Edit tour

Windows Analysis Report
pQBmVoyRnw.exe

Overview

General Information

Sample name:	pQBmVoyRnw.exe renamed because original name is a hash value
Original sample name:	16c7b2832ce255d5da4a5d85a4089758.exe
Analysis ID:	1361720
MD5:	16c7b2832ce255d5da4a5d85a4089758
SHA1:	80ed8b75ae30bc4df6671c5bca8084aba2148ef4
SHA256:	fd13ed8d469c4cb5507716feee5c7139c38957b48a4ebff2d40d7a9269884387
Tags:	exenjratRAT
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Drops fake system file at system root drive

Snort IDS alert for network traffic

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to log keystrokes (.Net Source)

Creates autorun.inf (USB autostart)

Drops PE files to the user root directory

Drops PE files with benign system names

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Protects its processes via BreakOnTermination flag

Uses netsh to modify the Windows network and firewall settings

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

pQBmVoyRnw.exe (PID: 5408 cmdline: C:\Users\user\Desktop\pQBmVoyRnw.exe MD5: 16C7B2832CE255D5DA4A5D85A4089758)

System.exe (PID: 4488 cmdline: "C:\Users\user\System.exe" MD5: 16C7B2832CE255D5DA4A5D85A4089758)

netsh.exe (PID: 5764 cmdline: netsh firewall add allowedprogram "C:\Users\user\System.exe" "System.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 2844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "2.tcp.eu.ngrok.io", "Port": "18490", "Version": "im523", "Campaign ID": "GODLI", "Install Name": "System.exe", "Install Dir": "UserProfile"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
pQBmVoyRnw.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
pQBmVoyRnw.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7f08:$a3: Download ERROR 0x81fa:$a5: netsh firewall delete allowedprogram "
pQBmVoyRnw.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80f0:$a1: netsh firewall add allowedprogram 0x82ea:$b1: [TAP] 0x8290:$b2: & exit 0x825c:$c1: md.exe /k ping 0 & del
pQBmVoyRnw.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81fa:$s1: netsh firewall delete allowedprogram 0x80f0:$s2: netsh firewall add allowedprogram 0x825a:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ee4:$s4: Execute ERROR 0x7f44:$s4: Execute ERROR 0x7f08:$s5: Download ERROR 0x82a0:$s6: [kl]

Dropped Files

Source	Rule	Description	Author	Strings
C:\svchost.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\svchost.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7f08:$a3: Download ERROR 0x81fa:$a5: netsh firewall delete allowedprogram "
C:\svchost.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80f0:$a1: netsh firewall add allowedprogram 0x82ea:$b1: [TAP] 0x8290:$b2: & exit 0x825c:$c1: md.exe /k ping 0 & del
C:\svchost.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81fa:$s1: netsh firewall delete allowedprogram 0x80f0:$s2: netsh firewall add allowedprogram 0x825a:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ee4:$s4: Execute ERROR 0x7f44:$s4: Execute ERROR 0x7f08:$s5: Download ERROR 0x82a0:$s6: [kl]
C:\Users\user\System.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\System.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7f08:$a3: Download ERROR 0x81fa:$a5: netsh firewall delete allowedprogram "
C:\Users\user\System.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80f0:$a1: netsh firewall add allowedprogram 0x82ea:$b1: [TAP] 0x8290:$b2: & exit 0x825c:$c1: md.exe /k ping 0 & del
C:\Users\user\System.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81fa:$s1: netsh firewall delete allowedprogram 0x80f0:$s2: netsh firewall add allowedprogram 0x825a:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ee4:$s4: Execute ERROR 0x7f44:$s4: Execute ERROR 0x7f08:$s5: Download ERROR 0x82a0:$s6: [kl]
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1651277682.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.1651277682.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x62c1:$a1: get_Registry 0x7d08:$a3: Download ERROR 0x7ffa:$a5: netsh firewall delete allowedprogram "
00000000.00000000.1651277682.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x7ef0:$a1: netsh firewall add allowedprogram 0x80ea:$b1: [TAP] 0x8090:$b2: & exit 0x805c:$c1: md.exe /k ping 0 & del
00000001.00000002.4111124324.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: pQBmVoyRnw.exe PID: 5408	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: System.exe PID: 4488	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.pQBmVoyRnw.exe.ee0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.pQBmVoyRnw.exe.ee0000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7f08:$a3: Download ERROR 0x81fa:$a5: netsh firewall delete allowedprogram "
0.0.pQBmVoyRnw.exe.ee0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80f0:$a1: netsh firewall add allowedprogram 0x82ea:$b1: [TAP] 0x8290:$b2: & exit 0x825c:$c1: md.exe /k ping 0 & del
0.0.pQBmVoyRnw.exe.ee0000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81fa:$s1: netsh firewall delete allowedprogram 0x80f0:$s2: netsh firewall add allowedprogram 0x825a:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ee4:$s4: Execute ERROR 0x7f44:$s4: Execute ERROR 0x7f08:$s5: Download ERROR 0x82a0:$s6: [kl]

