38.11749748192202825564 12/03/23-20:25:13.193068
SID:	2825564
Source Port:	49748
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 3.66.38.117

Timestamp:	192.168.2.43.66.38.11749748192202825563 12/03/23-20:24:57.283768
SID:	2825563
Source Port:	49748
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549739192202033132 12/03/23-20:22:42.761128
SID:	2033132
Source Port:	49739
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 3.66.38.117

Timestamp:	192.168.2.43.66.38.11749747192202825563 12/03/23-20:24:37.860433
SID:	2825563
Source Port:	49747
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 3.66.38.117

Timestamp:	192.168.2.43.66.38.11749746192202825563 12/03/23-20:24:22.776536
SID:	2825563
Source Port:	49746
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.66.38.117

Timestamp:	192.168.2.43.66.38.11749746192202825564 12/03/23-20:24:29.426575
SID:	2825564
Source Port:	49746
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.69.157.220

Timestamp:	192.168.2.43.69.157.22049737192202033132 12/03/23-20:22:05.018671
SID:	2033132
Source Port:	49737
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549741192202825563 12/03/23-20:23:14.946007
SID:	2825563
Source Port:	49741
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549740192202825563 12/03/23-20:22:53.706955
SID:	2825563
Source Port:	49740
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549742192202825563 12/03/23-20:23:26.344895
SID:	2825563
Source Port:	49742
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549740192202825564 12/03/23-20:22:59.051727
SID:	2825564
Source Port:	49740
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549742192202825564 12/03/23-20:23:30.911166
SID:	2825564
Source Port:	49742
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.69.157.220

Timestamp:	192.168.2.43.69.157.22049729192202033132 12/03/23-20:21:17.262929
SID:	2033132
Source Port:	49729
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549743192202825563 12/03/23-20:23:37.605690
SID:	2825563
Source Port:	49743
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.69.115.178

Timestamp:	192.168.2.43.69.115.17849744192202825564 12/03/23-20:24:02.368608
SID:	2825564
Source Port:	49744
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 3.69.115.178

Timestamp:	192.168.2.43.69.115.17849744192202825563 12/03/23-20:23:48.158065
SID:	2825563
Source Port:	49744
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 3.69.157.220

Timestamp:	192.168.2.43.69.157.22049729192202825563 12/03/23-20:21:17.448214
SID:	2825563
Source Port:	49729
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549743192202825564 12/03/23-20:23:40.973464
SID:	2825564
Source Port:	49743
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 3.69.115.178

Timestamp:	192.168.2.43.69.115.17849745192202825563 12/03/23-20:24:12.746923
SID:	2825563
Source Port:	49745
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.69.157.220

Timestamp:	192.168.2.43.69.157.22049737192202825564 12/03/23-20:22:34.323672
SID:	2825564
Source Port:	49737
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.69.115.178

Timestamp:	192.168.2.43.69.115.17849745192202825564 12/03/23-20:24:13.178120
SID:	2825564
Source Port:	49745
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 3.69.157.220

Timestamp:	192.168.2.43.69.157.22049737192202825563 12/03/23-20:22:05.210462
SID:	2825563
Source Port:	49737
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549741192202825564 12/03/23-20:23:15.348399
SID:	2825564
Source Port:	49741
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.69.157.220

Timestamp:	192.168.2.43.69.157.22049737192202814856 12/03/23-20:22:05.210462
SID:	2814856
Source Port:	49737
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.66.38.117

Timestamp:	192.168.2.43.66.38.11749748192202814856 12/03/23-20:24:57.283768
SID:	2814856
Source Port:	49748
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549743192202814856 12/03/23-20:23:37.605690
SID:	2814856
Source Port:	49743
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549742192202814856 12/03/23-20:23:26.344895
SID:	2814856
Source Port:	49742
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.69.157.220

Timestamp:	192.168.2.43.69.157.22049730192202814856 12/03/23-20:21:23.688164
SID:	2814856
Source Port:	49730
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549741192202814856 12/03/23-20:23:14.946007
SID:	2814856
Source Port:	49741
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549740192202814856 12/03/23-20:22:53.706955
SID:	2814856
Source Port:	49740
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.66.38.117

Timestamp:	192.168.2.43.66.38.11749747192202814856 12/03/23-20:24:37.860433
SID:	2814856
Source Port:	49747
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.69.115.178

Timestamp:	192.168.2.43.69.115.17849744192202814860 12/03/23-20:24:03.120602
SID:	2814860
Source Port:	49744
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.69.115.178

Timestamp:	192.168.2.43.69.115.17849745192202814860 12/03/23-20:24:13.178120
SID:	2814860
Source Port:	49745
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.69.115.178

Timestamp:	192.168.2.43.69.115.17849745192202033132 12/03/23-20:24:12.557531
SID:	2033132
Source Port:	49745
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.69.157.220

Timestamp:	192.168.2.43.69.157.22049737192202814860 12/03/23-20:22:39.270213
SID:	2814860
Source Port:	49737
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.66.38.117

Timestamp:	192.168.2.43.66.38.11749746192202814856 12/03/23-20:24:22.776536
SID:	2814856
Source Port:	49746
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549742192202033132 12/03/23-20:23:26.153978
SID:	2033132
Source Port:	49742
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549743192202033132 12/03/23-20:23:37.416476
SID:	2033132
Source Port:	49743
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549739192202814856 12/03/23-20:22:43.464095
SID:	2814856
Source Port:	49739
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549740192202033132 12/03/23-20:22:53.517449
SID:	2033132
Source Port:	49740
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.69.115.178

Timestamp:	192.168.2.43.69.115.17849744192202033132 12/03/23-20:23:47.970103
SID:	2033132
Source Port:	49744
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.66.38.117

Timestamp:	192.168.2.43.66.38.11749746192202814860 12/03/23-20:24:29.426575
SID:	2814860
Source Port:	49746
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.69.115.178

Timestamp:	192.168.2.43.69.115.17849744192202814856 12/03/23-20:23:48.158065
SID:	2814856
Source Port:	49744
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.69.115.178

Timestamp:	192.168.2.43.69.115.17849745192202814856 12/03/23-20:24:12.746923
SID:	2814856
Source Port:	49745
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549740192202814860 12/03/23-20:22:59.051727
SID:	2814860
Source Port:	49740
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549742192202814860 12/03/23-20:23:30.911166
SID:	2814860
Source Port:	49742
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.66.38.117

Timestamp:	192.168.2.43.66.38.11749747192202033132 12/03/23-20:24:37.669337
SID:	2033132
Source Port:	49747
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549743192202814860 12/03/23-20:23:40.973464
SID:	2814860
Source Port:	49743
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549741192202033132 12/03/23-20:23:14.759488
SID:	2033132
Source Port:	49741
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.66.38.117

Timestamp:	192.168.2.43.66.38.11749748192202033132 12/03/23-20:24:57.092638
SID:	2033132
Source Port:	49748
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.69.157.220

Timestamp:	192.168.2.43.69.157.22049730192202033132 12/03/23-20:21:23.501095
SID:	2033132
Source Port:	49730
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 52.28.247.255

Timestamp:	192.168.2.452.28.247.25549741192202814860 12/03/23-20:23:15.348399
SID:	2814860
Source Port:	49741
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.66.38.117

Timestamp:	192.168.2.43.66.38.11749748192202814860 12/03/23-20:25:13.193068
SID:	2814860
Source Port:	49748
Destination Port:	19220
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000000.1657947199.0000000000E32000.00000002.00000001.01000000.00000003.sdmp

Malware Configuration Extractor: Njrat {"Host": "6.tcp.eu.ngrok.io", "Port": "19220", "Version": "im523", "Campaign ID": "mark", "Install Name": "server.exe", "Install Dir": "TEMP"}

Multi AV Scanner detection for submitted file

Source: QsKtlzYaKF.exe	Virustotal: Detection: 80%			Perma Link
Source: QsKtlzYaKF.exe	ReversingLabs: Detection: 86%

Yara detected Njrat

Source: Yara match	File source: QsKtlzYaKF.exe, type: SAMPLE
Source: Yara match	File source: 0.0.QsKtlzYaKF.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1657947199.0000000000E32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4110826869.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QsKtlzYaKF.exe PID: 6856, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe, type: DROPPED
Source: Yara match	File source: C:\svchost.exe, type: DROPPED

Antivirus / Scanner detection for submitted sample

Source: QsKtlzYaKF.exe

Avira: detected

Antivirus detection for URL or domain

Source: 6.tcp.eu.ngrok.io

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: 6.tcp.eu.ngrok.io	Virustotal: Detection: 11%			Perma Link
Source: 6.tcp.eu.ngrok.io	Virustotal: Detection: 11%			Perma Link

Antivirus detection for dropped file

Source: C:\svchost.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe	Virustotal: Detection: 80%	Perma Link
Source: C:\svchost.exe	ReversingLabs: Detection: 86%
Source: C:\svchost.exe	Virustotal: Detection: 80%	Perma Link

Machine Learning detection for sample

Source: QsKtlzYaKF.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\svchost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe	Joe Sandbox ML: detected

Source: QsKtlzYaKF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: QsKtlzYaKF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Creates autorun.inf (USB autostart)

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

File created: C:\autorun.inf

Jump to behavior

Source: QsKtlzYaKF.exe, 00000000.00000000.1657947199.0000000000E32000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: QsKtlzYaKF.exe, 00000000.00000000.1657947199.0000000000E32000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: QsKtlzYaKF.exe, 00000000.00000002.4110826869.00000000033F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: QsKtlzYaKF.exe, 00000000.00000002.4110826869.00000000033F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: QsKtlzYaKF.exe	Binary or memory string: autorun.inf
Source: QsKtlzYaKF.exe	Binary or memory string: [autorun]
Source: svchost.exe.0.dr	Binary or memory string: autorun.inf
Source: svchost.exe.0.dr	Binary or memory string: [autorun]
Source: a502d6936d522819db45a43677dc3f7c.exe.0.dr	Binary or memory string: autorun.inf
Source: a502d6936d522819db45a43677dc3f7c.exe.0.dr	Binary or memory string: [autorun]
Source: autorun.inf.0.dr	Binary or memory string: [autorun]

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49729 -> 3.69.157.220:19220
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49729 -> 3.69.157.220:19220
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49729 -> 3.69.157.220:19220
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49730 -> 3.69.157.220:19220
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49730 -> 3.69.157.220:19220
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49730 -> 3.69.157.220:19220
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49737 -> 3.69.157.220:19220
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49737 -> 3.69.157.220:19220
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49737 -> 3.69.157.220:19220
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49737 -> 3.69.157.220:19220
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49737 -> 3.69.157.220:19220
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49739 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49739 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49739 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49740 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49740 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49740 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49740 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49740 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49741 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49741 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49741 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49741 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49741 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49742 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49742 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49742 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49742 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49742 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49743 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49743 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49743 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49743 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49743 -> 52.28.247.255:19220
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49744 -> 3.69.115.178:19220
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49744 -> 3.69.115.178:19220
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49744 -> 3.69.115.178:19220
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49744 -> 3.69.115.178:19220
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49744 -> 3.69.115.178:19220
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49745 -> 3.69.115.178:19220
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49745 -> 3.69.115.178:19220
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49745 -> 3.69.115.178:19220
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49745 -> 3.69.115.178:19220
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49745 -> 3.69.115.178:19220
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49746 -> 3.66.38.117:19220
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49746 -> 3.66.38.117:19220
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49746 -> 3.66.38.117:19220
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49746 -> 3.66.38.117:19220
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49746 -> 3.66.38.117:19220
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49747 -> 3.66.38.117:19220
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49747 -> 3.66.38.117:19220
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49747 -> 3.66.38.117:19220
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49748 -> 3.66.38.117:19220
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49748 -> 3.66.38.117:19220
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49748 -> 3.66.38.117:19220
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49748 -> 3.66.38.117:19220
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49748 -> 3.66.38.117:19220

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 6.tcp.eu.ngrok.io

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: Joe Sandbox View	IP Address: 3.66.38.117 3.66.38.117
Source: Joe Sandbox View	IP Address: 52.28.247.255 52.28.247.255

Source: global traffic	TCP traffic: 192.168.2.4:49729 -> 3.69.157.220:19220
Source: global traffic	TCP traffic: 192.168.2.4:49739 -> 52.28.247.255:19220
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 3.69.115.178:19220
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 3.66.38.117:19220

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: QsKtlzYaKF.exe, svchost.exe.0.dr, a502d6936d522819db45a43677dc3f7c.exe.0.dr

String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0

Source: unknown

DNS traffic detected: queries for: 6.tcp.eu.ngrok.io

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: QsKtlzYaKF.exe, kl.cs	.Net Code: VKCodeToUnicode
Source: a502d6936d522819db45a43677dc3f7c.exe.0.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: svchost.exe.0.dr, kl.cs	.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: QsKtlzYaKF.exe, type: SAMPLE
Source: Yara match	File source: 0.0.QsKtlzYaKF.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1657947199.0000000000E32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4110826869.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QsKtlzYaKF.exe PID: 6856, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe, type: DROPPED
Source: Yara match	File source: C:\svchost.exe, type: DROPPED

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: QsKtlzYaKF.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: QsKtlzYaKF.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: QsKtlzYaKF.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.QsKtlzYaKF.exe.e30000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.QsKtlzYaKF.exe.e30000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.QsKtlzYaKF.exe.e30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.1657947199.0000000000E32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1657947199.0000000000E32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\svchost.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\svchost.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\svchost.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen

Source: QsKtlzYaKF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: QsKtlzYaKF.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: QsKtlzYaKF.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: QsKtlzYaKF.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.QsKtlzYaKF.exe.e30000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.QsKtlzYaKF.exe.e30000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.QsKtlzYaKF.exe.e30000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.1657947199.0000000000E32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1657947199.0000000000E32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\svchost.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\svchost.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\svchost.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Code function: 0_2_0173BE26 NtSetInformationProcess,	0_2_0173BE26
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Code function: 0_2_0173BE04 NtSetInformationProcess,	0_2_0173BE04
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Code function: 0_2_0576019E NtQuerySystemInformation,	0_2_0576019E
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Code function: 0_2_05760163 NtQuerySystemInformation,	0_2_05760163

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

Process Stats: CPU usage > 49%

Source: QsKtlzYaKF.exe, 00000000.00000002.4109924762.000000000135E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs QsKtlzYaKF.exe

Source: QsKtlzYaKF.exe	Virustotal: Detection: 80%
Source: QsKtlzYaKF.exe	ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

File read: C:\Users\user\Desktop\QsKtlzYaKF.exe

Jump to behavior

Source: QsKtlzYaKF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QsKtlzYaKF.exe C:\Users\user\Desktop\QsKtlzYaKF.exe
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\QsKtlzYaKF.exe" "QsKtlzYaKF.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\QsKtlzYaKF.exe "C:\Users\user\Desktop\QsKtlzYaKF.exe" ..
Source: unknown	Process created: C:\Users\user\Desktop\QsKtlzYaKF.exe "C:\Users\user\Desktop\QsKtlzYaKF.exe" ..
Source: unknown	Process created: C:\Users\user\Desktop\QsKtlzYaKF.exe "C:\Users\user\Desktop\QsKtlzYaKF.exe" ..
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\QsKtlzYaKF.exe" "QsKtlzYaKF.exe" ENABLE	Jump to behavior

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Code function: 0_2_0173BAD6 AdjustTokenPrivileges,		0_2_0173BAD6
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Code function: 0_2_0173BA9F AdjustTokenPrivileges,		0_2_0173BA9F

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe

Jump to behavior

Source: classification engine

Classification label: mal100.spre.troj.adwa.spyw.evad.winEXE@7/7@4/4

Source: QsKtlzYaKF.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_03
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Mutant created: \Sessions\1\BaseNamedObjects\a502d6936d522819db45a43677dc3f7c

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: QsKtlzYaKF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QsKtlzYaKF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: QsKtlzYaKF.exe, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: a502d6936d522819db45a43677dc3f7c.exe.0.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: svchost.exe.0.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

File created: C:\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	File created: C:\svchost.exe			Jump to dropped file
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe			Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe

Jump to dropped file

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a502d6936d522819db45a43677dc3f7c

Jump to behavior

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe			Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe

Jump to behavior

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a502d6936d522819db45a43677dc3f7c	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a502d6936d522819db45a43677dc3f7c	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run a502d6936d522819db45a43677dc3f7c	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run a502d6936d522819db45a43677dc3f7c	Jump to behavior

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe TID: 6880	Thread sleep time: -734000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe TID: 6880	Thread sleep time: -4409000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe TID: 2836	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe TID: 2696	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe TID: 6016	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Window / User API: threadDelayed 3261	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Window / User API: threadDelayed 734	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Window / User API: threadDelayed 4409	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Window / User API: foregroundWindowGot 426	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Window / User API: foregroundWindowGot 1272	Jump to behavior

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: netsh.exe, 00000001.00000003.1726236933.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: QsKtlzYaKF.exe, 00000000.00000002.4109924762.00000000013BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: QsKtlzYaKF.exe, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: QsKtlzYaKF.exe, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: QsKtlzYaKF.exe, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: QsKtlzYaKF.exe, 00000000.00000002.4110826869.000000000361C000.00000004.00000800.00020000.00000000.sdmp, QsKtlzYaKF.exe, 00000000.00000002.4110826869.00000000038CE000.00000004.00000800.00020000.00000000.sdmp, QsKtlzYaKF.exe, 00000000.00000002.4110826869.0000000003901000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: QsKtlzYaKF.exe, 00000000.00000002.4109924762.00000000013BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Rh Program Manager
Source: QsKtlzYaKF.exe, 00000000.00000002.4110826869.000000000361C000.00000004.00000800.00020000.00000000.sdmp, QsKtlzYaKF.exe, 00000000.00000002.4110826869.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, QsKtlzYaKF.exe, 00000000.00000002.4110826869.00000000036DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.
Source: QsKtlzYaKF.exe, 00000000.00000002.4110826869.00000000033F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program manager
Source: QsKtlzYaKF.exe, 00000000.00000002.4110826869.00000000038CE000.00000004.00000800.00020000.00000000.sdmp, QsKtlzYaKF.exe, 00000000.00000002.4110826869.0000000003901000.00000004.00000800.00020000.00000000.sdmp, QsKtlzYaKF.exe, 00000000.00000002.4110826869.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QsKtlzYaKF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\QsKtlzYaKF.exe" "QsKtlzYaKF.exe" ENABLE