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Drops fake system file at system root drive

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\System.exe, ProcessId: 4488, TargetFilename: C:\svchost.exe

Snort Signatures

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649742184902814856 12/13/23-20:59:05.476604
SID:	2814856
Source Port:	49742
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649741184902814856 12/13/23-20:58:48.936323
SID:	2814856
Source Port:	49741
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949745184902814856 12/13/23-21:00:01.573922
SID:	2814856
Source Port:	49745
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949744184902814856 12/13/23-20:59:39.970423
SID:	2814856
Source Port:	49744
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649740184902814856 12/13/23-20:58:31.218361
SID:	2814856
Source Port:	49740
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949746184902814856 12/13/23-21:00:14.421142
SID:	2814856
Source Port:	49746
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949735184902033132 12/13/23-20:57:35.118070
SID:	2033132
Source Port:	49735
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949736184902033132 12/13/23-20:57:37.678304
SID:	2033132
Source Port:	49736
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949735184902825563 12/13/23-20:57:35.360179
SID:	2825563
Source Port:	49735
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849748184902033132 12/13/23-21:00:35.097288
SID:	2033132
Source Port:	49748
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949736184902825563 12/13/23-20:57:37.919447
SID:	2825563
Source Port:	49736
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949729184902814856 12/13/23-20:57:12.551556
SID:	2814856
Source Port:	49729
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949745184902814860 12/13/23-21:00:04.191355
SID:	2814860
Source Port:	49745
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949736184902825564 12/13/23-20:57:41.941315
SID:	2825564
Source Port:	49736
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949738184902825564 12/13/23-20:58:06.222500
SID:	2825564
Source Port:	49738
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849749184902033132 12/13/23-21:00:49.784107
SID:	2033132
Source Port:	49749
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949738184902825563 12/13/23-20:57:57.039800
SID:	2825563
Source Port:	49738
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949729184902033132 12/13/23-20:57:12.311856
SID:	2033132
Source Port:	49729
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649740184902814860 12/13/23-20:58:34.292329
SID:	2814860
Source Port:	49740
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849748184902825563 12/13/23-21:00:35.340154
SID:	2825563
Source Port:	49748
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949746184902814860 12/13/23-21:00:20.521339
SID:	2814860
Source Port:	49746
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949738184902033132 12/13/23-20:57:56.798992
SID:	2033132
Source Port:	49738
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649742184902814860 12/13/23-20:59:22.207993
SID:	2814860
Source Port:	49742
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849748184902825564 12/13/23-21:00:43.961202
SID:	2825564
Source Port:	49748
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949736184902814860 12/13/23-20:57:41.941315
SID:	2814860
Source Port:	49736
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949745184902825563 12/13/23-21:00:01.573922
SID:	2825563
Source Port:	49745
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649741184902814860 12/13/23-20:58:50.550982
SID:	2814860
Source Port:	49741
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649742184902033132 12/13/23-20:59:05.233882
SID:	2033132
Source Port:	49742
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949744184902825563 12/13/23-20:59:39.970423
SID:	2825563
Source Port:	49744
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949743184902825564 12/13/23-20:59:36.738003
SID:	2825564
Source Port:	49743
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949738184902814860 12/13/23-20:58:06.222500
SID:	2814860
Source Port:	49738
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949729184902814860 12/13/23-20:57:17.144904
SID:	2814860
Source Port:	49729
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649741184902033132 12/13/23-20:58:48.693931
SID:	2033132
Source Port:	49741
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949743184902825563 12/13/23-20:59:29.420656
SID:	2825563
Source Port:	49743
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649740184902033132 12/13/23-20:58:30.976409
SID:	2033132
Source Port:	49740
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849747184902825563 12/13/23-21:00:31.845369
SID:	2825563
Source Port:	49747
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849747184902825564 12/13/23-21:00:32.601428
SID:	2825564
Source Port:	49747
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849747184902814856 12/13/23-21:00:31.845369
SID:	2814856
Source Port:	49747
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949736184902814856 12/13/23-20:57:37.919447
SID:	2814856
Source Port:	49736
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649739184902814860 12/13/23-20:58:28.703174
SID:	2814860
Source Port:	49739
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949735184902814856 12/13/23-20:57:35.360179
SID:	2814856
Source Port:	49735
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949744184902033132 12/13/23-20:59:39.730343
SID:	2033132
Source Port:	49744
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949743184902033132 12/13/23-20:59:29.178728
SID:	2033132
Source Port:	49743
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949745184902033132 12/13/23-21:00:01.333423
SID:	2033132
Source Port:	49745
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949745184902825564 12/13/23-21:00:04.191355
SID:	2825564
Source Port:	49745
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949746184902033132 12/13/23-21:00:14.180570
SID:	2033132
Source Port:	49746
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849748184902814860 12/13/23-21:00:46.399246
SID:	2814860
Source Port:	49748
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949746184902825564 12/13/23-21:00:20.521339
SID:	2825564
Source Port:	49746
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649739184902814856 12/13/23-20:58:12.572286
SID:	2814856
Source Port:	49739
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949746184902825563 12/13/23-21:00:14.421142
SID:	2825563
Source Port:	49746
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949738184902814856 12/13/23-20:57:57.039800
SID:	2814856
Source Port:	49738
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649739184902825564 12/13/23-20:58:28.503388
SID:	2825564
Source Port:	49739
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949729184902825563 12/13/23-20:57:12.551556
SID:	2825563
Source Port:	49729
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949729184902825564 12/13/23-20:57:17.144904
SID:	2825564
Source Port:	49729
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949743184902814860 12/13/23-20:59:37.308006
SID:	2814860
Source Port:	49743
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849747184902814860 12/13/23-21:00:32.601428
SID:	2814860
Source Port:	49747
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849747184902033132 12/13/23-21:00:31.603382
SID:	2033132
Source Port:	49747
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649739184902033132 12/13/23-20:58:12.331562
SID:	2033132
Source Port:	49739
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649740184902825564 12/13/23-20:58:34.292329
SID:	2825564
Source Port:	49740
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649741184902825564 12/13/23-20:58:50.550982
SID:	2825564
Source Port:	49741
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649741184902825563 12/13/23-20:58:48.936323
SID:	2825563
Source Port:	49741
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649740184902825563 12/13/23-20:58:31.218361
SID:	2825563
Source Port:	49740
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849749184902814856 12/13/23-21:00:50.028478
SID:	2814856
Source Port:	49749
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949743184902814856 12/13/23-20:59:29.420656
SID:	2814856
Source Port:	49743
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649742184902825564 12/13/23-20:59:22.207993
SID:	2825564
Source Port:	49742
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849748184902814856 12/13/23-21:00:35.340154
SID:	2814856
Source Port:	49748
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649742184902825563 12/13/23-20:59:05.476604
SID:	2825563
Source Port:	49742
Destination Port:	18490
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: pQBmVoyRnw.exe

Avira: detected

Antivirus detection for URL or domain

Source: 2.tcp.eu.ngrok.io

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\System.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\svchost.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen

Found malware configuration

Source: 00000001.00000002.4111124324.0000000002E71000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Njrat {"Host": "2.tcp.eu.ngrok.io", "Port": "18490", "Version": "im523", "Campaign ID": "GODLI", "Install Name": "System.exe", "Install Dir": "UserProfile"}