Modifies the windows firewall

Source: C:\Users\user\Desktop\QsKtlzYaKF.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\QsKtlzYaKF.exe" "QsKtlzYaKF.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: QsKtlzYaKF.exe, type: SAMPLE
Source: Yara match	File source: 0.0.QsKtlzYaKF.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1657947199.0000000000E32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4110826869.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QsKtlzYaKF.exe PID: 6856, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe, type: DROPPED
Source: Yara match	File source: C:\svchost.exe, type: DROPPED

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: QsKtlzYaKF.exe, type: SAMPLE
Source: Yara match	File source: 0.0.QsKtlzYaKF.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1657947199.0000000000E32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4110826869.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QsKtlzYaKF.exe PID: 6856, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe, type: DROPPED
Source: Yara match	File source: C:\svchost.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
11 Replication Through Removable Media	1 Native API	221 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Masquerading	1 Input Capture	11 Security Software Discovery	11 Replication Through Removable Media	1 Input Capture	Exfiltration Over Other Network Medium	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Process Injection	21 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	221 Registry Run Keys / Startup Folder	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Process Injection	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QsKtlzYaKF.exe	81%	Virustotal		Browse
QsKtlzYaKF.exe	86%	ReversingLabs	ByteCode-MSIL.Trojan.NjRAT
QsKtlzYaKF.exe	100%	Avira	TR/ATRAPS.Gen
QsKtlzYaKF.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\svchost.exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe	100%	Avira	TR/ATRAPS.Gen
C:\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe	86%	ReversingLabs	ByteCode-MSIL.Trojan.NjRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe	81%	Virustotal		Browse
C:\svchost.exe	86%	ReversingLabs	ByteCode-MSIL.Trojan.NjRAT
C:\svchost.exe	81%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
6.tcp.eu.ngrok.io	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
6.tcp.eu.ngrok.io	100%	Avira URL Cloud	malware
6.tcp.eu.ngrok.io	11%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
6.tcp.eu.ngrok.io	3.69.157.220	true	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
6.tcp.eu.ngrok.io	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0	QsKtlzYaKF.exe, svchost.exe.0.dr, a502d6936d522819db45a43677dc3f7c.exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
3.66.38.117	unknown	United States	16509	AMAZON-02US	true
52.28.247.255	unknown	United States	16509	AMAZON-02US	true
3.69.115.178	unknown	United States	16509	AMAZON-02US	true
3.69.157.220	6.tcp.eu.ngrok.io	United States	16509	AMAZON-02US	true

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1352747
Start date and time:	2023-12-03 20:20:17 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	QsKtlzYaKF.exe renamed because original name is a hash value
Original Sample Name:	85AA59199316A48AE26E32A9A674D2AE.exe
Detection:	MAL
Classification:	mal100.spre.troj.adwa.spyw.evad.winEXE@7/7@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 141 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:21:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run a502d6936d522819db45a43677dc3f7c "C:\Users\user\Desktop\QsKtlzYaKF.exe" ..
19:21:24	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run a502d6936d522819db45a43677dc3f7c "C:\Users\user\Desktop\QsKtlzYaKF.exe" ..
19:21:32	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run a502d6936d522819db45a43677dc3f7c "C:\Users\user\Desktop\QsKtlzYaKF.exe" ..
19:21:43	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe
20:21:50	API Interceptor	123102x Sleep call for process: QsKtlzYaKF.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
3.66.38.117	dKe1GfZOs1.exe	Get hash	malicious	Njrat	Browse
	bRxR.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	X5eo58PPCB.exe	Get hash	malicious	Njrat	Browse
	ZuXcnAYgVp.exe	Get hash	malicious	Njrat	Browse
	8AKGdJOQ8N.exe	Get hash	malicious	Njrat	Browse
	uPMGLG7QnV.exe	Get hash	malicious	Njrat	Browse
	X3vWrCoPG6.exe	Get hash	malicious	Njrat	Browse
	7U23YeVgmF.exe	Get hash	malicious	Njrat	Browse
	KD9rMPUEBM.exe	Get hash	malicious	Njrat	Browse
	8fZNpRy9pN.exe	Get hash	malicious	Njrat	Browse
	2CVeP16GYU.exe	Get hash	malicious	Njrat	Browse
	QuX5A6qz9G.exe	Get hash	malicious	Njrat	Browse
	OperaSetup.exe	Get hash	malicious	Quasar	Browse
	g8XyWsa2b6.exe	Get hash	malicious	Njrat	Browse
	887F546123CD59024356557175BD77FE1144BA5C56D93.exe	Get hash	malicious	Njrat	Browse
	r0EX1ZWE8C.exe	Get hash	malicious	Njrat	Browse
	Android_USB_Jailbreaker.exe	Get hash	malicious	Njrat	Browse
	NNUqIKtjza.exe	Get hash	malicious	Unknown	Browse
	bLtN.exe	Get hash	malicious	Njrat	Browse
	bLtK.exe	Get hash	malicious	Njrat	Browse
52.28.247.255	dKe1GfZOs1.exe	Get hash	malicious	Njrat	Browse
	X5eo58PPCB.exe	Get hash	malicious	Njrat	Browse
	ZuXcnAYgVp.exe	Get hash	malicious	Njrat	Browse
	wiUnP1h5Ex.exe	Get hash	malicious	Njrat	Browse
	BqFosj9Wcb.exe	Get hash	malicious	Njrat	Browse
	d09l64ZAW6.exe	Get hash	malicious	Njrat	Browse
	8AKGdJOQ8N.exe	Get hash	malicious	Njrat	Browse
	uPMGLG7QnV.exe	Get hash	malicious	Njrat	Browse
	X3vWrCoPG6.exe	Get hash	malicious	Njrat	Browse
	8fZNpRy9pN.exe	Get hash	malicious	Njrat	Browse
	2CVeP16GYU.exe	Get hash	malicious	Njrat	Browse
	QuX5A6qz9G.exe	Get hash	malicious	Njrat	Browse
	TdxWv8SpDq.exe	Get hash	malicious	Njrat	Browse
	OperaSetup.exe	Get hash	malicious	Quasar	Browse
	HR0Hh3FsOH.exe	Get hash	malicious	njRat	Browse
	r0EX1ZWE8C.exe	Get hash	malicious	Njrat	Browse
	Android_USB_Jailbreaker.exe	Get hash	malicious	Njrat	Browse
	NNUqIKtjza.exe	Get hash	malicious	Unknown	Browse
	CxVNNetrEI.exe	Get hash	malicious	Njrat	Browse
	gAtrO34ote.exe	Get hash	malicious	njRat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
6.tcp.eu.ngrok.io	xZLQ8X9Cxo.exe	Get hash	malicious	Njrat	Browse	3.69.157.220
	sCXwkZrcZ3.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	dKe1GfZOs1.exe	Get hash	malicious	Njrat	Browse	3.69.157.220
	bRxR.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	18.197.239.109
	X5eo58PPCB.exe	Get hash	malicious	Njrat	Browse	3.69.157.220
	ZuXcnAYgVp.exe	Get hash	malicious	Njrat	Browse	52.28.247.255
	wiUnP1h5Ex.exe	Get hash	malicious	Njrat	Browse	3.69.115.178
	BqFosj9Wcb.exe	Get hash	malicious	Njrat	Browse	52.28.247.255
	d09l64ZAW6.exe	Get hash	malicious	Njrat	Browse	52.28.247.255
	8AKGdJOQ8N.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	uPMGLG7QnV.exe	Get hash	malicious	Njrat	Browse	3.66.38.117
	X3vWrCoPG6.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	7U23YeVgmF.exe	Get hash	malicious	Njrat	Browse	3.69.115.178
	KD9rMPUEBM.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	8fZNpRy9pN.exe	Get hash	malicious	Njrat	Browse	52.28.247.255
	2CVeP16GYU.exe	Get hash	malicious	Njrat	Browse	3.66.38.117
	64EithtAyN.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	QuX5A6qz9G.exe	Get hash	malicious	Njrat	Browse	3.69.115.178
	TdxWv8SpDq.exe	Get hash	malicious	Njrat	Browse	3.69.157.220
	g8XyWsa2b6.exe	Get hash	malicious	Njrat	Browse	3.68.171.119

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	xZLQ8X9Cxo.exe	Get hash	malicious	Njrat	Browse	3.69.157.220
	https://rasulcllc.com/captcha/	Get hash	malicious	Unknown	Browse	108.138.64.52
	Znuvgbtsedoszb.exe	Get hash	malicious	DBatLoader, FormBook	Browse	3.64.163.50
	Ylvjcujvcjtsqv.exe	Get hash	malicious	DBatLoader, FormBook	Browse	3.64.163.50
	INVOICE_PO.exe	Get hash	malicious	FormBook	Browse	52.60.87.163
	New_Order.exe	Get hash	malicious	FormBook	Browse	52.68.224.126
	rZjqwGvi9i.exe	Get hash	malicious	Unknown	Browse	3.14.182.203
	SecuriteInfo.com.Trojan.Linux.Mirai.29744.17563.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	rQaPktWHyt.exe	Get hash	malicious	Njrat	Browse	35.157.111.131
	https://xllt-103158.square.site/	Get hash	malicious	Unknown	Browse	3.162.111.130
	base_(2).apk	Get hash	malicious	Unknown	Browse	54.192.100.188
	5b5erB7O9O.exe	Get hash	malicious	FormBook	Browse	52.60.87.163
	5lFjzZyN2w.exe	Get hash	malicious	FormBook	Browse	52.60.87.163
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	3.18.7.81
	sCXwkZrcZ3.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	piHWNOmnbm.elf	Get hash	malicious	Mirai	Browse	18.132.89.202
	lp0YqkzL1X.elf	Get hash	malicious	Mirai	Browse	54.105.25.28
	Ma0hVedIX4.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	3.18.7.81
	xJB9fCeYZjet.exe	Get hash	malicious	Remcos	Browse	18.190.57.209
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	3.64.163.50
AMAZON-02US	xZLQ8X9Cxo.exe	Get hash	malicious	Njrat	Browse	3.69.157.220
	https://rasulcllc.com/captcha/	Get hash	malicious	Unknown	Browse	108.138.64.52
	Znuvgbtsedoszb.exe	Get hash	malicious	DBatLoader, FormBook	Browse	3.64.163.50
	Ylvjcujvcjtsqv.exe	Get hash	malicious	DBatLoader, FormBook	Browse	3.64.163.50
	INVOICE_PO.exe	Get hash	malicious	FormBook	Browse	52.60.87.163
	New_Order.exe	Get hash	malicious	FormBook	Browse	52.68.224.126
	rZjqwGvi9i.exe	Get hash	malicious	Unknown	Browse	3.14.182.203
	SecuriteInfo.com.Trojan.Linux.Mirai.29744.17563.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	rQaPktWHyt.exe	Get hash	malicious	Njrat	Browse	35.157.111.131
	https://xllt-103158.square.site/	Get hash	malicious	Unknown	Browse	3.162.111.130
	base_(2).apk	Get hash	malicious	Unknown	Browse	54.192.100.188
	5b5erB7O9O.exe	Get hash	malicious	FormBook	Browse	52.60.87.163
	5lFjzZyN2w.exe	Get hash	malicious	FormBook	Browse	52.60.87.163
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	3.18.7.81
	sCXwkZrcZ3.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	piHWNOmnbm.elf	Get hash	malicious	Mirai	Browse	18.132.89.202
	lp0YqkzL1X.elf	Get hash	malicious	Mirai	Browse	54.105.25.28
	Ma0hVedIX4.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	3.18.7.81
	xJB9fCeYZjet.exe	Get hash	malicious	Remcos	Browse	18.190.57.209
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	3.64.163.50

Process:	C:\Users\user\Desktop\QsKtlzYaKF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe

Download File

Process:	C:\Users\user\Desktop\QsKtlzYaKF.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	105472
Entropy (8bit):	6.101513159941245
Encrypted:	false
SSDEEP:	384:89uBz6dgibXjpPu7w9qyMTA3/r6s2cLrrAF+rMRTyN/0L+EcoinblneHQM3epzXh:5+NN9ZMTA3W1cvrM+rMRa8NuZqtxcf
MD5:	85AA59199316A48AE26E32A9A674D2AE
SHA1:	E7EBF981BC84C76FDB0F7B77F4067212FF70421D
SHA-256:	04009681685F9366286233D718166FF7DE75C6149ABA12FB4E913DAA52FFB445
SHA-512:	88A5571C84B64FAD280173FA4859B4FF915019C47AD67F36971703EC3764A54BDB0CF669F207F98604FF363C0E24AE203AE6F0859F331D8BCEF225DFCF7C99DF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 86% Antivirus: Virustotal, Detection: 81%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ee................................ ........@.. ....................................@.................................t...W.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......*..(.......s.........s.........s.........s...........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\QsKtlzYaKF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\autorun.inf

Download File

Process:	C:\Users\user\Desktop\QsKtlzYaKF.exe
File Type:	Microsoft Windows Autorun file
Category:	dropped
Size (bytes):	50
Entropy (8bit):	4.320240000427043
Encrypted:	false
SSDEEP:	3:It1KV2LKMACovK0x:e1KzxvD
MD5:	5B0B50BADE67C5EC92D42E971287A5D9
SHA1:	90D5C99143E7A56AD6E5EE401015F8ECC093D95A
SHA-256:	04DDE2489D2D2E6846D42250D813AB90B5CA847D527F8F2C022E6C327DC6DB53
SHA-512:	C064DC3C4185A38D1CAEBD069ACB9FDBB85DFB650D6A241036E501A09BC89FD06E267BE9D400D20E6C14B4068473D1C6557962E8D82FDFD191DB7EABB6E66821
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	[autorun]..open=C:\svchost.exe..shellexecute=C:\..

C:\svchost.exe

Download File

Process:	C:\Users\user\Desktop\QsKtlzYaKF.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	105472
Entropy (8bit):	6.101513159941245
Encrypted:	false
SSDEEP:	384:89uBz6dgibXjpPu7w9qyMTA3/r6s2cLrrAF+rMRTyN/0L+EcoinblneHQM3epzXh:5+NN9ZMTA3W1cvrM+rMRa8NuZqtxcf
MD5:	85AA59199316A48AE26E32A9A674D2AE
SHA1:	E7EBF981BC84C76FDB0F7B77F4067212FF70421D
SHA-256:	04009681685F9366286233D718166FF7DE75C6149ABA12FB4E913DAA52FFB445
SHA-512:	88A5571C84B64FAD280173FA4859B4FF915019C47AD67F36971703EC3764A54BDB0CF669F207F98604FF363C0E24AE203AE6F0859F331D8BCEF225DFCF7C99DF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\svchost.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\svchost.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\svchost.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\svchost.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 86% Antivirus: Virustotal, Detection: 81%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ee................................ ........@.. ....................................@.................................t...W.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......*..(.......s.........s.........s.........s...........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\svchost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\QsKtlzYaKF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.101513159941245
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	QsKtlzYaKF.exe
File size:	105'472 bytes
MD5:	85aa59199316a48ae26e32a9a674d2ae
SHA1:	e7ebf981bc84c76fdb0f7b77f4067212ff70421d
SHA256:	04009681685f9366286233d718166ff7de75c6149aba12fb4e913daa52ffb445
SHA512:	88a5571c84b64fad280173fa4859b4ff915019c47ad67f36971703ec3764a54bdb0cf669f207f98604ff363c0e24ae203ae6f0859f331d8bcef225dfcf7c99df
SSDEEP:	384:89uBz6dgibXjpPu7w9qyMTA3/r6s2cLrrAF+rMRTyN/0L+EcoinblneHQM3epzXh:5+NN9ZMTA3W1cvrM+rMRa8NuZqtxcf
TLSH:	51A38244DB40BD4FE2FA75718E161F9847B27125CC6927142BFAC6DF0B9EA015E20BE2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ee................................. ........@.. ....................................@................................

File Icon


Icon Hash:	6d92b28e8696d069

Static PE Info

General

Entrypoint:	0x40abce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6565EEBD [Tue Nov 28 13:44:29 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xab74	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x10b0c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8bd4	0x8c00	False	0.46378348214285714	data	5.608042578085843	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x10b0c	0x10c00	False	0.07984491604477612	data	5.827905252515968	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1e000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc0e8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.07501774517922631
RT_GROUP_ICON	0x1c910	0x14	data	1.0
RT_MANIFEST	0x1c924	0x1e7	XML 1.0 document, ASCII text, with CRLF line terminators	0.5338809034907598