Yara detected Njrat

Source: Yara match	File source: pQBmVoyRnw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.pQBmVoyRnw.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1651277682.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4111124324.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pQBmVoyRnw.exe PID: 5408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 4488, type: MEMORYSTR
Source: Yara match	File source: C:\svchost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\System.exe, type: DROPPED

Machine Learning detection for dropped file

Source: C:\Users\user\System.exe	Joe Sandbox ML: detected
Source: C:\svchost.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: pQBmVoyRnw.exe

Joe Sandbox ML: detected

Source: pQBmVoyRnw.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\pQBmVoyRnw.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: pQBmVoyRnw.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Creates autorun.inf (USB autostart)

Source: C:\Users\user\System.exe

File created: C:\autorun.inf

Jump to behavior

Source: pQBmVoyRnw.exe, 00000000.00000002.1719583733.0000000003711000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: pQBmVoyRnw.exe, 00000000.00000002.1719583733.0000000003711000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: pQBmVoyRnw.exe, 00000000.00000000.1651277682.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: pQBmVoyRnw.exe, 00000000.00000000.1651277682.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: System.exe, 00000001.00000002.4111124324.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: System.exe, 00000001.00000002.4111124324.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: pQBmVoyRnw.exe	Binary or memory string: autorun.inf
Source: pQBmVoyRnw.exe	Binary or memory string: [autorun]
Source: autorun.inf.1.dr	Binary or memory string: [autorun]
Source: System.exe.0.dr	Binary or memory string: autorun.inf
Source: System.exe.0.dr	Binary or memory string: [autorun]
Source: svchost.exe.1.dr	Binary or memory string: autorun.inf
Source: svchost.exe.1.dr	Binary or memory string: [autorun]

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49729 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49729 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49729 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49729 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49729 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49735 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49735 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49735 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49736 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49736 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49736 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49736 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49736 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49738 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49738 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49738 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49738 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49738 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49739 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49739 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49739 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49739 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49740 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49740 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49740 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49740 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49740 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49741 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49741 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49741 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49741 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49741 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49742 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49742 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49742 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49742 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49742 -> 18.192.93.86:18490
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49743 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49743 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49743 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49743 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49743 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49744 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49744 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49744 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49745 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49745 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49745 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49745 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49745 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49746 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49746 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49746 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49746 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49746 -> 18.156.13.209:18490
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49747 -> 3.126.37.18:18490
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49747 -> 3.126.37.18:18490
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49747 -> 3.126.37.18:18490
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49747 -> 3.126.37.18:18490
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49747 -> 3.126.37.18:18490
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49748 -> 3.126.37.18:18490
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49748 -> 3.126.37.18:18490
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49748 -> 3.126.37.18:18490
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49748 -> 3.126.37.18:18490
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49748 -> 3.126.37.18:18490
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49749 -> 3.126.37.18:18490
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49749 -> 3.126.37.18:18490

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 2.tcp.eu.ngrok.io

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 18.192.93.86 ports 18490,0,1,4,8,9
Source: global traffic	TCP traffic: 18.156.13.209 ports 18490,0,1,4,8,9
Source: global traffic	TCP traffic: 3.126.37.18 ports 18490,0,1,4,8,9

Source: global traffic	TCP traffic: 192.168.2.4:49729 -> 18.156.13.209:18490
Source: global traffic	TCP traffic: 192.168.2.4:49739 -> 18.192.93.86:18490
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 3.126.37.18:18490

Source: Joe Sandbox View	IP Address: 18.156.13.209 18.156.13.209
Source: Joe Sandbox View	IP Address: 18.192.93.86 18.192.93.86

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: 2.tcp.eu.ngrok.io

Source: pQBmVoyRnw.exe, System.exe.0.dr, svchost.exe.1.dr

String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: pQBmVoyRnw.exe, kl.cs	.Net Code: VKCodeToUnicode
Source: System.exe.0.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: svchost.exe.1.dr, kl.cs	.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: pQBmVoyRnw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.pQBmVoyRnw.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1651277682.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4111124324.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pQBmVoyRnw.exe PID: 5408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 4488, type: MEMORYSTR
Source: Yara match	File source: C:\svchost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\System.exe, type: DROPPED