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.452.28.247.25549739192202814860 12/03/23-20:22:51.251780	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49739	19220	192.168.2.4	52.28.247.255
192.168.2.43.66.38.11749746192202033132 12/03/23-20:24:22.591862	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49746	19220	192.168.2.4	3.66.38.117
192.168.2.43.69.157.22049730192202825563 12/03/23-20:21:23.688164	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49730	19220	192.168.2.4	3.69.157.220
192.168.2.43.69.157.22049729192202814856 12/03/23-20:21:17.448214	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49729	19220	192.168.2.4	3.69.157.220
192.168.2.43.66.38.11749748192202825564 12/03/23-20:25:13.193068	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49748	19220	192.168.2.4	3.66.38.117
192.168.2.43.66.38.11749748192202825563 12/03/23-20:24:57.283768	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49748	19220	192.168.2.4	3.66.38.117
192.168.2.452.28.247.25549739192202033132 12/03/23-20:22:42.761128	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49739	19220	192.168.2.4	52.28.247.255
192.168.2.43.66.38.11749747192202825563 12/03/23-20:24:37.860433	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49747	19220	192.168.2.4	3.66.38.117
192.168.2.43.66.38.11749746192202825563 12/03/23-20:24:22.776536	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49746	19220	192.168.2.4	3.66.38.117
192.168.2.43.66.38.11749746192202825564 12/03/23-20:24:29.426575	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49746	19220	192.168.2.4	3.66.38.117
192.168.2.43.69.157.22049737192202033132 12/03/23-20:22:05.018671	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49737	19220	192.168.2.4	3.69.157.220
192.168.2.452.28.247.25549741192202825563 12/03/23-20:23:14.946007	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49741	19220	192.168.2.4	52.28.247.255
192.168.2.452.28.247.25549740192202825563 12/03/23-20:22:53.706955	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49740	19220	192.168.2.4	52.28.247.255
192.168.2.452.28.247.25549742192202825563 12/03/23-20:23:26.344895	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49742	19220	192.168.2.4	52.28.247.255
192.168.2.452.28.247.25549740192202825564 12/03/23-20:22:59.051727	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49740	19220	192.168.2.4	52.28.247.255
192.168.2.452.28.247.25549742192202825564 12/03/23-20:23:30.911166	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49742	19220	192.168.2.4	52.28.247.255
192.168.2.43.69.157.22049729192202033132 12/03/23-20:21:17.262929	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49729	19220	192.168.2.4	3.69.157.220
192.168.2.452.28.247.25549743192202825563 12/03/23-20:23:37.605690	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49743	19220	192.168.2.4	52.28.247.255
192.168.2.43.69.115.17849744192202825564 12/03/23-20:24:02.368608	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49744	19220	192.168.2.4	3.69.115.178
192.168.2.43.69.115.17849744192202825563 12/03/23-20:23:48.158065	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49744	19220	192.168.2.4	3.69.115.178
192.168.2.43.69.157.22049729192202825563 12/03/23-20:21:17.448214	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49729	19220	192.168.2.4	3.69.157.220
192.168.2.452.28.247.25549743192202825564 12/03/23-20:23:40.973464	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49743	19220	192.168.2.4	52.28.247.255
192.168.2.43.69.115.17849745192202825563 12/03/23-20:24:12.746923	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49745	19220	192.168.2.4	3.69.115.178
192.168.2.43.69.157.22049737192202825564 12/03/23-20:22:34.323672	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49737	19220	192.168.2.4	3.69.157.220
192.168.2.43.69.115.17849745192202825564 12/03/23-20:24:13.178120	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49745	19220	192.168.2.4	3.69.115.178
192.168.2.43.69.157.22049737192202825563 12/03/23-20:22:05.210462	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49737	19220	192.168.2.4	3.69.157.220
192.168.2.452.28.247.25549741192202825564 12/03/23-20:23:15.348399	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49741	19220	192.168.2.4	52.28.247.255
192.168.2.43.69.157.22049737192202814856 12/03/23-20:22:05.210462	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49737	19220	192.168.2.4	3.69.157.220
192.168.2.43.66.38.11749748192202814856 12/03/23-20:24:57.283768	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49748	19220	192.168.2.4	3.66.38.117
192.168.2.452.28.247.25549743192202814856 12/03/23-20:23:37.605690	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49743	19220	192.168.2.4	52.28.247.255
192.168.2.452.28.247.25549742192202814856 12/03/23-20:23:26.344895	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49742	19220	192.168.2.4	52.28.247.255
192.168.2.43.69.157.22049730192202814856 12/03/23-20:21:23.688164	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49730	19220	192.168.2.4	3.69.157.220
192.168.2.452.28.247.25549741192202814856 12/03/23-20:23:14.946007	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49741	19220	192.168.2.4	52.28.247.255
192.168.2.452.28.247.25549740192202814856 12/03/23-20:22:53.706955	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49740	19220	192.168.2.4	52.28.247.255
192.168.2.43.66.38.11749747192202814856 12/03/23-20:24:37.860433	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49747	19220	192.168.2.4	3.66.38.117
192.168.2.43.69.115.17849744192202814860 12/03/23-20:24:03.120602	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49744	19220	192.168.2.4	3.69.115.178
192.168.2.43.69.115.17849745192202814860 12/03/23-20:24:13.178120	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49745	19220	192.168.2.4	3.69.115.178
192.168.2.43.69.115.17849745192202033132 12/03/23-20:24:12.557531	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49745	19220	192.168.2.4	3.69.115.178
192.168.2.43.69.157.22049737192202814860 12/03/23-20:22:39.270213	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49737	19220	192.168.2.4	3.69.157.220
192.168.2.43.66.38.11749746192202814856 12/03/23-20:24:22.776536	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49746	19220	192.168.2.4	3.66.38.117
192.168.2.452.28.247.25549742192202033132 12/03/23-20:23:26.153978	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49742	19220	192.168.2.4	52.28.247.255
192.168.2.452.28.247.25549743192202033132 12/03/23-20:23:37.416476	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49743	19220	192.168.2.4	52.28.247.255
192.168.2.452.28.247.25549739192202814856 12/03/23-20:22:43.464095	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49739	19220	192.168.2.4	52.28.247.255
192.168.2.452.28.247.25549740192202033132 12/03/23-20:22:53.517449	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49740	19220	192.168.2.4	52.28.247.255
192.168.2.43.69.115.17849744192202033132 12/03/23-20:23:47.970103	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49744	19220	192.168.2.4	3.69.115.178
192.168.2.43.66.38.11749746192202814860 12/03/23-20:24:29.426575	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49746	19220	192.168.2.4	3.66.38.117
192.168.2.43.69.115.17849744192202814856 12/03/23-20:23:48.158065	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49744	19220	192.168.2.4	3.69.115.178
192.168.2.43.69.115.17849745192202814856 12/03/23-20:24:12.746923	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49745	19220	192.168.2.4	3.69.115.178
192.168.2.452.28.247.25549740192202814860 12/03/23-20:22:59.051727	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49740	19220	192.168.2.4	52.28.247.255
192.168.2.452.28.247.25549742192202814860 12/03/23-20:23:30.911166	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49742	19220	192.168.2.4	52.28.247.255
192.168.2.43.66.38.11749747192202033132 12/03/23-20:24:37.669337	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49747	19220	192.168.2.4	3.66.38.117
192.168.2.452.28.247.25549743192202814860 12/03/23-20:23:40.973464	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49743	19220	192.168.2.4	52.28.247.255
192.168.2.452.28.247.25549741192202033132 12/03/23-20:23:14.759488	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49741	19220	192.168.2.4	52.28.247.255
192.168.2.43.66.38.11749748192202033132 12/03/23-20:24:57.092638	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49748	19220	192.168.2.4	3.66.38.117
192.168.2.43.69.157.22049730192202033132 12/03/23-20:21:23.501095	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49730	19220	192.168.2.4	3.69.157.220
192.168.2.452.28.247.25549741192202814860 12/03/23-20:23:15.348399	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49741	19220	192.168.2.4	52.28.247.255
192.168.2.43.66.38.11749748192202814860 12/03/23-20:25:13.193068	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49748	19220	192.168.2.4	3.66.38.117

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2023 20:21:16.949775934 CET	49729	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:17.134910107 CET	19220	49729	3.69.157.220	192.168.2.4
Dec 3, 2023 20:21:17.135025978 CET	49729	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:17.262928963 CET	49729	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:17.448121071 CET	19220	49729	3.69.157.220	192.168.2.4
Dec 3, 2023 20:21:17.448214054 CET	49729	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:17.633409023 CET	19220	49729	3.69.157.220	192.168.2.4
Dec 3, 2023 20:21:21.268573999 CET	19220	49729	3.69.157.220	192.168.2.4
Dec 3, 2023 20:21:21.317231894 CET	49729	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:23.307272911 CET	49729	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:23.309146881 CET	49730	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:23.496160030 CET	19220	49730	3.69.157.220	192.168.2.4
Dec 3, 2023 20:21:23.496252060 CET	49730	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:23.501095057 CET	49730	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:23.688019037 CET	19220	49730	3.69.157.220	192.168.2.4
Dec 3, 2023 20:21:23.688163996 CET	49730	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:23.875531912 CET	19220	49730	3.69.157.220	192.168.2.4
Dec 3, 2023 20:21:38.882241964 CET	19220	49730	3.69.157.220	192.168.2.4
Dec 3, 2023 20:21:38.882302999 CET	49730	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:54.106287956 CET	19220	49730	3.69.157.220	192.168.2.4
Dec 3, 2023 20:21:54.106359959 CET	49730	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:55.754508018 CET	19220	49730	3.69.157.220	192.168.2.4
Dec 3, 2023 20:21:55.754642010 CET	49730	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:56.372534990 CET	19220	49730	3.69.157.220	192.168.2.4
Dec 3, 2023 20:21:56.372643948 CET	49730	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:56.919554949 CET	19220	49730	3.69.157.220	192.168.2.4
Dec 3, 2023 20:21:56.919667006 CET	49730	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:57.770504951 CET	49730	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:57.772375107 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:58.192100048 CET	49730	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:58.786004066 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:59.020189047 CET	49730	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:21:59.210483074 CET	19220	49730	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:00.801556110 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:04.817079067 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:05.013024092 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:05.013180017 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:05.018671036 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:05.210298061 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:05.210462093 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:05.440330982 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:07.473679066 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:07.973304987 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:08.165543079 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:12.989212036 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:13.179318905 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:14.822344065 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:15.270222902 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:15.466408014 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:20.802325010 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:20.989144087 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:21.052205086 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:21.442179918 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:21.630619049 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:22.270541906 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:22.660804987 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:22.852292061 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:22.956238985 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:23.143481970 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:23.143630981 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:23.333961010 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:23.334083080 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:23.645296097 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:23.915687084 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:23.915954113 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:24.223280907 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:24.413630962 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:24.413908005 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:24.602298021 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:24.602399111 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:24.792716980 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:24.792851925 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:25.098526001 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:25.288453102 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:25.288737059 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:25.598288059 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:25.910887957 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:26.166167021 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:26.166420937 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:26.402553082 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:26.402745008 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:26.707741976 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:27.020246983 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:27.629523993 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:27.825870991 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:27.825995922 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:28.016659975 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:28.016915083 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:28.317030907 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:28.506978989 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:28.507194996 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:28.817128897 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:29.129551888 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:29.738996983 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:30.942008018 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:32.145179033 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:33.348423004 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:33.535439968 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:33.535578966 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:33.726258993 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:33.726280928 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:33.726432085 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:33.928352118 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:33.928369045 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:33.928611994 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:34.119138002 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:34.119153023 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:34.119497061 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:34.320122957 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:34.323672056 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:34.629626989 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:34.942003012 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:35.551486969 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:36.679214001 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:36.770126104 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:36.869585991 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:37.311872005 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:37.312237024 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:37.972639084 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:37.972867966 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:38.586900949 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:38.587107897 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:39.270212889 CET	49737	19220	192.168.2.4	3.69.157.220
Dec 3, 2023 20:22:39.460273981 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:39.462500095 CET	19220	49737	3.69.157.220	192.168.2.4
Dec 3, 2023 20:22:40.567006111 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:42.566996098 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:42.758126974 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:42.758285046 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:42.761127949 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:43.464095116 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:43.765878916 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:43.765963078 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:45.770144939 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:45.781192064 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:45.781469107 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:45.960856915 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:48.770220041 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:48.960946083 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:48.961095095 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:49.151853085 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:49.151949883 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:49.151979923 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:49.151981115 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:49.152045012 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:49.342631102 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:49.342654943 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:49.342668056 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:49.343024969 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:49.533610106 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:49.533626080 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:49.533787966 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:49.724266052 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:49.724348068 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:49.914793015 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:49.914922953 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:50.105473995 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:50.105592966 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:50.296475887 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:50.296597958 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:50.487565041 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:50.487714052 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:50.678436041 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:50.678685904 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:50.870069027 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:50.870312929 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:51.060883999 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:51.060991049 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:51.251543999 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:51.251780033 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:51.294357061 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:51.364042997 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:51.442313910 CET	19220	49739	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:53.317111015 CET	49739	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:53.319341898 CET	49740	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:53.508790970 CET	19220	49740	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:53.508929014 CET	49740	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:53.517448902 CET	49740	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:53.706727028 CET	19220	49740	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:53.706954956 CET	49740	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:53.896482944 CET	19220	49740	52.28.247.255	192.168.2.4
Dec 3, 2023 20:22:59.051727057 CET	49740	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:22:59.242485046 CET	19220	49740	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:12.550096035 CET	19220	49740	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:12.553606033 CET	49740	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:14.567168951 CET	49740	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:14.569583893 CET	49741	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:14.756047964 CET	19220	49741	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:14.756153107 CET	49741	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:14.756515026 CET	19220	49740	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:14.759488106 CET	49741	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:14.945910931 CET	19220	49741	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:14.946007013 CET	49741	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:15.132476091 CET	19220	49741	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:15.348398924 CET	49741	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:15.535921097 CET	19220	49741	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:23.953702927 CET	19220	49741	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:23.953886032 CET	49741	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:25.957556009 CET	49741	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:25.960640907 CET	49742	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:26.144543886 CET	19220	49741	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:26.151465893 CET	19220	49742	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:26.151573896 CET	49742	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:26.153978109 CET	49742	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:26.344763041 CET	19220	49742	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:26.344894886 CET	49742	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:26.535407066 CET	19220	49742	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:30.911165953 CET	49742	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:31.102243900 CET	19220	49742	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:35.220310926 CET	19220	49742	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:35.220398903 CET	49742	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:37.223190069 CET	49742	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:37.225099087 CET	49743	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:37.413831949 CET	19220	49742	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:37.414048910 CET	19220	49743	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:37.414171934 CET	49743	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:37.416476011 CET	49743	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:37.605428934 CET	19220	49743	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:37.605690002 CET	49743	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:37.794634104 CET	19220	49743	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:40.973464012 CET	49743	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:41.163177967 CET	19220	49743	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:45.639605999 CET	19220	49743	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:45.639770031 CET	49743	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:47.645221949 CET	49743	19220	192.168.2.4	52.28.247.255
Dec 3, 2023 20:23:47.778893948 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:47.834372044 CET	19220	49743	52.28.247.255	192.168.2.4
Dec 3, 2023 20:23:47.966825962 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:47.966962099 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:47.970103025 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:48.157918930 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:48.158065081 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:48.345854044 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:48.848876953 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:49.036758900 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:50.379810095 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:50.567684889 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:54.879775047 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:55.067888021 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:55.129679918 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:55.317837000 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:56.676548004 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:56.864823103 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:56.864995956 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:57.052654028 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:57.274096966 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:57.461885929 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:57.461976051 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:57.650003910 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:57.650407076 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:57.838366985 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:57.838587046 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:58.026408911 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:58.026501894 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:58.214497089 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:58.214557886 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:58.402410984 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:58.402560949 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:58.592919111 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:58.593038082 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:58.780709028 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:58.780796051 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:58.971077919 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:58.971215010 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:59.161885023 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:59.162148952 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:59.352740049 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:59.353081942 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:59.540802956 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:59.541050911 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:59.734560966 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:59.734832048 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:23:59.923034906 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:23:59.923295021 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:00.111478090 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:00.111562014 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:00.299525023 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:00.299715996 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:00.487644911 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:00.487771988 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:00.675805092 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:00.675987959 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:00.863692045 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:00.863795996 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:01.051656008 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:01.051767111 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:01.239571095 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:01.239680052 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:01.427635908 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:01.427762032 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:01.615495920 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:01.615741968 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:01.803407907 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:01.803620100 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:01.991267920 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:01.991456985 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:02.180299044 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:02.180401087 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:02.368284941 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:02.368607998 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:02.556571007 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:02.556754112 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:02.744575977 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:02.744684935 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:02.932421923 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:02.932637930 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:03.120343924 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:03.120601892 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:03.308280945 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:10.356204987 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:10.356293917 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:12.363707066 CET	49744	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:12.365601063 CET	49745	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:12.551891088 CET	19220	49744	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:12.554701090 CET	19220	49745	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:12.554819107 CET	49745	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:12.557531118 CET	49745	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:12.746862888 CET	19220	49745	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:12.746922970 CET	49745	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:12.936227083 CET	19220	49745	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:13.178119898 CET	49745	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:13.367867947 CET	19220	49745	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:20.247921944 CET	19220	49745	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:20.248073101 CET	49745	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:22.254416943 CET	49745	19220	192.168.2.4	3.69.115.178
Dec 3, 2023 20:24:22.403251886 CET	49746	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:22.443695068 CET	19220	49745	3.69.115.178	192.168.2.4
Dec 3, 2023 20:24:22.588119984 CET	19220	49746	3.66.38.117	192.168.2.4
Dec 3, 2023 20:24:22.588332891 CET	49746	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:22.591861963 CET	49746	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:22.776458025 CET	19220	49746	3.66.38.117	192.168.2.4
Dec 3, 2023 20:24:22.776535988 CET	49746	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:22.961366892 CET	19220	49746	3.66.38.117	192.168.2.4
Dec 3, 2023 20:24:29.426574945 CET	49746	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:29.611269951 CET	19220	49746	3.66.38.117	192.168.2.4
Dec 3, 2023 20:24:35.461355925 CET	19220	49746	3.66.38.117	192.168.2.4
Dec 3, 2023 20:24:35.461476088 CET	49746	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:37.473115921 CET	49746	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:37.475626945 CET	49747	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:37.657643080 CET	19220	49746	3.66.38.117	192.168.2.4
Dec 3, 2023 20:24:37.666692019 CET	19220	49747	3.66.38.117	192.168.2.4
Dec 3, 2023 20:24:37.666918993 CET	49747	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:37.669337034 CET	49747	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:37.860342026 CET	19220	49747	3.66.38.117	192.168.2.4
Dec 3, 2023 20:24:37.860433102 CET	49747	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:38.052303076 CET	19220	49747	3.66.38.117	192.168.2.4
Dec 3, 2023 20:24:53.056881905 CET	19220	49747	3.66.38.117	192.168.2.4
Dec 3, 2023 20:24:53.056994915 CET	49747	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:54.888999939 CET	19220	49747	3.66.38.117	192.168.2.4
Dec 3, 2023 20:24:54.889108896 CET	49747	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:56.894916058 CET	49747	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:56.897814989 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:57.086370945 CET	19220	49747	3.66.38.117	192.168.2.4
Dec 3, 2023 20:24:57.088749886 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:24:57.088845968 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:57.092638016 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:57.283690929 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:24:57.283767939 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:57.474797964 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:24:57.910748959 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:24:58.102027893 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:00.942502975 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:01.133606911 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:01.975742102 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:02.167280912 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:05.349498034 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:05.540647030 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:05.540735006 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:05.732065916 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:06.598191977 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:06.789596081 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:06.789690971 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:06.981138945 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:06.981232882 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:07.172255993 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:07.172365904 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:07.363415956 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:07.363632917 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:07.554811001 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:07.554912090 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:07.746007919 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:07.746174097 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:07.937393904 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:07.937505960 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:08.128639936 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:08.128767967 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:08.319890022 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:08.319974899 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:08.511137962 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:08.511254072 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:08.702349901 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:08.702469110 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:08.893496037 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:08.893584013 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:09.084820032 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:09.084924936 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:09.276422977 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:09.276628017 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:09.467864990 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:09.467957020 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:09.659207106 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:09.659342051 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:09.850552082 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:09.850660086 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:10.042017937 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:10.042164087 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:10.233202934 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:10.233304977 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:10.424410105 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:10.424628973 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:10.616070032 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:10.616204977 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:10.807468891 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:10.807693958 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:10.998960018 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:10.999052048 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:11.190244913 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:11.190496922 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:11.381627083 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:11.381701946 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:11.572830915 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:11.572973967 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:11.764123917 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:11.852426052 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:12.043586969 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:12.043672085 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:12.234942913 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:12.235169888 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:12.426347017 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:12.427202940 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:12.618493080 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:12.619110107 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:12.810370922 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:13.001749039 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:13.192990065 CET	19220	49748	3.66.38.117	192.168.2.4
Dec 3, 2023 20:25:13.193068027 CET	49748	19220	192.168.2.4	3.66.38.117
Dec 3, 2023 20:25:13.384098053 CET	19220	49748	3.66.38.117	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2023 20:21:16.808505058 CET	61612	53	192.168.2.4	1.1.1.1
Dec 3, 2023 20:21:16.946496964 CET	53	61612	1.1.1.1	192.168.2.4
Dec 3, 2023 20:22:39.320367098 CET	64416	53	192.168.2.4	1.1.1.1
Dec 3, 2023 20:22:39.458174944 CET	53	64416	1.1.1.1	192.168.2.4
Dec 3, 2023 20:23:47.646611929 CET	56642	53	192.168.2.4	1.1.1.1
Dec 3, 2023 20:23:47.777641058 CET	53	56642	1.1.1.1	192.168.2.4
Dec 3, 2023 20:24:22.255919933 CET	58031	53	192.168.2.4	1.1.1.1
Dec 3, 2023 20:24:22.401644945 CET	53	58031	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 3, 2023 20:21:16.808505058 CET	192.168.2.4	1.1.1.1	0x5cd6	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Dec 3, 2023 20:22:39.320367098 CET	192.168.2.4	1.1.1.1	0x64d9	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Dec 3, 2023 20:23:47.646611929 CET	192.168.2.4	1.1.1.1	0x9b01	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Dec 3, 2023 20:24:22.255919933 CET	192.168.2.4	1.1.1.1	0xab51	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 3, 2023 20:21:16.946496964 CET	1.1.1.1	192.168.2.4	0x5cd6	No error (0)	6.tcp.eu.ngrok.io	3.69.157.220	A (IP address)	IN (0x0001)	false
Dec 3, 2023 20:22:39.458174944 CET	1.1.1.1	192.168.2.4	0x64d9	No error (0)	6.tcp.eu.ngrok.io	52.28.247.255	A (IP address)	IN (0x0001)	false
Dec 3, 2023 20:23:47.777641058 CET	1.1.1.1	192.168.2.4	0x9b01	No error (0)	6.tcp.eu.ngrok.io	3.69.115.178	A (IP address)	IN (0x0001)	false
Dec 3, 2023 20:24:22.401644945 CET	1.1.1.1	192.168.2.4	0xab51	No error (0)	6.tcp.eu.ngrok.io	3.66.38.117	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	20:21:07
Start date:	03/12/2023
Path:	C:\Users\user\Desktop\QsKtlzYaKF.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\QsKtlzYaKF.exe
Imagebase:	0xe30000
File size:	105'472 bytes
MD5 hash:	85AA59199316A48AE26E32A9A674D2AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1657947199.0000000000E32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1657947199.0000000000E32000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.1657947199.0000000000E32000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.4110826869.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	20:21:13
Start date:	03/12/2023
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\Desktop\QsKtlzYaKF.exe" "QsKtlzYaKF.exe" ENABLE
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:21:14
Start date:	03/12/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:21:23
Start date:	03/12/2023
Path:	C:\Users\user\Desktop\QsKtlzYaKF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QsKtlzYaKF.exe" ..
Imagebase:	0xb20000
File size:	105'472 bytes
MD5 hash:	85AA59199316A48AE26E32A9A674D2AE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:21:32
Start date:	03/12/2023
Path:	C:\Users\user\Desktop\QsKtlzYaKF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QsKtlzYaKF.exe" ..
Imagebase:	0x20000
File size:	105'472 bytes
MD5 hash:	85AA59199316A48AE26E32A9A674D2AE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:21:43
Start date:	03/12/2023
Path:	C:\Users\user\Desktop\QsKtlzYaKF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QsKtlzYaKF.exe" ..
Imagebase:	0x1d0000
File size:	105'472 bytes
MD5 hash:	85AA59199316A48AE26E32A9A674D2AE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	20.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8%
Total number of Nodes:	175
Total number of Limit Nodes:	8

Executed Functions

Function 0173BA9F Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0173BB1F

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 29f5761f019666d7106c5730751f9b49b1b0ee3a27ab284b59b0541950f2c9c8
Instruction ID: 15f88d7eb5346ede301a4da1cba0c6bcad6ac8d87bda009b967b3989b213ee7a
Opcode Fuzzy Hash: 29f5761f019666d7106c5730751f9b49b1b0ee3a27ab284b59b0541950f2c9c8
Instruction Fuzzy Hash: A221DE755097809FEB238F25DC40B52BFF4EF06310F0884DAE9848B163D230A908DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05760163 Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 057601D9

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 3559e01b5638072e7be66152b60ded89bc747addce6fd201af4efb78e23c55bd
Instruction ID: fdd8650e585b5efde709716fda2bb70a0ffea80ade7a2b72e0d1af5ffbddb849
Opcode Fuzzy Hash: 3559e01b5638072e7be66152b60ded89bc747addce6fd201af4efb78e23c55bd
Instruction Fuzzy Hash: 1C21AE714097C0AFDB238B20DC45A52FFB4EF17214F0980CBED848B1A3D265A91DDB62

Uniqueness

Uniqueness Score: -1.00%

Function 0173BAD6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0173BB1F

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 89322f9e2c3c0425e60b31081ee38318f1fbdcc3b7a78f8fe1156ed014ec30fb
Instruction ID: 7435ff5499e38842ca90a4ccda11c3704af533fb4ca3dfa6c0c240bc2d978809
Opcode Fuzzy Hash: 89322f9e2c3c0425e60b31081ee38318f1fbdcc3b7a78f8fe1156ed014ec30fb
Instruction Fuzzy Hash: 5811A0716002049FEB20CF55D984B62FBE4EF48220F08C4AADD898B656D731E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0173BE04 Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL ref: 0173BE61

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 6d9c9fb2917452d007f97b7c214cd03bccabc370e2b36d3b5a8e65787bd2406b
Instruction ID: 5523435296fbda31430a1e6abfc769022329728cfeda0adbdd32080d9a4eb6ce
Opcode Fuzzy Hash: 6d9c9fb2917452d007f97b7c214cd03bccabc370e2b36d3b5a8e65787bd2406b
Instruction Fuzzy Hash: 3611A3714097809FCB228F15DC44E52FFB4EF46220F08849EED844B563D275A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0173BE26 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL ref: 0173BE61

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: a1d4dfed1868c5a863c3f30ba60689fc45e1e91c9cc6c2acaf2cc1dffa33d7ca
Instruction ID: 8ed86bd8902bf2347c179d7076cdc6c64d5a7423f10bc8fd55920a969ba40920
Opcode Fuzzy Hash: a1d4dfed1868c5a863c3f30ba60689fc45e1e91c9cc6c2acaf2cc1dffa33d7ca
Instruction Fuzzy Hash: E4018B32500644DFDB218F59D984B61FBE0EF48620F08C49ADE494B652D375E458DFB2

Uniqueness

Uniqueness Score: -1.00%

Function 0576019E Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 057601D9

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: ac818a0a5ef8e36f14d8e4430511836e534a19c685d5a543eaed62103382fe45
Instruction ID: 58f510795fbab83fe5a5a7407d6e2f17381eeb1e53629f1677d77174a389615f
Opcode Fuzzy Hash: ac818a0a5ef8e36f14d8e4430511836e534a19c685d5a543eaed62103382fe45
Instruction Fuzzy Hash: 38018B315006449FDB20CF45D988B66FBE1FF08720F08C09ADE494B662D375A458EFA2

Uniqueness

Uniqueness Score: -1.00%

Function 056010A8 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 056010CF

Memory Dump Source

Source File: 00000000.00000002.4112895489.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_QsKtlzYaKF.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e791a133db56fdd1615a37eeaa3583e957d969e4f77cd2863c6beee4a03574af
Instruction ID: acbc8e532d153d87a215b5f8f3a4a750c7873a9c164166fe6dd0a578eee7fe29
Opcode Fuzzy Hash: e791a133db56fdd1615a37eeaa3583e957d969e4f77cd2863c6beee4a03574af
Instruction Fuzzy Hash: 12419F317002018FCB18DF74D9845AEB7E6AF89214B1480B9D809DB399EF38DE45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05601099 Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 056010CF

Memory Dump Source

Source File: 00000000.00000002.4112895489.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_QsKtlzYaKF.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a7b8aa65c3206e2838fcc7306328ee29882220065e80928ac6c68f6122ad0e14
Instruction ID: b19a9c1809727f8627ed2cf198162e568085b6c0d55e693506cb0eff0ba498d3
Opcode Fuzzy Hash: a7b8aa65c3206e2838fcc7306328ee29882220065e80928ac6c68f6122ad0e14
Instruction Fuzzy Hash: 303192316002018FCB48DF74CD846AEB6E6AF89314B1890B9980ADB799EF34DE45C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 05761E0A Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNEL32(?,00000E24,?,?), ref: 05761EEE

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 912bd561103b9e8d5a3b0f26148e6d6613cb90f8db24125bb34900a98265a20a
Instruction ID: 76e1720afd10b3ff9d44c6f632bd0208335c8d4e223d2327e4db0a5c5c7c5991
Opcode Fuzzy Hash: 912bd561103b9e8d5a3b0f26148e6d6613cb90f8db24125bb34900a98265a20a
Instruction Fuzzy Hash: BF416B6150E3C06FD7038B358C61AA2BFB4AF47210F1E84CBD8C4CF5A3D6246959C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05762DF2 Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(?,00000E24), ref: 05762EB9

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f30de66c11d834a2e32ea3d30e32b2d3011d9095c0cf8e95cfc3a7b812058587
Instruction ID: cdbf3f7b600e46763fa7c8c6191891273322f7afffedd490cddca3202b94b861
Opcode Fuzzy Hash: f30de66c11d834a2e32ea3d30e32b2d3011d9095c0cf8e95cfc3a7b812058587
Instruction Fuzzy Hash: E4317076504784AFEB21CB65CC44FA7BBFCEF05214F08459AE9858B652D324E908DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05760F4F Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(?,00000E24,?,?), ref: 05761016

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a63c96fbf09dc2e01dbde7dd04866f1a121ab21f6afb6cc2c673a44b2b718616
Instruction ID: e76048f8300882ca67f11fb0e55f7315cf4c91900bccaf1309b0711166444c55
Opcode Fuzzy Hash: a63c96fbf09dc2e01dbde7dd04866f1a121ab21f6afb6cc2c673a44b2b718616
Instruction Fuzzy Hash: 7A319C6510E3C06FD3138B258C65A61BFB4EF47610F0E45CBE8C48F6A3D229A909D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05761B7C Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05761C43

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 2eaf3b773abfb59fb8d3ff8abd6a80d7a5427985eaaf04eb9ed0c692815ab91f
Instruction ID: fde3a4c3ead51a88cc505de8b3d48a7a06caeaf1f2183014e147d460a15d645c
Opcode Fuzzy Hash: 2eaf3b773abfb59fb8d3ff8abd6a80d7a5427985eaaf04eb9ed0c692815ab91f
Instruction Fuzzy Hash: D431A471504344AFEB21CB51CC84FAAFBACEF04314F04489AFA899B691D375A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0173AA52 Relevance: 1.6, APIs: 1, Instructions: 91
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(?,00000E24), ref: 0173AB05

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 25d4cb113f58012d83f81911b7dbf2074f9c00ba3f19e0edb14fb59ca3cdbf2e
Instruction ID: f6b27572f1f04275686313a48adf9e70fb8141dba7b32ad18967a58eb91e805c
Opcode Fuzzy Hash: 25d4cb113f58012d83f81911b7dbf2074f9c00ba3f19e0edb14fb59ca3cdbf2e
Instruction Fuzzy Hash: 433193724083846FE7228B65CC85FA6BFBCEF06214F08849AE984CB593D324A50DC771

Uniqueness

Uniqueness Score: -1.00%

Function 05761A74 Relevance: 1.6, APIs: 1, Instructions: 91
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNEL32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 05761B11

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: eea3b56a82c34a7c9a62143a8ee807a4e2be70c6d8ce7822ccd235720a38ff9d
Instruction ID: b613fa84b335601c2f67b6f5960031e28d8f75d37a84c1ad93a868a481f49634
Opcode Fuzzy Hash: eea3b56a82c34a7c9a62143a8ee807a4e2be70c6d8ce7822ccd235720a38ff9d
Instruction Fuzzy Hash: F131F7715093806FDB128F60DC44FA6BFB8EF06310F08849AE988CB193D225A949C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 0173A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32(?,?), ref: 0173A6B9

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 310aae6bcfbec7ed3f2468cd02925b76cae8b7cdd78805617f052f5d40687816
Instruction ID: 227480eca2220669486d214aa20b3a4321792b1437446c6e76bec8b2720eccd6
Opcode Fuzzy Hash: 310aae6bcfbec7ed3f2468cd02925b76cae8b7cdd78805617f052f5d40687816
Instruction Fuzzy Hash: 603181B15093805FE712CB65CC85B96FFF8EF46214F08849AE984CB293D365A909C772

Uniqueness

Uniqueness Score: -1.00%

Function 05761468 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 057614FF

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 4dc89c0a326cd2a155e178da1a2b0b3ed7aa892b16f2dddd51829a41825505cd
Instruction ID: 9f2a33c7beb3b84f01a027d98d80130d2b953e7face4d7c8186d07a536b92d19
Opcode Fuzzy Hash: 4dc89c0a326cd2a155e178da1a2b0b3ed7aa892b16f2dddd51829a41825505cd
Instruction Fuzzy Hash: 58318171504384AFEB21CB65DC45FAABFA8EF05210F08849AE985DB652D364A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0173ADAD Relevance: 1.6, APIs: 1, Instructions: 86
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 0173AE51

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 36866d909c959d1e116265d1be8b788288ecd9c73d80398b9d9fe6095e21528c
Instruction ID: 327eb90a2f7caa4244f7ead639a2133362fb2b3074e2fc536622def9b01a7413
Opcode Fuzzy Hash: 36866d909c959d1e116265d1be8b788288ecd9c73d80398b9d9fe6095e21528c
Instruction Fuzzy Hash: A8319171504380AFEB21CF65DC85F96FBE8EF09214F08849DE9898B652D375E918CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0173BD0C Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetExitCodeProcess.KERNEL32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 0173BDA0

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 5c85e1b7e3aa2f5f86c2685adc5e00b6110bfeb19ac147ba54b3f49c6a46cc65
Instruction ID: 4986a5f7fd4b15e77addb82737d444dfaeb783c5b943136f4f2b5da137b40031
Opcode Fuzzy Hash: 5c85e1b7e3aa2f5f86c2685adc5e00b6110bfeb19ac147ba54b3f49c6a46cc65
Instruction Fuzzy Hash: C121E5715093806FEB12CB64DC45BA6BFB8EF46324F0884DAE984CF193D364A949C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 05762E1E Relevance: 1.6, APIs: 1, Instructions: 86
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(?,00000E24), ref: 05762EB9

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 35df17e991ef84eae2f1b0a4c616db6b1fe7248358c1cdf6f4a8bdca06e9ceab
Instruction ID: 1795f07c6d6aaf9a907318616255d60d889ba2a6dc0fe2eaa25a69f5408ca8ee
Opcode Fuzzy Hash: 35df17e991ef84eae2f1b0a4c616db6b1fe7248358c1cdf6f4a8bdca06e9ceab
Instruction Fuzzy Hash: C521AD76600244AFEB21DF55CC48FABBBECEF08614F08856AED45CB652D730E508DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0173A361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 0173A40C

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9b46a1621dd2b70425c6774b239145f7f1bc392b1d2c14445679c82710a23901
Instruction ID: a07dd607d64ff731c414fd6911bce60812f5185dd5c7ece66de9be0f24d4891d
Opcode Fuzzy Hash: 9b46a1621dd2b70425c6774b239145f7f1bc392b1d2c14445679c82710a23901
Instruction Fuzzy Hash: 7D317C75509780AFE722CB15CC85F96FBB8EF46210F08849AE985CB293D364E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05763160 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 057631F7

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 5e1a09b5b6d40119b590fd4823c01208a36afe62ea519f50cbfe1a621218d545
Instruction ID: 552d36061b9fbfb03b7500821f9733c584142cfc09f1298cd6ae2652e0b954c9
Opcode Fuzzy Hash: 5e1a09b5b6d40119b590fd4823c01208a36afe62ea519f50cbfe1a621218d545
Instruction Fuzzy Hash: 9821E6715093C06FE713CB20CC54F96BFB8AF46214F0884DBE9888F193D225A909C775

Uniqueness

Uniqueness Score: -1.00%

Function 05761B9E Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05761C43

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 32d749043bc2140341a1214eb3d97335fe02c08aee8b4cdbc82c89bc5311030b
Instruction ID: 48ba955d933781498b7093afb4c154f661c60cce309abfb9662207c761e1e293
Opcode Fuzzy Hash: 32d749043bc2140341a1214eb3d97335fe02c08aee8b4cdbc82c89bc5311030b
Instruction Fuzzy Hash: 0521A171600244AEEB20DF60CD84FBAFBACEF04714F04485AFA499A681D7B5A54DCBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0173AEA8 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 0173AF3D

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 02e036e7f35fad291c4209a843cb47e6584904aadf245c3503719aee63a9cf8b
Instruction ID: ef1bb2b215d9463a1136ab68e95c23c49466b6bd5e1146cff30001f23675da7c
Opcode Fuzzy Hash: 02e036e7f35fad291c4209a843cb47e6584904aadf245c3503719aee63a9cf8b
Instruction Fuzzy Hash: 3D2128B55093806FD7128B25DC85BA2BFBCEF47720F0880D6E9848B293D264A90DC775

Uniqueness

Uniqueness Score: -1.00%

Function 05763091 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 05763120

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 1c1b98d96d10c3a83833942b55dc63d6cc295d0cf5e7da8797a5b0bd6b1b26ae
Instruction ID: 7bfd347db6d4b1b9555f49764640a3394bd5b6e598de452dac822d14ec8c9234
Opcode Fuzzy Hash: 1c1b98d96d10c3a83833942b55dc63d6cc295d0cf5e7da8797a5b0bd6b1b26ae
Instruction Fuzzy Hash: 5B216D755097849FDB12CF25DC84B62BFF8EF06210F0888DAED84CB262D365A909DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0173A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 0173A4F8