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\System.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: pQBmVoyRnw.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: pQBmVoyRnw.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: pQBmVoyRnw.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.pQBmVoyRnw.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.pQBmVoyRnw.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.pQBmVoyRnw.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.1651277682.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1651277682.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\svchost.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\svchost.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\svchost.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\System.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\System.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\System.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen

Source: C:\Users\user\System.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\System.exe	Code function: 1_2_00E7BEF2 NtSetInformationProcess,	1_2_00E7BEF2
Source: C:\Users\user\System.exe	Code function: 1_2_00E7BED0 NtSetInformationProcess,	1_2_00E7BED0
Source: C:\Users\user\System.exe	Code function: 1_2_053603CA NtQuerySystemInformation,	1_2_053603CA
Source: C:\Users\user\System.exe	Code function: 1_2_0536038F NtQuerySystemInformation,	1_2_0536038F

Source: pQBmVoyRnw.exe, 00000000.00000002.1719025183.00000000013FE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs pQBmVoyRnw.exe

Source: pQBmVoyRnw.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: pQBmVoyRnw.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: pQBmVoyRnw.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: pQBmVoyRnw.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.pQBmVoyRnw.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.pQBmVoyRnw.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.pQBmVoyRnw.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.1651277682.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1651277682.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\svchost.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\svchost.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\svchost.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\System.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\System.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\System.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@6/7@4/3

Source: C:\Users\user\System.exe	Code function: 1_2_00E7BBA2 AdjustTokenPrivileges,		1_2_00E7BBA2
Source: C:\Users\user\System.exe	Code function: 1_2_00E7BB6B AdjustTokenPrivileges,		1_2_00E7BB6B

Source: C:\Users\user\Desktop\pQBmVoyRnw.exe

File created: C:\Users\user\System.exe

Jump to behavior

Source: C:\Users\user\System.exe	Mutant created: \Sessions\1\BaseNamedObjects\d5ffed427806ca0dc3382688f90c0697
Source: C:\Users\user\System.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2844:120:WilError_03

Source: pQBmVoyRnw.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: pQBmVoyRnw.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\System.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\System.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\System.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\pQBmVoyRnw.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\pQBmVoyRnw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\pQBmVoyRnw.exe

File read: C:\Users\user\Desktop\pQBmVoyRnw.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\pQBmVoyRnw.exe C:\Users\user\Desktop\pQBmVoyRnw.exe
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process created: C:\Users\user\System.exe "C:\Users\user\System.exe"
Source: C:\Users\user\System.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\System.exe" "System.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process created: C:\Users\user\System.exe "C:\Users\user\System.exe"	Jump to behavior
Source: C:\Users\user\System.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\System.exe" "System.exe" ENABLE	Jump to behavior

Source: C:\Users\user\System.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\System.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: pQBmVoyRnw.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\pQBmVoyRnw.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: pQBmVoyRnw.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: pQBmVoyRnw.exe, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: System.exe.0.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: svchost.exe.1.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Code function: 0_2_01872684 push dword ptr [edx]; retf	0_2_0187268E
Source: C:\Users\user\System.exe	Code function: 1_2_00E72FC5 push FFFFFFE4h; ret	1_2_00E73002
Source: C:\Users\user\System.exe	Code function: 1_2_00E72C21 pushad ; retf	1_2_00E72C2A
Source: C:\Users\user\System.exe	Code function: 1_2_00E73005 push edx; retf	1_2_00E7300E
Source: C:\Users\user\System.exe	Code function: 1_2_00E72684 push dword ptr [edx]; retf	1_2_00E7268E
Source: C:\Users\user\System.exe	Code function: 1_2_00E72F08 push esi; iretd	1_2_00E72F12

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\System.exe

File created: C:\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	File created: C:\Users\user\System.exe			Jump to dropped file
Source: C:\Users\user\System.exe	File created: C:\svchost.exe			Jump to dropped file

Source: C:\Users\user\Desktop\pQBmVoyRnw.exe

File created: C:\Users\user\System.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\pQBmVoyRnw.exe

File created: C:\Users\user\System.exe

Jump to dropped file

Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pQBmVoyRnw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\pQBmVoyRnw.exe