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f5025ddcba4bfc6c18ebbb6ab961554cfdf07ace3e8f9fd94dc50eb253738c9d
Instruction ID: 7f149e7729b4056ce3b00ce0d599b41287b5ccb5e9220901ea823f18c08aa21a
Opcode Fuzzy Hash: f5025ddcba4bfc6c18ebbb6ab961554cfdf07ace3e8f9fd94dc50eb253738c9d
Instruction Fuzzy Hash: A721AE725043806FEB228B15CC45FA7FFB8EF46210F08849AE985CB693C364E848C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 05761042 Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 057610CE

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 536d4850827fc72d58d41ee1fd616d5deff2fbfc9fe47890ca9b59fed0578ae7
Instruction ID: ca5cfb5059a680b3e0f37497384e4cc68a651ab33ea8ee8bc768d487f422aa54
Opcode Fuzzy Hash: 536d4850827fc72d58d41ee1fd616d5deff2fbfc9fe47890ca9b59fed0578ae7
Instruction Fuzzy Hash: E321A071505380AFEB22CF55CC45FA6FFB8EF05210F08889EE9858B652D375A518CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0576161E Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 057616B2

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: d5f3662acca038a44f0dd17e953f571b3b9a5fd317ef0167b5c1be5ffb74824a
Instruction ID: 37d2d1f81cf3e9e6a3149b351113cc7445ddc9eda72297277e366a9eefa29213
Opcode Fuzzy Hash: d5f3662acca038a44f0dd17e953f571b3b9a5fd317ef0167b5c1be5ffb74824a
Instruction Fuzzy Hash: 8221B171405380AFE722CF55CC48F96FFF8EF09214F08849EE9898B252D375A508CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0173ADD2 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 0173AE51

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d25a7839943401d86dd4ded8c0487f15e3d8e1cc706308500c5ddedbf3400900
Instruction ID: 4096e5fb3622c7d23f0e15d346c6592672eecd641e36856839229a7fa90c3e2b
Opcode Fuzzy Hash: d25a7839943401d86dd4ded8c0487f15e3d8e1cc706308500c5ddedbf3400900
Instruction Fuzzy Hash: 4E21B071600244AFEB21CF65CD86F66FBE8EF08214F04886DE989CB652D375E418CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0173B238 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 0173B2BD

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 71be60d06020a4ca3dc72874215b67bdc94c08534256130c55f146997da29991
Instruction ID: 64b7e68187af119f98acac247a911247af75bd10b20a0d348ac3cdfc7a675aab
Opcode Fuzzy Hash: 71be60d06020a4ca3dc72874215b67bdc94c08534256130c55f146997da29991
Instruction Fuzzy Hash: F821C271505384AFEB228F55DC44FA7BFB8EF46310F08849AF9859B553C225A908CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 05761376 Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 05761414

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b0124dd8b083722f7149721c411a4105ca3fa9ae5f292ad9ce466df767f37c10
Instruction ID: fff86b68170899f2131b63505275dd877fca3f7b07548d8c93afd9672776d094
Opcode Fuzzy Hash: b0124dd8b083722f7149721c411a4105ca3fa9ae5f292ad9ce466df767f37c10
Instruction Fuzzy Hash: BC21B272508380AFE721CB51CC84FA7BFF8EF45310F08849AE9858B692D324E908CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0576148E Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 057614FF

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 2254d91ac5414d325f6a0ef5a0d52a60e91385338662b459fda2f62aabe011c8
Instruction ID: 3a3e7cd0aad5ad52bc238997717dbf36e6259f163b4d14f4dcb7c478fe3c326d
Opcode Fuzzy Hash: 2254d91ac5414d325f6a0ef5a0d52a60e91385338662b459fda2f62aabe011c8
Instruction Fuzzy Hash: 5B21BE72600244AFEB20DF65DC45FAAFBACEF04210F08886AED45DB642D374E508CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0173AA86 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E24), ref: 0173AB05

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 42ff08965b4d06a6a65189ee5a9889de5990c039b5d4aadaf1e83c6f58da0d64
Instruction ID: 3b1dcf7fa4133baa09108f10e0cad031b79c7e444de127d7897e09ed83ff8cc6
Opcode Fuzzy Hash: 42ff08965b4d06a6a65189ee5a9889de5990c039b5d4aadaf1e83c6f58da0d64
Instruction Fuzzy Hash: 5421F372500204AEEB21DF55CC45FABFBECEF08214F04885AEA84CB642D764E54D8BB2

Uniqueness

Uniqueness Score: -1.00%

Function 0576325F Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 057632DB

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 7a40237e62b8a240fd8ff9416ba5e6ee6e3dbf6be8f562a2c526da4cfcf585ea
Instruction ID: 6aa7623c96aceb38cfe5ba4c26beb8cbae35fd5a9dac8b948805ea0ceb5f78e9
Opcode Fuzzy Hash: 7a40237e62b8a240fd8ff9416ba5e6ee6e3dbf6be8f562a2c526da4cfcf585ea
Instruction Fuzzy Hash: 5B21A4715093806FDB11CF65DC44FABBFB8EF45210F08849AE985DB192D364A908CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0173A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 0173A6B9

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: fd7ec8c1db6b173b7e7365adf2370d19b92354b195762bbf2849f8c8107eb095
Instruction ID: bc639a3f2f08bd6add5fa0dc41f370ef79fe9178a8312aba149a57a754be039d
Opcode Fuzzy Hash: fd7ec8c1db6b173b7e7365adf2370d19b92354b195762bbf2849f8c8107eb095
Instruction Fuzzy Hash: DA2180716002449FE721CB65CD85BA6FBE8EF44314F0484A9ED89CB642D375E909CA76

Uniqueness

Uniqueness Score: -1.00%

Function 057618B5 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 05761938

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: a7b626523047a2174ea7e044d70d2b14d7939aab8fa3acb4011b83de4b63f3f8
Instruction ID: f37f2c78f7ae625796130be85a7ab1fe9798ec4bda6313876051832a5b0f6090
Opcode Fuzzy Hash: a7b626523047a2174ea7e044d70d2b14d7939aab8fa3acb4011b83de4b63f3f8
Instruction Fuzzy Hash: 5B219571509380AFDB12CB50CC44F96BFB8EF46220F0884DAE9849B152C368A548C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 0173B927 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0173B99E

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c62f60f53afca3f1d6fdca4c76f2d5450f98a1bc558ea897287ddef95e2750fa
Instruction ID: c08e1f7679fa213e0e81ff15927be892e4325267878206a0b0f1c5fe254b24b2
Opcode Fuzzy Hash: c62f60f53afca3f1d6fdca4c76f2d5450f98a1bc558ea897287ddef95e2750fa
Instruction Fuzzy Hash: 1A2162725093809FDB128F29DC55B92FFE8EF46210F0884DAED85CB253D265E408D761

Uniqueness

Uniqueness Score: -1.00%

Function 0173A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 0173A40C

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3171902c0caaf1b693ce2d79c1d19ecfd42867255e45df4ca25c3d2717f86faf
Instruction ID: 3c2ff754f54458ef12b43ff9c818c8c7bab4d106e4d37f60330582966244d11e
Opcode Fuzzy Hash: 3171902c0caaf1b693ce2d79c1d19ecfd42867255e45df4ca25c3d2717f86faf
Instruction Fuzzy Hash: 4E21A276600604AFEB21CF19CC85FA6FBECEF44710F04845AE985CB692D364E949CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 05762FCB Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 05763047

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 6d1950345a773b69561d0873e9c3771d33654613664e10849c77ea6b68e40f03
Instruction ID: b73c4db6c2351c18091501e5f991a3fe5f7c7c053ce1baf1212f47f8350fb8f4
Opcode Fuzzy Hash: 6d1950345a773b69561d0873e9c3771d33654613664e10849c77ea6b68e40f03
Instruction Fuzzy Hash: 7321D5715093806FDB22CF50CC84FA6FFB8EF45210F08849BE9899B592C375A508CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0173BB6C Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,F752A6E1,00000000,?,?,?,?,?,?,?,?,6CAC3C58), ref: 0173BBD8

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 95123ec3efb078fb522b8605e27441ca5bd4aa28a54fce55ce5357b580c324ef
Instruction ID: bb73ce5de7cb2c77e30ec295522acd9e0fb9ef4d25ac011150111449fe5f46fd
Opcode Fuzzy Hash: 95123ec3efb078fb522b8605e27441ca5bd4aa28a54fce55ce5357b580c324ef
Instruction Fuzzy Hash: 7021AE725093C05FDB128B25DC94B92BFB4AF47224F0984DAE8858F663D264A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0173AB4D Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,?,F752A6E1,00000000,?,?,?,?,?,?,?,?,6CAC3C58), ref: 0173ABCB

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7917321b1ee099a9d7c25a979535c005ecd888b40491e9210d2216afcbc4e14b
Instruction ID: f65dda7d1911793820458f6407337d08bf576f1d096ff0997764502fcfe21f79
Opcode Fuzzy Hash: 7917321b1ee099a9d7c25a979535c005ecd888b40491e9210d2216afcbc4e14b
Instruction Fuzzy Hash: F021A4715093C09FEB12CB25D885B92BFE8EF46214F0984EAE885CB257D2649849CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0173A710 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,F752A6E1,00000000,?,?,?,?,?,?,?,?,6CAC3C58), ref: 0173A780

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 1b7436dbff59634943010c79dd3a499992ef823920f5d8c6307f3f8c223ad439
Instruction ID: 265f1454b18c3dccc1fccf32fb5c05069377be89f1f87866c354cf38c863c3f4
Opcode Fuzzy Hash: 1b7436dbff59634943010c79dd3a499992ef823920f5d8c6307f3f8c223ad439
Instruction Fuzzy Hash: 182105B55083809FDB128F25DC85792BFB8EF02220F0880EADC858B253D2359909DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05761062 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 057610CE

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 5888bd48513655865de8aff20095c4d0c470e12d880a4f9a3f1663ecbaf1b707
Instruction ID: b5e6a43f0fe2a97ee59aa58663953e9f66c8685de62d627954d7b3938a2fd2d5
Opcode Fuzzy Hash: 5888bd48513655865de8aff20095c4d0c470e12d880a4f9a3f1663ecbaf1b707
Instruction Fuzzy Hash: 9F21CF71500244AFEB21CF55CD45FA6FBE8EF08324F04885AED858B651D375A418DB76

Uniqueness

Uniqueness Score: -1.00%

Function 05761D4E Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05761DCA

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 160e6a7cb07cd32fe69ff547fc3f309f083460143fbd687722b23a6d2671ff6b
Instruction ID: 5a1be32f973308dc4f674725dc5dc262ffdbb1b9cdf0f049c06d7e45aa91b60f
Opcode Fuzzy Hash: 160e6a7cb07cd32fe69ff547fc3f309f083460143fbd687722b23a6d2671ff6b
Instruction Fuzzy Hash: C8218E75508780AFDB22CF55DC44FA2BFF8EF06210F08859AED858B162D335A818EB61

Uniqueness

Uniqueness Score: -1.00%

Function 0576163E Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 057616B2

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: d585ee33cf72d15f09f54a275685cce4411905c1905af3b897f62c1a9af7316d
Instruction ID: 221c6649db0fee9f4c1bd9c69e21f6f34538eaff3fae609638368cbc4c6cbbb2
Opcode Fuzzy Hash: d585ee33cf72d15f09f54a275685cce4411905c1905af3b897f62c1a9af7316d
Instruction Fuzzy Hash: 0A21AE71500244AFEB21CF55CD89FAAFBE8EF08324F088459E9498B651D775E44CCBB6

Uniqueness

Uniqueness Score: -1.00%

Function 0576210A Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000E24), ref: 05762193

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 698caaad9a8cf051902a621a3e3af0ffd5c22f15a7fad54c462b66caf52b4343
Instruction ID: e69f53109476d3bf294bda0093e6469f8e44c0ab5fd3f7acec19dbaf0abc5e43
Opcode Fuzzy Hash: 698caaad9a8cf051902a621a3e3af0ffd5c22f15a7fad54c462b66caf52b4343
Instruction Fuzzy Hash: FB11B7755053806FE721CB11DC85FA6FFB8EF45720F04809AFD445B292D364A948CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0173A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 0173A4F8

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 949eb15d8831ccf50cb0e158c75ae8717aafac69ec1725d9966cbf20cf48cefb
Instruction ID: 132ec816623e8c5c989a59c54bc0823125ca15b1722c81ec056e68b226ab02df
Opcode Fuzzy Hash: 949eb15d8831ccf50cb0e158c75ae8717aafac69ec1725d9966cbf20cf48cefb
Instruction Fuzzy Hash: C211D072600604AFEB21CF19CC45FA7FBECEF44610F04845AED89CB682D360E448CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 057613A2 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 05761414

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 235fc7506a6afa5b4f7dd804b324d23cef3ec8ed261489680fcc012ad496612d
Instruction ID: 72a4e0d1dcf241546b226dfd6b4d75c77a75b3b109be5f21ec77da8b424329c8
Opcode Fuzzy Hash: 235fc7506a6afa5b4f7dd804b324d23cef3ec8ed261489680fcc012ad496612d
Instruction Fuzzy Hash: 6F118172600604AFEB21CF55DC84FA6FBE8EF04710F08845AED469B651D360E54CDAB6

Uniqueness

Uniqueness Score: -1.00%

Function 0173ACE8 Relevance: 1.6, APIs: 1, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?,F752A6E1,00000000,?,?,?,?,?,?,?,?,6CAC3C58), ref: 0173AD52

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 69bc9aabb55d02d5f03fb9213a56a1d06b53900afef6015f644aee93f0a64173
Instruction ID: a4da875a8afe6a4a3863182185281494bdc503948b5aa651588a508dd4909fc4
Opcode Fuzzy Hash: 69bc9aabb55d02d5f03fb9213a56a1d06b53900afef6015f644aee93f0a64173
Instruction Fuzzy Hash: A91172715053809FDB21CF69DC85B57FFE8EF46211F0884AAE985CB657D224E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05761AB2 Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 05761B11

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 83abfd791f710983ec2f760c38d1ce2d21dbafbc2f734feb8ba646c16e40999d
Instruction ID: 1e58dc66d35af6d593ebcca9fbe87f2be4df1f9280803699d6b06f86d15a01c5
Opcode Fuzzy Hash: 83abfd791f710983ec2f760c38d1ce2d21dbafbc2f734feb8ba646c16e40999d
Instruction Fuzzy Hash: 7611E272600244AFEB21CF55DD84FAAFBE8EF44320F04846AED49CB651D374A948DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0576319E Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 057631F7

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 8ef6ea29a01f5bec0a79a7c0388a30fe8bafa74684e92ceffd5a6589eea97a10
Instruction ID: 1f9555c7d60e002d4340be897f06123b495abd39b99ce82a2bb604a448d40c2b
Opcode Fuzzy Hash: 8ef6ea29a01f5bec0a79a7c0388a30fe8bafa74684e92ceffd5a6589eea97a10
Instruction Fuzzy Hash: 5211C471600244AFEB21CF55DD45FAAB7E8EF04724F04846AEE45CB641D374A548CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 05763282 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 057632DB

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 8ef6ea29a01f5bec0a79a7c0388a30fe8bafa74684e92ceffd5a6589eea97a10
Instruction ID: 0d40a18caafebf667ca31a0f9b3b5f539d10a8af5df975d9d2379fc2ea1d1e6e
Opcode Fuzzy Hash: 8ef6ea29a01f5bec0a79a7c0388a30fe8bafa74684e92ceffd5a6589eea97a10
Instruction Fuzzy Hash: 0C11C471600244AFEB10CF55DC45FAAB7A8EF04324F04846AED45DB641D774A548DAB5

Uniqueness

Uniqueness Score: -1.00%

Function 0173BD4A Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNEL32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 0173BDA0

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: fc23479f75fb25e373b08cf784ae412f9249e4221c9758a1fd44fbe3bf608bcc
Instruction ID: cc8a732fb1245e8ba94d09ceadd485edbdbd329ad5a3659615c261049cb02f04
Opcode Fuzzy Hash: fc23479f75fb25e373b08cf784ae412f9249e4221c9758a1fd44fbe3bf608bcc
Instruction Fuzzy Hash: 34110671600244AFEB11CF55DC84BAAF7ECEF44324F0484AAED44CB642D374A548CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 0173B25E Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 0173B2BD

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d3418537147283eb2fdad0fca641a75feb482c9ec87ad1cb13c99655136ce993
Instruction ID: c7bac3980fb27247744669f5e675251965c2e6d32f6b9a808e85e76c14fd8c8e
Opcode Fuzzy Hash: d3418537147283eb2fdad0fca641a75feb482c9ec87ad1cb13c99655136ce993
Instruction Fuzzy Hash: F4112772500244AFEB21CF55DC44FAAFBE8EF44310F04845AEE458B652C334A50CCBB6

Uniqueness

Uniqueness Score: -1.00%

Function 057600B8 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,F752A6E1,00000000,?,?,?,?,?,?,?,?,6CAC3C58), ref: 0576011A

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 8869e888984e5d544d2810b121a49910747852cbc4aefbacd601df4892f87e3a
Instruction ID: 44c1d987e4f3089646615c2f4c61557a10aa41d03a0e7fc646c6dbf4fdbb7b8c
Opcode Fuzzy Hash: 8869e888984e5d544d2810b121a49910747852cbc4aefbacd601df4892f87e3a
Instruction Fuzzy Hash: 301184715093809FDB11CF65DC84B56FFE8EF06210F0884AAED85CB252D234A818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05762FEE Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 05763047

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: e43c5cef4cf73dd8319ac7de6c929692590ac32d3fe15035bfc3c2e67a7b41a3
Instruction ID: 110f275cbbd204d3ba2a0619994036ee2559d1059ed54bfe0f54c4c74a86d70c
Opcode Fuzzy Hash: e43c5cef4cf73dd8319ac7de6c929692590ac32d3fe15035bfc3c2e67a7b41a3
Instruction Fuzzy Hash: 3311E371600244AFEB20CF54CC84FAAFBA8EF44724F04889AED499B641C375A54CCAB5

Uniqueness

Uniqueness Score: -1.00%

Function 0173A9B5 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,F752A6E1,00000000,?,?,?,?,?,?,?,?,6CAC3C58), ref: 0173AA14

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e59f1e1ec1498ef405819e44f209fc7bf52c1e7fb633f96a3988b6d237eb82f5
Instruction ID: 2ef9f9d7a8f6623b44f9f9ecd817c072b02e20adf8d48b5246bbd47e5d43dfc1
Opcode Fuzzy Hash: e59f1e1ec1498ef405819e44f209fc7bf52c1e7fb633f96a3988b6d237eb82f5
Instruction Fuzzy Hash: 371160715093C09FDB128B65DC45B92BFB4EF47220F0884DAED848F253C275A548DB62

Uniqueness

Uniqueness Score: -1.00%

Function 057618E2 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 05761938

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 2278cdc24d7a18dc7035e4843d15b7b7727f24dc37231c6440c81fada655ee9f
Instruction ID: db69f09ca2498818e82f43bf109ced44cdb1a41409220d25164c8004c4f5acd2
Opcode Fuzzy Hash: 2278cdc24d7a18dc7035e4843d15b7b7727f24dc37231c6440c81fada655ee9f
Instruction Fuzzy Hash: 5111C271600244AFEB10CF55DC88FAABBACEF44724F14849AED489B641D374A548CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0173A2D2 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,F752A6E1,00000000,?,?,?,?,?,?,?,?,6CAC3C58), ref: 0173A330

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b1b7c341f60921c094b73a039eec33290853cda80e035f62ecb18c5d1b1f1e63
Instruction ID: bfd7999426def4c2c66849f7b5027d588547f32baf16676af945526269dd91f6
Opcode Fuzzy Hash: b1b7c341f60921c094b73a039eec33290853cda80e035f62ecb18c5d1b1f1e63
Instruction Fuzzy Hash: FB113D7140A3C0AFDB138B259C54A62BFA49F47624F0980DAEDC58B263D2656918D772

Uniqueness

Uniqueness Score: -1.00%

Function 0576042C Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05760492

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9b1c9a763c2fa970b36fa6a9b20d25296350e9960b63203867eabb4d9dcfe12d
Instruction ID: b0fb4c7cd8296565d8242021933431eb6e0efbafe0183fb06d1e3962c885d341
Opcode Fuzzy Hash: 9b1c9a763c2fa970b36fa6a9b20d25296350e9960b63203867eabb4d9dcfe12d
Instruction Fuzzy Hash: A8115E71409780AFDB22CF55DD84F56FFF4EF4A220F08889AED898B562C375A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0576212A Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000E24), ref: 05762193

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9eff9106109292d2d9721230031d3ef6f4fb56c89ef2de80e38816a4a9492dde
Instruction ID: a1dc13dd457e0c858a22619c1c865974675de2941d4bbb613c5598da55db2fea
Opcode Fuzzy Hash: 9eff9106109292d2d9721230031d3ef6f4fb56c89ef2de80e38816a4a9492dde
Instruction Fuzzy Hash: 4D110C75604244AEE720CB15DD41FBAF7A8DF04714F148056FE445A781D3B4B54CCAB6

Uniqueness

Uniqueness Score: -1.00%

Function 057630CA Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 05763120

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: f4b44b7dcf2a856d7e8475bd63d4d308da796f70c4414d4c732ccb553408392f
Instruction ID: c5649faee2ec58853dc01e0ac672b8435c3fdfe2bc31eb36cc81f411523c07ec
Opcode Fuzzy Hash: f4b44b7dcf2a856d7e8475bd63d4d308da796f70c4414d4c732ccb553408392f
Instruction Fuzzy Hash: A4118F756046049FDB20CF55D884F62FBE8EF04710F0888AADD49CB652D335E448DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0173A078 Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0173A0D5

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 60eb7b6387c5075e3909e44d8142e6daf73b07efc9ef2811a1ccff8b1d7079ef
Instruction ID: 99d20dfc26d8327bce8d4e57f6863d16ff3fe60ebce5890408db0ba536462459
Opcode Fuzzy Hash: 60eb7b6387c5075e3909e44d8142e6daf73b07efc9ef2811a1ccff8b1d7079ef
Instruction Fuzzy Hash: 1C119171509780AFDB22CF55DC44F52FFB4EF46224F0884DAED848B553C275A518DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0173B956 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0173B99E

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 04ed1b98d7b8f58c60bed737fe91771a219d18ab2c85cd6aec20f40a28746c11
Instruction ID: 57c82385761b09f77eb1e307dea0f47a75a6f89019978751fbbda69b0a7e31ff
Opcode Fuzzy Hash: 04ed1b98d7b8f58c60bed737fe91771a219d18ab2c85cd6aec20f40a28746c11
Instruction Fuzzy Hash: 43116572604244DFEB10CF69D985B66FBD8EF44610F0884AADD49CB743D775E448CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0173AD0A Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?,F752A6E1,00000000,?,?,?,?,?,?,?,?,6CAC3C58), ref: 0173AD52

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 04ed1b98d7b8f58c60bed737fe91771a219d18ab2c85cd6aec20f40a28746c11
Instruction ID: cda7ea88047b1c7d7670582c4f8c93a03e4bc024d5d55ece1950dff05080df7f
Opcode Fuzzy Hash: 04ed1b98d7b8f58c60bed737fe91771a219d18ab2c85cd6aec20f40a28746c11
Instruction Fuzzy Hash: 4011A5726002008FEB20CF29D889B66FBE8EF44211F08C4AADD85CB747D735E448CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0173AEEA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E24,F752A6E1,00000000,00000000,00000000,00000000), ref: 0173AF3D

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 8623fd828f7be973aa3c73a9c629b26bd9d43ed9fb6e76483b701dc9afaf3603
Instruction ID: a35f3976593876d9051985304bc24320ed5042f75a096923656767611a58a351
Opcode Fuzzy Hash: 8623fd828f7be973aa3c73a9c629b26bd9d43ed9fb6e76483b701dc9afaf3603
Instruction Fuzzy Hash: 0901D671604244AEEB10CB15DC85FA6F7E8DF44724F04C096ED448B792D375E54C8AB6

Uniqueness

Uniqueness Score: -1.00%

Function 0173B0DC Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(?,F752A6E1,00000000,?,?,?,?,?,?,?,?,6CAC3C58), ref: 0173B130

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 21da00cf8921ba8f4717a8c4f43d38529a9c714cc11959e2ce18e148473820fb
Instruction ID: 4ff2910882ffb1155c97d45ec469255056180e7eb39f8498f1e152db6302123a
Opcode Fuzzy Hash: 21da00cf8921ba8f4717a8c4f43d38529a9c714cc11959e2ce18e148473820fb
Instruction Fuzzy Hash: 1B11A5755093C09FDB128F15DC84B52FFB4DF47220F0880DBED858B2A3D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0173A918 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 0173A96F

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: d08a0570e6169304c50e71a3f2dc9bc283a9137c12ff5449fd7bc6968242a8bf
Instruction ID: 8404453477365331a6baf020a67f053e65ab2208b4221fbcb857a5bad99cb018
Opcode Fuzzy Hash: d08a0570e6169304c50e71a3f2dc9bc283a9137c12ff5449fd7bc6968242a8bf
Instruction Fuzzy Hash: 5011A0714093809FDB12CF55DC85B52FFA8EF46220F0984DAED848F263D279A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05761D7E Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05761DCA

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 5618b75d01397b2c7568711bb58e8c55d25f8d6d4940cc3d5ef6416dcbf648ce
Instruction ID: cdfa5b4aa56b8175aecd2dc202c8b9a96b7bdf8b3aeeb9532d7912437caf42d2
Opcode Fuzzy Hash: 5618b75d01397b2c7568711bb58e8c55d25f8d6d4940cc3d5ef6416dcbf648ce
Instruction Fuzzy Hash: 3611A0315006449FDB20CF55C844F62FBE4FF08310F08849ADE458B662D331E418DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 057600DA Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,F752A6E1,00000000,?,?,?,?,?,?,?,?,6CAC3C58), ref: 0576011A

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: cb37e1be54b905d831c6cf23f091dbdad80938377f821a99da565ab4b87f5b17
Instruction ID: ab060f00c0953e14174b5dc2ff3af9cb9f752967f04db76577dbeab9052d647e
Opcode Fuzzy Hash: cb37e1be54b905d831c6cf23f091dbdad80938377f821a99da565ab4b87f5b17
Instruction Fuzzy Hash: 3711AD716002048FDB24CF69D888B6AFBE8EF04220F08C4AADD49CB652D335E448DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0173AB8E Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,?,F752A6E1,00000000,?,?,?,?,?,?,?,?,6CAC3C58), ref: 0173ABCB

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d2e95bef69307d8bc70929987f8fa964645671d9d986c38f11025901a1bd0816
Instruction ID: 47ff66ed8ce867e1823066229fdbd075e4f5002669ec229b89391d734a3054a4
Opcode Fuzzy Hash: d2e95bef69307d8bc70929987f8fa964645671d9d986c38f11025901a1bd0816
Instruction Fuzzy Hash: 9C01B571A042449FEB10CF29D985B66FBE8EF44220F08C4AADD85CB743D375E448CE62

Uniqueness

Uniqueness Score: -1.00%

Function 05761E9E Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNEL32(?,00000E24,?,?), ref: 05761EEE

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: e1a0ad063d0d810027e51150b61fa144195a8087bbd4f47a5c8402efbd788bdf
Instruction ID: 6ec2ebff4c81f022c9f44203d697d5dad7cb9243314f404a98ad0cfe37d77081
Opcode Fuzzy Hash: e1a0ad063d0d810027e51150b61fa144195a8087bbd4f47a5c8402efbd788bdf
Instruction Fuzzy Hash: B101B171A00200AFD310DF16CC45B66FBE8FB88A20F14811AEC089BB41D731B915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0576044E Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05760492

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2825e665017c603dbb270b5395170641497c832b7c18ef370fb88cb5023e5690
Instruction ID: 3bf0dc701b7daf3e9bad017ece391c386146c8401d08af41215ecf9184bb5d87
Opcode Fuzzy Hash: 2825e665017c603dbb270b5395170641497c832b7c18ef370fb88cb5023e5690
Instruction Fuzzy Hash: 7601A1315006409FDB20CF51D944B62FFE1EF09320F08889ADE894A652C335E018DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0173A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,F752A6E1,00000000,?,?,?,?,?,?,?,?,6CAC3C58), ref: 0173A780

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9de2166e128480f6b0078763de3601f1146e547177b93f4bbea27a045aa44cd1
Instruction ID: 28e2642893a9357f4271a8f79935916f41c36d509cf4b2a7dea55caf3cb6d2a1
Opcode Fuzzy Hash: 9de2166e128480f6b0078763de3601f1146e547177b93f4bbea27a045aa44cd1
Instruction Fuzzy Hash: 6D01BC71A002408FEB118F29D985B66FBA4DF44220F08C4AADD8ACB642D275A448CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0173BBA6 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,F752A6E1,00000000,?,?,?,?,?,?,?,?,6CAC3C58), ref: 0173BBD8

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ff710d672ed9673f31e63f466bee5dad99a0a69622fcc2a08fedfa665a6ca693
Instruction ID: 375636dedaf012fb4e7ebe4786ae4a608854f12d9277b46150ad58e7cf464f99
Opcode Fuzzy Hash: ff710d672ed9673f31e63f466bee5dad99a0a69622fcc2a08fedfa665a6ca693
Instruction Fuzzy Hash: 6201DF71A042408FDB20CF19D984B62FBE4EF84220F08C0AADD499B646C775E458CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 05760FC6 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,?,?), ref: 05761016

Memory Dump Source

Source File: 00000000.00000002.4112981171.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_QsKtlzYaKF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 99cdb9e7d86e7ad6da80bd54f69f49f3863eba4df9c02a7f11ca6df49fe07ad1
Instruction ID: db6f9cc99846cd2cde03a4ac91e9673e2ff0c94a163dffb90edf6506d61ee482
Opcode Fuzzy Hash: 99cdb9e7d86e7ad6da80bd54f69f49f3863eba4df9c02a7f11ca6df49fe07ad1
Instruction Fuzzy Hash: 6D01A271500600ABD310DF16CC46F66FBE8FB88A20F14811AEC089BB81D771F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0173A09A Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0173A0D5

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 4af075f2cecf85c98b9cfa69087999b113ed574fb32f2205c218a4a0583476fb
Instruction ID: 723b5496aae8d98e774d66e1fa7930f296713b62b5cad01546ce7cfc80a054fb
Opcode Fuzzy Hash: 4af075f2cecf85c98b9cfa69087999b113ed574fb32f2205c218a4a0583476fb
Instruction Fuzzy Hash: 4501BC329006409FDB20CF55D985B62FBE4EF48320F08C4AADE898B656D375E458CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0173A93A Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 0173A96F

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: b8b21790d369b8a6d518bd46569bb1ab43177c17a988dc6aa145807fe0bbc271
Instruction ID: 02b5fadd2012d2e491d96245be7d63d51bf2aab521760f3bcfd953ba828ef331
Opcode Fuzzy Hash: b8b21790d369b8a6d518bd46569bb1ab43177c17a988dc6aa145807fe0bbc271
Instruction Fuzzy Hash: E301F2759042409FDB10CF15D985B65FBE4EF44220F08C4AADD889F257D379A408CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0173B0FE Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(?,F752A6E1,00000000,?,?,?,?,?,?,?,?,6CAC3C58), ref: 0173B130

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 5359d62a3e693670da4d9c24714da37201b60ff812632fe83fdbc49ec5aa1228
Instruction ID: 1631de8f9dc61d21055eb857cf4b589a091dfda189f8dc4635a23b663c11bdfd
Opcode Fuzzy Hash: 5359d62a3e693670da4d9c24714da37201b60ff812632fe83fdbc49ec5aa1228
Instruction Fuzzy Hash: 7801DC75A00244CFDB108F19D984B62FBE4EF45620F08C0AADD098B793D375E848CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0173A9E2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,F752A6E1,00000000,?,?,?,?,?,?,?,?,6CAC3C58), ref: 0173AA14

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 06b748b3846bb1ff8071c2225423bdd7c3e5edd5a0c87ce57f3d1b77644c9903
Instruction ID: ddf5c152a0d6074e8b3ae2c033a26b1ecebb71713b30004c2cd645297641527b
Opcode Fuzzy Hash: 06b748b3846bb1ff8071c2225423bdd7c3e5edd5a0c87ce57f3d1b77644c9903
Instruction Fuzzy Hash: 5C01AD72A042849FDB10CF55DA85B61FBE4EF44220F08C4AADD898F747D379A548CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0173A2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,F752A6E1,00000000,?,?,?,?,?,?,?,?,6CAC3C58), ref: 0173A330

Memory Dump Source

Source File: 00000000.00000002.4110243044.000000000173A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173a000_QsKtlzYaKF.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: ff959ae084b924ad3fba80180a67658607fcd379b99f8c036aeedd88d5c89e13
Instruction ID: 4097d0202a9f6fe7305cd44d6224fb8a816cf8921fcabe907e1a76b763115b21
Opcode Fuzzy Hash: ff959ae084b924ad3fba80180a67658607fcd379b99f8c036aeedd88d5c89e13
Instruction Fuzzy Hash: 5BF08C75904244DFDB108F09D985B61FFA4EF44720F08C09ADD898B753D3B5A448CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 017E08FE Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4110659596.00000000017E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17e0000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199b0cfa375368bd7ff4ad681f609d1859377c0e8517b74222edbd913f139d72
Instruction ID: 6226cff08ee612bd22fba7b5670bc03893c8a727a4f6fadab84a5936fd904cac
Opcode Fuzzy Hash: 199b0cfa375368bd7ff4ad681f609d1859377c0e8517b74222edbd913f139d72
Instruction Fuzzy Hash: 6D219D312093C48FD717CF24D990755BFF1AB5B218F2A85DEE4858B6A3C3769806CB52

Uniqueness

Uniqueness Score: -1.00%

Function 05E426C0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113422228.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ba61418f6b1566e03c7cb668029fe23c576b5f48c718e3ac6f51a369cab50b
Instruction ID: 75d3098c41cb4c69938a7fd2308aec23c36ac061b9f9e6d7a507b437266f1710
Opcode Fuzzy Hash: d8ba61418f6b1566e03c7cb668029fe23c576b5f48c718e3ac6f51a369cab50b
Instruction Fuzzy Hash: 9111BAB5A08341AFD740CF19D980A5BFBE4FB88664F04895EF998D7311D331E9188FA6

Uniqueness

Uniqueness Score: -1.00%

Function 017E0934 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4110659596.00000000017E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17e0000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417b329ada406bc2dcd8cfe7c2c2af0653001ca58f681a041f8abb1e3477e265
Instruction ID: 1fcec9a196ca5ed0b904b459ad19f3df360ddeaba24d3cd9bde2a9c2ab38d1a5
Opcode Fuzzy Hash: 417b329ada406bc2dcd8cfe7c2c2af0653001ca58f681a041f8abb1e3477e265
Instruction Fuzzy Hash: 5711DF303082809FE711CF14D984B26FBE5EB8D718F28C99CE9895B752C7BBD842CA41

Uniqueness

Uniqueness Score: -1.00%

Function 0174B858 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4110316035.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174a000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a92abf83292f2a12d0d80377ba123e63e113f84350caaba217d64d24db4899
Instruction ID: 9fa066c607dc5c9ef012cfd05bf86854d93b9dae7285caaf2b6a887ded93f0e5
Opcode Fuzzy Hash: 02a92abf83292f2a12d0d80377ba123e63e113f84350caaba217d64d24db4899
Instruction Fuzzy Hash: A611FAB5A08301AFD750CF49DC80E57FBE8EB88660F04895EF95997311D231E9088FA2

Uniqueness

Uniqueness Score: -1.00%

Function 017E05DF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4110659596.00000000017E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17e0000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2f1337bd54988243a77f7994931381af886bf67322e181797c02afa0290ce1
Instruction ID: 22c92bf7689ace4bfdd4498f94918b50bd94d7ade6bfd407c093e771b08c0eb3
Opcode Fuzzy Hash: 8e2f1337bd54988243a77f7994931381af886bf67322e181797c02afa0290ce1
Instruction Fuzzy Hash: 7001D6B650D3806FC7118F05AC40862FFA8EB8622070984AFEC4987652D225B908CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 017E09F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4110659596.00000000017E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17e0000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53963eade7438ca410e32634de66363e024afaa3f40a7da14d248b9d76a52dc3
Instruction ID: fdf55197fad5c1f031d3a5e03f4fc2a1925c2d5371e954f0899282c2db1d7a25
Opcode Fuzzy Hash: 53963eade7438ca410e32634de66363e024afaa3f40a7da14d248b9d76a52dc3
Instruction Fuzzy Hash: D2F01D35208644DFC306CF04D584B15FBE2EB89718F24CAADE94917752C777E813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 017E0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4110659596.00000000017E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17e0000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bfd856325c00ed04aa7ae526bcce8a1cb27a88e38ea607dba257c173ac1a69b
Instruction ID: ad1c2b73260854f651e84083b98d016668aaf8e70f82b051c6ca91aae71ecff4
Opcode Fuzzy Hash: 3bfd856325c00ed04aa7ae526bcce8a1cb27a88e38ea607dba257c173ac1a69b
Instruction Fuzzy Hash: 67E092B6A046448BD750CF0AED81852F7D8EB84630718C07FDC0D8B711D235B508CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 0174B8A7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4110316035.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174a000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 389a732bb784b2b58668eda8165dc800ac051f9f6e7d92176e115de48147ccc5
Instruction ID: 63b5e3f037f8b14475536c3a4a71d3f3b46455dc24afff4e2d0a9f61275a4a54
Opcode Fuzzy Hash: 389a732bb784b2b58668eda8165dc800ac051f9f6e7d92176e115de48147ccc5
Instruction Fuzzy Hash: D7E020B2A4020467D7108F069C45F63F79CDB50A30F04C557EE0D5B742D171B518CAF5