Code function: 0_2_018B026D rdtsc

0_2_018B026D

Source: C:\Users\user\Desktop\pQBmVoyRnw.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\System.exe	Window / User API: threadDelayed 3270	Jump to behavior
Source: C:\Users\user\System.exe	Window / User API: threadDelayed 5090	Jump to behavior
Source: C:\Users\user\System.exe	Window / User API: foregroundWindowGot 382	Jump to behavior
Source: C:\Users\user\System.exe	Window / User API: foregroundWindowGot 1368	Jump to behavior

Source: C:\Users\user\Desktop\pQBmVoyRnw.exe TID: 6784	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\System.exe TID: 2852	Thread sleep time: -275000s >= -30000s	Jump to behavior
Source: C:\Users\user\System.exe TID: 2852	Thread sleep time: -5090000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\pQBmVoyRnw.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: System.exe, 00000001.00000002.4110539339.000000000102F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpersistenceProvider" type="System.ServiceModel.Configuration.PersistenceProviderElement, System.WorkflowServices, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
Source: System.exe, 00000001.00000002.4110539339.000000000102F000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000002.1785140830.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\System.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\pQBmVoyRnw.exe

Code function: 0_2_018B026D rdtsc

0_2_018B026D

Source: C:\Users\user\System.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\pQBmVoyRnw.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: pQBmVoyRnw.exe, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: pQBmVoyRnw.exe, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: pQBmVoyRnw.exe, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: C:\Users\user\Desktop\pQBmVoyRnw.exe

Process created: C:\Users\user\System.exe "C:\Users\user\System.exe"

Jump to behavior

Source: System.exe, 00000001.00000002.4111124324.000000000326C000.00000004.00000800.00020000.00000000.sdmp, System.exe, 00000001.00000002.4111124324.00000000030D8000.00000004.00000800.00020000.00000000.sdmp, System.exe, 00000001.00000002.4111124324.0000000003212000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: System.exe, 00000001.00000002.4111124324.000000000309E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.*lL
Source: System.exe, 00000001.00000002.4111124324.0000000002EDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.*lP
Source: System.exe, 00000001.00000002.4110539339.000000000102F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Rh Program Manager
Source: System.exe, 00000001.00000002.4111124324.000000000326C000.00000004.00000800.00020000.00000000.sdmp, System.exe, 00000001.00000002.4111124324.00000000030D8000.00000004.00000800.00020000.00000000.sdmp, System.exe, 00000001.00000002.4111124324.0000000003212000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9*l
Source: System.exe, 00000001.00000002.4111124324.00000000030AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.*lt
Source: System.exe, 00000001.00000002.4111124324.000000000326C000.00000004.00000800.00020000.00000000.sdmp, System.exe, 00000001.00000002.4111124324.00000000032A2000.00000004.00000800.00020000.00000000.sdmp, System.exe, 00000001.00000002.4111124324.0000000002EDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program manager
Source: System.exe, 00000001.00000002.4111124324.00000000030D8000.00000004.00000800.00020000.00000000.sdmp, System.exe, 00000001.00000002.4111124324.0000000003096000.00000004.00000800.00020000.00000000.sdmp, System.exe, 00000001.00000002.4111124324.0000000003168000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.*l
Source: System.exe, 00000001.00000002.4111124324.0000000002EDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.*lD

Source: C:\Users\user\System.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\System.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\System.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\System.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\System.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\System.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\System.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Users\user\System.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\System.exe" "System.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\System.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\System.exe" "System.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: pQBmVoyRnw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.pQBmVoyRnw.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1651277682.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4111124324.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pQBmVoyRnw.exe PID: 5408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 4488, type: MEMORYSTR
Source: Yara match	File source: C:\svchost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\System.exe, type: DROPPED

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: pQBmVoyRnw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.pQBmVoyRnw.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1651277682.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4111124324.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pQBmVoyRnw.exe PID: 5408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 4488, type: MEMORYSTR
Source: Yara match	File source: C:\svchost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\System.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
11 Replication Through Removable Media	1 Native API	Path Interception	1 Access Token Manipulation	211 Masquerading	1 Input Capture	11 Security Software Discovery	11 Replication Through