Uniqueness

Uniqueness Score: -1.00%

Function 05E41FD7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113422228.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8491ff14fae4d0d6002176dfe0009e6a3481b1f70d04dd44eec7a2e2de2a72
Instruction ID: 833d7646d0fb687810dbf2614736783c003780cc6c62aed253ba54f6068f9664
Opcode Fuzzy Hash: 6f8491ff14fae4d0d6002176dfe0009e6a3481b1f70d04dd44eec7a2e2de2a72
Instruction Fuzzy Hash: 13E0D8B2A0020067D6109E069C45F63FB98DB40A30F08C457EE085B742D172B518C9E5

Uniqueness

Uniqueness Score: -1.00%

Function 05E4272B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4113422228.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb759d9e11192bd4495606f0ad80943b81bedc6ae21d68b31dca1e2451ac4a25
Instruction ID: 6db64661cc7a5ccea05a95475bc93b9fcff04c7948e69ad128036fd0bcf8f8f3
Opcode Fuzzy Hash: eb759d9e11192bd4495606f0ad80943b81bedc6ae21d68b31dca1e2451ac4a25
Instruction Fuzzy Hash: 11E0D8B2A4020067D7108E069C45F62FB9CDB54A30F04C567EE085B742D171B51889E5

Uniqueness

Uniqueness Score: -1.00%

Function 017323F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4110223582.0000000001732000.00000040.00000800.00020000.00000000.sdmp, Offset: 01732000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1732000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a6ccab1fa083ad800696f4b7064b27aab0aaab64e81414281fb3c6660216dfd
Instruction ID: 6da7d29a997e145aa20f6842e0d683e03815580aba28e9aa641d4c65bb8b9229
Opcode Fuzzy Hash: 2a6ccab1fa083ad800696f4b7064b27aab0aaab64e81414281fb3c6660216dfd
Instruction Fuzzy Hash: 26D02E793006C04FE3128A0CC2A8B857BE4AB80704F0A00F9A8008B763C728E8C1C200

Uniqueness

Uniqueness Score: -1.00%

Function 017323BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4110223582.0000000001732000.00000040.00000800.00020000.00000000.sdmp, Offset: 01732000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1732000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443061496d24ba0196d91a6d910e5aa366ce86e5cd94262f4b00ce7124274323
Instruction ID: 4f46cb0f842f2da5a9c497df149cf5d3d84a947b049d51cd07a2dc7c7c739c6f
Opcode Fuzzy Hash: 443061496d24ba0196d91a6d910e5aa366ce86e5cd94262f4b00ce7124274323
Instruction Fuzzy Hash: 2FD05E352406814BD715DA0CC2D4F59BBD4AB80B14F1A44E8BC108B763C7B4D8C5CA00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: QsKtlzYaKF.exePID: 4284, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	18.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0112A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0112A6B9

Memory Dump Source

Source File: 00000004.00000002.1873619234.000000000112A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_112a000_QsKtlzYaKF.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: a6e3c371a95f35266553a91d5201bd173b9b203d05bc82596e8967f12ae3ad72
Instruction ID: ed86c664953299b332cb2b0797f2bf69477d4d7bf7d932c09b60d1a6126d7243
Opcode Fuzzy Hash: a6e3c371a95f35266553a91d5201bd173b9b203d05bc82596e8967f12ae3ad72
Instruction Fuzzy Hash: 0A31B3755097805FE712CB25DC85B96BFF8EF06210F08849AE984CF693D375A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 0112A361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,5ABE45A6,00000000,00000000,00000000,00000000), ref: 0112A40C

Memory Dump Source

Source File: 00000004.00000002.1873619234.000000000112A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_112a000_QsKtlzYaKF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b9d771938b723b599b8ab8d16e4c30ca34b26fa07e121f57e81df7e9bb9e7793
Instruction ID: 15758e52f509b9cadbb2d4163b87c7022cdf4bdd78329e9307c38e6d8a1ab1a7
Opcode Fuzzy Hash: b9d771938b723b599b8ab8d16e4c30ca34b26fa07e121f57e81df7e9bb9e7793
Instruction Fuzzy Hash: DD319175509780AFE722CF15DC84F96BFF8EF06210F08849AE985CB692D364E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0112A462 Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,5ABE45A6,00000000,00000000,00000000,00000000), ref: 0112A4F8

Memory Dump Source

Source File: 00000004.00000002.1873619234.000000000112A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_112a000_QsKtlzYaKF.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 60a3740849d5fd33963ec53150830efaee781816fb66365ff673759356e61764
Instruction ID: fae5bd84631e246b903c70c812f987adac7d990a8bd2fe998a76d84c932f9ea9
Opcode Fuzzy Hash: 60a3740849d5fd33963ec53150830efaee781816fb66365ff673759356e61764
Instruction Fuzzy Hash: 532190725047906FE722CF15DC44FA7BFB8EF46210F08849AE989CB652D364E958CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0112A646 Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0112A6B9

Memory Dump Source

Source File: 00000004.00000002.1873619234.000000000112A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_112a000_QsKtlzYaKF.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: bdf581710081bb8de7b319ca84c370b50b4764f096d1911cfdb5eafaa45daa75
Instruction ID: 3c2cd9df9b75a39f50b24797cb059c6d1a48d563b8c480f9fb210f584cc33b5d
Opcode Fuzzy Hash: bdf581710081bb8de7b319ca84c370b50b4764f096d1911cfdb5eafaa45daa75
Instruction Fuzzy Hash: 4121D4716002509FE720CF25DD45BA6FBE8EF04214F04846AEE49CBB41D371E819CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 0112A710 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0112A780

Memory Dump Source

Source File: 00000004.00000002.1873619234.000000000112A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_112a000_QsKtlzYaKF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4b05142c37bd9b92bfc7461f49eb70b5a6f77bfd621ce40dea55655feb467e4e
Instruction ID: 9be169ffcf81a14898b59eb69cff7fbd182b15c6250e6e8b9c45d3e44d5ca99e
Opcode Fuzzy Hash: 4b05142c37bd9b92bfc7461f49eb70b5a6f77bfd621ce40dea55655feb467e4e
Instruction Fuzzy Hash: 0D21F6B55097805FDB128F25DC85751BFB4EF02220F0884DBDD858B653D2259909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0112A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,5ABE45A6,00000000,00000000,00000000,00000000), ref: 0112A40C

Memory Dump Source

Source File: 00000004.00000002.1873619234.000000000112A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_112a000_QsKtlzYaKF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8dd17dfb78aa92af846cadf6ebd7e3b9ef05de4b83adf27074a17f4a507751d8
Instruction ID: 4557ecdb594677adbec2541de6a8746dbd45ef091ce0cac93e7a3d65c98a7817
Opcode Fuzzy Hash: 8dd17dfb78aa92af846cadf6ebd7e3b9ef05de4b83adf27074a17f4a507751d8
Instruction Fuzzy Hash: C021A275600654AFE721CF15DC84FA6FBECEF04610F08845AEA45CBA51D360E959CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0112A486 Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,5ABE45A6,00000000,00000000,00000000,00000000), ref: 0112A4F8

Memory Dump Source

Source File: 00000004.00000002.1873619234.000000000112A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_112a000_QsKtlzYaKF.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a84ff1ddff7785d630b17adf3a157cf35c925e6a7a4584a05d889e0e514f75e3
Instruction ID: 444aee001ec8d92f67290a14ddb3f17d16d3d8e6f4acbe700eff03dc43ddc2f5
Opcode Fuzzy Hash: a84ff1ddff7785d630b17adf3a157cf35c925e6a7a4584a05d889e0e514f75e3
Instruction Fuzzy Hash: C911D072600654AFEB21CF15DC44FA7FBECEF04610F08845AEE498BA42D360E558CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0112A74E Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0112A780

Memory Dump Source

Source File: 00000004.00000002.1873619234.000000000112A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_112a000_QsKtlzYaKF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9d3046de1907025f35db15226fc7aaedb77617e7f051140e98b6bd885f0a9cbd
Instruction ID: aec86d6b52e4b6f2c9666b299745b6e2c1e82b0d46c6572fa2ae6dc24c8b80cf
Opcode Fuzzy Hash: 9d3046de1907025f35db15226fc7aaedb77617e7f051140e98b6bd885f0a9cbd
Instruction Fuzzy Hash: 0901D4716006008FDB14CF15E984765FBE4DF04220F08C4ABDD4A8BB42D376E458CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 052F0310 Relevance: .2, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1874191260.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_52f0000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33180ed52bae785eef0f43186bf1f9dc54563df8f7e1b7ca9ba8253f7a035b48
Instruction ID: d3f24adf71d8e4e3e5527ad9dc969b2eb0032784ab978403ac79b349501a88e9
Opcode Fuzzy Hash: 33180ed52bae785eef0f43186bf1f9dc54563df8f7e1b7ca9ba8253f7a035b48
Instruction Fuzzy Hash: 7B5111303142018BC718DB7994146AEB6E7AF85608B44407AE00AEF7D5DF3DDC4AC7A6

Uniqueness

Uniqueness Score: -1.00%

Function 052F03BD Relevance: .1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1874191260.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_52f0000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 909bad38a9e44969b6ffb0cdf0d1ed010c71e9e3a9b87d2a51b379002a413676
Instruction ID: b178ec1408e421c59b7815120ddb36944b77d2da5e38de5219923e3570f7e8c4
Opcode Fuzzy Hash: 909bad38a9e44969b6ffb0cdf0d1ed010c71e9e3a9b87d2a51b379002a413676
Instruction Fuzzy Hash: 2041E0307101218B9B18ABBA94142BD72D3AFC56487444039E01AFF7D8DF7CDD4A97E6

Uniqueness

Uniqueness Score: -1.00%

Function 052F0080 Relevance: .1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1874191260.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_52f0000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f85a7a2d541d71b37033e8f7ab1cb03453b41cbcd13ba6aaf43258f7db1239a
Instruction ID: 2ad4f14c617b901e6269eb03c34d711eda7f26fd464305c82535373e630cd0b7
Opcode Fuzzy Hash: 4f85a7a2d541d71b37033e8f7ab1cb03453b41cbcd13ba6aaf43258f7db1239a
Instruction Fuzzy Hash: 81514E30211246CBC704DF76E58498A77A6FB81A08740857CD014AF7AADF7C5DADDBC1

Uniqueness

Uniqueness Score: -1.00%

Function 052F0006 Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1874191260.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_52f0000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4566ee239d6d5ab16df2c1bfa235fa43047489f83deb0c9bf8762cf7f4b6244
Instruction ID: fbd1b0ffa01e72c891d023ff8a508034aab34b1d6e0ee1f382042c47cb57f0a8
Opcode Fuzzy Hash: c4566ee239d6d5ab16df2c1bfa235fa43047489f83deb0c9bf8762cf7f4b6244
Instruction Fuzzy Hash: FC017AA680E3C28FD7078774ACA66807F70AE2321570F45D7C0D1CF1A7E159895ADB36

Uniqueness

Uniqueness Score: -1.00%

Function 016405E0 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1873928310.0000000001640000.00000040.00000020.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1640000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9a746a10e567e191cd20ce65acc16259ee1e7d541a932ada60523ae1db0b8d
Instruction ID: bd385f235243d5ce77ccb4ce8aa47f3eada9c60cb94484d2fa8f7d99f37d31fd
Opcode Fuzzy Hash: 9c9a746a10e567e191cd20ce65acc16259ee1e7d541a932ada60523ae1db0b8d
Instruction Fuzzy Hash: 6B01A2B55093805FD711CF15EC40896FFE8EF86230B0984ABE8898B612D235B959CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 01640606 Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1873928310.0000000001640000.00000040.00000020.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1640000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3ba4035d654db4a8362902279053d12b44db091911aa399b55a79edc124721
Instruction ID: 8083f9d28c70b1dd6bb5a9e1b85dabdcf00b0fee4c668341b9dcbee6646f223a
Opcode Fuzzy Hash: fe3ba4035d654db4a8362902279053d12b44db091911aa399b55a79edc124721
Instruction Fuzzy Hash: 3CE092B6A006044BD650CF0AEC41452F7D8EB84630708C07FDD0D8B711D236B508CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 011223F4 Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1873602972.0000000001122000.00000040.00000800.00020000.00000000.sdmp, Offset: 01122000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1122000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e424efc71014b09b34dd59fbe601055f6d12d18a131fa11f731af8a7498e044
Instruction ID: 88439e73f0235b05e05d71fd0bbe5575f32a4b45c79828f4b7881f3ec0b90ee3
Opcode Fuzzy Hash: 3e424efc71014b09b34dd59fbe601055f6d12d18a131fa11f731af8a7498e044
Instruction Fuzzy Hash: 3DD02E793006D04FE31A8A0CC2A8B893BE4AB40704F0A00FAEC008B763C778D4C1C600

Uniqueness

Uniqueness Score: -1.00%

Function 011223BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1873602972.0000000001122000.00000040.00000800.00020000.00000000.sdmp, Offset: 01122000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1122000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28a23254905a12af34899b9725525e6ee25c4debcdcf7b72c6c5753fdb204c6
Instruction ID: cb79af09e90a813f7fc7e72bd8f4d39b56c11bd7272c33bb87051ef037252173
Opcode Fuzzy Hash: f28a23254905a12af34899b9725525e6ee25c4debcdcf7b72c6c5753fdb204c6
Instruction Fuzzy Hash: 43D05E342046814BD719DA0CC2D4F5D3BD4AF44714F1A44E8BC108B762C7B4D8D5CA00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: QsKtlzYaKF.exePID: 6184, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0094A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0094A6B9

Memory Dump Source

Source File: 00000008.00000002.1954933497.000000000094A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_94a000_QsKtlzYaKF.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: d69fd4b6e5543d4b9635b53d9d82bbcdb6ea01aa98e4488d83d146875f8d4b8a
Instruction ID: 1fc5cd870ee36d28b768ae0f2899e38b6ae7441bfe98066d6039efe3ae8181b2
Opcode Fuzzy Hash: d69fd4b6e5543d4b9635b53d9d82bbcdb6ea01aa98e4488d83d146875f8d4b8a
Instruction Fuzzy Hash: EA3181715097806FE711CB25CC85F96BFF8EF06314F09849AE984CF292D365A909C776

Uniqueness

Uniqueness Score: -1.00%

Function 0094A361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,99F7E1AA,00000000,00000000,00000000,00000000), ref: 0094A40C

Memory Dump Source

Source File: 00000008.00000002.1954933497.000000000094A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_94a000_QsKtlzYaKF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 85cdad3dc9a0314f7ab199e8e95108b92af381571ee6e1cd2b865f0735bb7e99
Instruction ID: 731e99a0eb5398d907ba2f273d2a0c60b95e653cb964633ad04dc0c9089b8fd5
Opcode Fuzzy Hash: 85cdad3dc9a0314f7ab199e8e95108b92af381571ee6e1cd2b865f0735bb7e99
Instruction Fuzzy Hash: 98318175505780AFE721CF11CC84F96BBFCEF06310F08849AE9858B2A2D364E949CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0094A462 Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,99F7E1AA,00000000,00000000,00000000,00000000), ref: 0094A4F8

Memory Dump Source

Source File: 00000008.00000002.1954933497.000000000094A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_94a000_QsKtlzYaKF.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: bf4b2b2c4ee6c3d4f705b7dd16702b1e34509adf1957845b49a3824246e7c65c
Instruction ID: f35e7ca932495f2d874cd18a3565685ffe6ceee2f486469560567759c095b0fd
Opcode Fuzzy Hash: bf4b2b2c4ee6c3d4f705b7dd16702b1e34509adf1957845b49a3824246e7c65c
Instruction Fuzzy Hash: 432192725447806FD7228F11DC44FA7BFBCEF46220F08849AE985CB652D364E948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0094A646 Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0094A6B9

Memory Dump Source

Source File: 00000008.00000002.1954933497.000000000094A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_94a000_QsKtlzYaKF.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: d336fd7fbad23ce5851f2b6d05b4dacd3baf862eb8b60cee234bbdc91d172a72
Instruction ID: 63f058c12db5a72b2411890eab27bd06af6ed8146ef1f3c923172694dbfb91ba
Opcode Fuzzy Hash: d336fd7fbad23ce5851f2b6d05b4dacd3baf862eb8b60cee234bbdc91d172a72
Instruction Fuzzy Hash: 63218071604244AFE720CF25CD45FA6FBE8EF04314F08886AE9488B641D375E909CA76

Uniqueness

Uniqueness Score: -1.00%

Function 0094A710 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0094A780

Memory Dump Source

Source File: 00000008.00000002.1954933497.000000000094A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_94a000_QsKtlzYaKF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4ea77beb26ded9f12b9318a373774d4c814e9d1bd81d11a734a3d08eade80229
Instruction ID: 6e1fe69c3586b065a7f16a30472718a42e880d884e419195df626742146870e1
Opcode Fuzzy Hash: 4ea77beb26ded9f12b9318a373774d4c814e9d1bd81d11a734a3d08eade80229
Instruction Fuzzy Hash: A721F6B55093805FDB128F25DC85751BFB8EF02320F0880DBDC858B653D2259909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0094A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,99F7E1AA,00000000,00000000,00000000,00000000), ref: 0094A40C

Memory Dump Source

Source File: 00000008.00000002.1954933497.000000000094A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_94a000_QsKtlzYaKF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 404e09b9ad71150d4e62bbbe72ada799ae63f52cb2b49f8a205ab64dedc43d17
Instruction ID: c1b9f21861596ee72d685f7ea91452dab6a54c2be7b128a6362f03217cde2e7f
Opcode Fuzzy Hash: 404e09b9ad71150d4e62bbbe72ada799ae63f52cb2b49f8a205ab64dedc43d17
Instruction Fuzzy Hash: 69219075640604AFE720CF15CC84FA7F7ECEF14710F08845AE9458B661D364E949CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 0094A486 Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,99F7E1AA,00000000,00000000,00000000,00000000), ref: 0094A4F8

Memory Dump Source

Source File: 00000008.00000002.1954933497.000000000094A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_94a000_QsKtlzYaKF.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d332654670e92c62dc0451247661a26a1464c863bb577a520fb3d35d6f6bc54a
Instruction ID: 1e577a208da6a81e526363c9286d9a9a7713a8d17f8a919e90bd4228f8ab882d
Opcode Fuzzy Hash: d332654670e92c62dc0451247661a26a1464c863bb577a520fb3d35d6f6bc54a
Instruction Fuzzy Hash: D211D0B2640604AFEB20CF11CD45FABFBECEF04724F04845AED498A651D364E848CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 0094A74E Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0094A780

Memory Dump Source

Source File: 00000008.00000002.1954933497.000000000094A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_94a000_QsKtlzYaKF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 532ab4f166d54ce2c15b71f210a049755de3a5c97aba7519f8d4c39a67d1227a
Instruction ID: bcade653be8b3e88989ea82be69f78227396185b8c39fcfa9524855673bef2db
Opcode Fuzzy Hash: 532ab4f166d54ce2c15b71f210a049755de3a5c97aba7519f8d4c39a67d1227a
Instruction Fuzzy Hash: 6501D475A002008FEB20CF15D985B65FBE8DF04320F08C4ABDD498B756D279E848CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B60310 Relevance: .2, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1955172305.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b60000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5953fd0f24c15f3538058c4991bff27f2ca0c8591c9cc5889c2c7cf711c3f4e
Instruction ID: 3a6681c6c91a1e388f78c8f3b9bd969fd66b22535e6adadb78d67fad61126a50
Opcode Fuzzy Hash: a5953fd0f24c15f3538058c4991bff27f2ca0c8591c9cc5889c2c7cf711c3f4e
Instruction Fuzzy Hash: 0B5104307243008FC718EB7A94506BE77E2AB85345B84416AE406DB7D9DF39DD0AD7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B603BD Relevance: .1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1955172305.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b60000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491c49124031cb39be5bc66a7d19f43d6af4215b678d1ccdf6554244a5421273
Instruction ID: b02ea76a6be0006fcaa03a303a24dda01aa8ff797c8bbc9f3f77c46eb7fc1dc4
Opcode Fuzzy Hash: 491c49124031cb39be5bc66a7d19f43d6af4215b678d1ccdf6554244a5421273
Instruction Fuzzy Hash: 1841E4307142104BCB18FB7A84557BE32D3AFC5349784506AE406EBBD5EF29DD0A97A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B60080 Relevance: .1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1955172305.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b60000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84addd0bea2d6bd4f56753d1965b3d3e32a08ee7440490e19beb58b6989ae858
Instruction ID: c9654aabb3d47db42a2c0378b17316ed46a926e76fc7378a3e46bfa00f2577b0
Opcode Fuzzy Hash: 84addd0bea2d6bd4f56753d1965b3d3e32a08ee7440490e19beb58b6989ae858
Instruction Fuzzy Hash: 6F5122306152468FC708FF75E59598977E2BB86248780EA2ED0048B76EEF34598ECBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00B60006 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1955172305.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b60000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c719fdfa604481cbdb128b1468738d1cc3ca5fa4a6770069ffeb6decee9ba64
Instruction ID: 2e730683e4dc8ab09902c8cbe8a963485a0d07ff38b969da813fb25a02343dd3
Opcode Fuzzy Hash: 2c719fdfa604481cbdb128b1468738d1cc3ca5fa4a6770069ffeb6decee9ba64
Instruction Fuzzy Hash: 6101529649E3C54FEB5347741C28290BFB06E2322079B42CBC4C1CB6EBE28C194AC326

Uniqueness

Uniqueness Score: -1.00%

Function 00A005E0 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1955071135.0000000000A00000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d2aeaa837a31bbf4550087627f6ddbead8005e4bdd5da96199a0adc32faa95
Instruction ID: 46f67ebafa00627b6fcd02b7d039e3d963a244d0b4afc52cf0a38c0d05804404
Opcode Fuzzy Hash: 11d2aeaa837a31bbf4550087627f6ddbead8005e4bdd5da96199a0adc32faa95
Instruction Fuzzy Hash: FF01867650D7846FD7118B16AC41862FFA8EF86520709C4DFEC898B652D225A809CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00A00606 Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1955071135.0000000000A00000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a00000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5568be3c15376bb6297f69f86572457103e84075f863ec8441dd2384eba88158
Instruction ID: 1a748c86eb28d9a6f6416cbf2acb1e7fa13bc74f1bf84826d8dbf530803d50eb
Opcode Fuzzy Hash: 5568be3c15376bb6297f69f86572457103e84075f863ec8441dd2384eba88158
Instruction Fuzzy Hash: 7FE092B66046044BD750CF0AEC41462F7D8EB84630708C07FDC0D8B711D275B508CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 009423F4 Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1954919001.0000000000942000.00000040.00000800.00020000.00000000.sdmp, Offset: 00942000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_942000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee79bde8398fd0b276580aa91a8f02483469bb0738d8afe275998fc7d8e8001
Instruction ID: 72a054d90e571705c3fce6e5e4abda66b22e58eff0724bb9468d4d0806128002
Opcode Fuzzy Hash: 0ee79bde8398fd0b276580aa91a8f02483469bb0738d8afe275998fc7d8e8001
Instruction Fuzzy Hash: D1D05E792096C14FD3169B1CC2A8FA537D8BB51714F8A44F9B8408BBB3CB68D9C5D640

Uniqueness

Uniqueness Score: -1.00%

Function 009423BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1954919001.0000000000942000.00000040.00000800.00020000.00000000.sdmp, Offset: 00942000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_942000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76870e9ae114e5d505f9cbd02ff5c434bd64738faf46f60fa864c0364629fea
Instruction ID: ca640176afc5b99dc4b05758199d7430fd6a4674efa516fcc7bb6f26e997d0f6
Opcode Fuzzy Hash: d76870e9ae114e5d505f9cbd02ff5c434bd64738faf46f60fa864c0364629fea
Instruction Fuzzy Hash: 0FD05E342006814BC715DF0CC2D4F5937E8BB40B14F1A44E8BC108B762C7B8DCC5CA00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: QsKtlzYaKF.exePID: 1608, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 007BA612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 007BA6B9

Memory Dump Source

Source File: 00000009.00000002.2065721018.00000000007BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ba000_QsKtlzYaKF.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 79497cf5580a2fda9f40cb06039e1b227b462100071c9787f0ff9ea24a6424c4
Instruction ID: b5ada96b2cd7d7ff37cf3d646869c9e88c2a6cc830814b80c5616b692ed7cc9b
Opcode Fuzzy Hash: 79497cf5580a2fda9f40cb06039e1b227b462100071c9787f0ff9ea24a6424c4
Instruction Fuzzy Hash: DD3193B15093806FE712CB25CC85B96BFF8EF06314F08849AE984CF292D375A909C772

Uniqueness

Uniqueness Score: -1.00%

Function 007BA361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,FB2AD30F,00000000,00000000,00000000,00000000), ref: 007BA40C

Memory Dump Source

Source File: 00000009.00000002.2065721018.00000000007BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ba000_QsKtlzYaKF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 162b9d244382cd08d302ce11878c025f87e11b60ab6c28cfb17c2f180fa91ee7
Instruction ID: 3e5c8f91189f34b916ab776283e70606619effb1169ee2a5f301f6da062ab149
Opcode Fuzzy Hash: 162b9d244382cd08d302ce11878c025f87e11b60ab6c28cfb17c2f180fa91ee7
Instruction Fuzzy Hash: C9316175505780AFD721CF15CC84F96BBF8EF06710F08849AE9858B292D364E949CB72

Uniqueness

Uniqueness Score: -1.00%

Function 007BA462 Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,FB2AD30F,00000000,00000000,00000000,00000000), ref: 007BA4F8

Memory Dump Source

Source File: 00000009.00000002.2065721018.00000000007BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ba000_QsKtlzYaKF.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 00aa2069626c5c2bff3eb8e71cd85e7bf60145638004562617949fbb33f69c35
Instruction ID: 57054840922ee4af657586739befdeed5be516b94a342993447ea03b6c3c04c7
Opcode Fuzzy Hash: 00aa2069626c5c2bff3eb8e71cd85e7bf60145638004562617949fbb33f69c35
Instruction Fuzzy Hash: A2218EB25043806FDB228F15DC44FA7BFBCEF46210F08849AE985CB652D264E948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 007BA646 Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 007BA6B9

Memory Dump Source

Source File: 00000009.00000002.2065721018.00000000007BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ba000_QsKtlzYaKF.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: d9bb0935e6f48b6fd598cce21d56e96ad83f3c7472a1b6b6728bc8c5af3bf93f
Instruction ID: 23f6551c71a3dd8021967a2c164d6b1f2bca7031949318c39f6a7b780ef22930
Opcode Fuzzy Hash: d9bb0935e6f48b6fd598cce21d56e96ad83f3c7472a1b6b6728bc8c5af3bf93f
Instruction Fuzzy Hash: B121A4B1604244AFE720DF25CD85BAAFBE8EF04314F088469ED48CB741D775E909CA76

Uniqueness

Uniqueness Score: -1.00%

Function 007BA710 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 007BA780

Memory Dump Source

Source File: 00000009.00000002.2065721018.00000000007BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ba000_QsKtlzYaKF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 335df7d4aba37c251884877d767a0f91162756240106e4265402cdbdf3dc74cb
Instruction ID: 7d5f5fbcec2a9f16f0ef90154c746bdce42a59517a30923a6090363dc35e0ded
Opcode Fuzzy Hash: 335df7d4aba37c251884877d767a0f91162756240106e4265402cdbdf3dc74cb
Instruction Fuzzy Hash: EF21F3B55093809FDB128F25DC85792BFB8EF02320F0880EBDC848B653D2259909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 007BA392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,FB2AD30F,00000000,00000000,00000000,00000000), ref: 007BA40C

Memory Dump Source

Source File: 00000009.00000002.2065721018.00000000007BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ba000_QsKtlzYaKF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: dc2e6138d9e4a68b4e15cb227035f54fe356ede5e7bc57d04aec07a6c8a51558
Instruction ID: 4e7017f4e44977579fb92be2a69db7e0a92992c9f58e8676b8cad3afaf39a45a
Opcode Fuzzy Hash: dc2e6138d9e4a68b4e15cb227035f54fe356ede5e7bc57d04aec07a6c8a51558
Instruction Fuzzy Hash: 1921AF75600644AFEB20DF15CC84FA6F7ECEF04710F18846AE949CB651D7A4E949CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 007BA486 Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,FB2AD30F,00000000,00000000,00000000,00000000), ref: 007BA4F8

Memory Dump Source

Source File: 00000009.00000002.2065721018.00000000007BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ba000_QsKtlzYaKF.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 6616df3084d04e7a0c7515fc5a33fd893b1f5779bf0c8babcf0e7c9d3ad9024e
Instruction ID: f96266775a64da2026bb1c3dac8e22b5a7715ed09e874ca85ed54c42639d018e
Opcode Fuzzy Hash: 6616df3084d04e7a0c7515fc5a33fd893b1f5779bf0c8babcf0e7c9d3ad9024e
Instruction Fuzzy Hash: 5811BEB2600644AFEB30DE15CC44FAABBECEF04710F04845AED498A651D364E9488AB2

Uniqueness

Uniqueness Score: -1.00%

Function 007BA74E Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 007BA780

Memory Dump Source

Source File: 00000009.00000002.2065721018.00000000007BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ba000_QsKtlzYaKF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: cc3599a67dd9f794a6b32166fd67b0ea52354359fe8d98efa97428434a472e6e
Instruction ID: 48dd038ecaa9f49552423359d943fdaed75ae9f0f8b41bf774e7eeac92a76e7a
Opcode Fuzzy Hash: cc3599a67dd9f794a6b32166fd67b0ea52354359fe8d98efa97428434a472e6e
Instruction Fuzzy Hash: 5201DF71A04200AFEB10DF25D9847A6FBE4DF04320F08C4ABDD498B756D679E848CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C9026D Relevance: .5, Instructions: 522
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2066277033.0000000000C90000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c90000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a19a6083696d808abd87fbb439202754618b76d0bb2c5360e5d50fc232b28c55
Instruction ID: e7e499aae112c8cd34d996f91c6e37f311e6abcbcb0a53257e5b91ca3bbf3a60
Opcode Fuzzy Hash: a19a6083696d808abd87fbb439202754618b76d0bb2c5360e5d50fc232b28c55
Instruction Fuzzy Hash: CB31DDA244E3C04FD7038B359D65161BFB0AE53224B1E81DBD889CF5A3D26D980AC763

Uniqueness

Uniqueness Score: -1.00%

Function 049A0310 Relevance: .2, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2066564745.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_49a0000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01fa9ce566ac033187116d9ef320e18f244aa9c4c7315445038bc0c1e44b4c12
Instruction ID: edd2d4a1c0e61a9234b10b3454cc8cad8e9967be5c792f45629ea3355c0cd632
Opcode Fuzzy Hash: 01fa9ce566ac033187116d9ef320e18f244aa9c4c7315445038bc0c1e44b4c12
Instruction Fuzzy Hash: 72512330B042008FC718EB798854ABD77E7AF85304B148579E006DB7D5EF39ED0A97A2

Uniqueness

Uniqueness Score: -1.00%

Function 049A03BD Relevance: .1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2066564745.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_49a0000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a6db632e6a06f6a65d0f5fcd79f3cbc1ef4f9632374316c1b937b398ea88eb
Instruction ID: fb88c49fee49221851866b945ae84e55ac948c6763b4539beabd5cce390e41e4
Opcode Fuzzy Hash: 33a6db632e6a06f6a65d0f5fcd79f3cbc1ef4f9632374316c1b937b398ea88eb
Instruction Fuzzy Hash: 5241E330B046108BDB18BBBD84187BD76D79FC53487048469E006EB795EF29DD0A97E3

Uniqueness

Uniqueness Score: -1.00%

Function 049A0080 Relevance: .1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2066564745.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_49a0000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54865c8288d39b93c0d8a85d57848eb820eca20b2f45bab5e4b3e3646600a54e
Instruction ID: 5257b49dcaf7318d66061e1f210132024aa535ad947cbcdba45dcc02a27eb32c
Opcode Fuzzy Hash: 54865c8288d39b93c0d8a85d57848eb820eca20b2f45bab5e4b3e3646600a54e
Instruction Fuzzy Hash: A1511130616A46CBC704FF7DE59998A77F2BB85208700CAADD0448B76EDF34595ECB82

Uniqueness

Uniqueness Score: -1.00%

Function 00C905E0 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2066277033.0000000000C90000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c90000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66c68a39310c52adf7f123b8f92d0fc48d038c827523b43af8b72f3ddfd11a7
Instruction ID: 928ef855f3228dfc3c6ac0d52b67ae683b42bae703035df7df3af75be72c398d
Opcode Fuzzy Hash: a66c68a39310c52adf7f123b8f92d0fc48d038c827523b43af8b72f3ddfd11a7
Instruction Fuzzy Hash: 5F0186B650D7806FD7118B06AD40862FFB8EF8662070984DFEC498B652D225A808CB76

Uniqueness

Uniqueness Score: -1.00%

Function 049A0006 Relevance: .0, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2066564745.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_49a0000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1fe574b94ee739ceaf6b060472efd3eba34e4ab1d82b386fc0efb06800d51d8
Instruction ID: b4fe6358ddd36010a0a097d87d512e5ffb81ab43056ec46e2c413991e7eb10d2
Opcode Fuzzy Hash: a1fe574b94ee739ceaf6b060472efd3eba34e4ab1d82b386fc0efb06800d51d8
Instruction Fuzzy Hash: 6201FE8544E3C25FE70743701C789947FB0AE47105B4A81DBD990CB9A7D54C298AD762

Uniqueness

Uniqueness Score: -1.00%

Function 00C90606 Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2066277033.0000000000C90000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c90000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d6db7e43667e2a06cb294b35b439d6add704b0e01bb56cc5bb66e6c8a1d1ec
Instruction ID: 41aeda7d43d9f0bbfb4b20181e1ecc93d4e7e8eed42368d79575b20c294678e9
Opcode Fuzzy Hash: 62d6db7e43667e2a06cb294b35b439d6add704b0e01bb56cc5bb66e6c8a1d1ec
Instruction Fuzzy Hash: 2FE092B6A046044BD650DF0AED81452F7D8EB84630718C07FDC0D8B711D635B508CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 007B23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065703116.00000000007B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 007B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b2000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2aef786ce693c3d126bd91b4d0eae3dcffcb0fe924688e22641edf619e9383d
Instruction ID: 23e2a45a7fad48db60053356d80f01158362849de4ef0d34415c1414ee5cb0a1
Opcode Fuzzy Hash: f2aef786ce693c3d126bd91b4d0eae3dcffcb0fe924688e22641edf619e9383d
Instruction Fuzzy Hash: 75D02E793026C04FD3128A0CC2A8BC53BD4AF40704F0A00F9A8008BB63C72CDCC6C200

Uniqueness

Uniqueness Score: -1.00%

Function 007B23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2065703116.00000000007B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 007B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b2000_QsKtlzYaKF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70fc87ee2b636c064b6ad0cb9b0f30bea8c2d2b44495404c5e717f2ed12bc844
Instruction ID: ad10fde49838663adcd3372d7a2669f13ba491b954095a94261684a72f566f5f
Opcode Fuzzy Hash: 70fc87ee2b636c064b6ad0cb9b0f30bea8c2d2b44495404c5e717f2ed12bc844
Instruction Fuzzy Hash: 14D05E342016814BC715DA0CC2D4F9937D4AB44714F1A44E8BC108B762C7BCD8C6CA00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QsKtlzYaKF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\QsKtlzYaKF.exe.log

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a502d6936d522819db45a43677dc3f7c.exe:Zone.Identifier

C:\autorun.inf

C:\svchost.exe

C:\svchost.exe:Zone.Identifier

\Device\ConDrv

Static File Info

Windows Analysis Report
QsKtlzYaKF.exe

Function 056010A8 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Function 05601099 Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Function 05761E0A Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Function 05762DF2 Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Function 05760F4F Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Function 05761B7C Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 0173AA52 Relevance: 1.6, APIs: 1, Instructions: 91
registryCOMMON

Function 05761A74 Relevance: 1.6, APIs: 1, Instructions: 91
timeCOMMON

Function 0173A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON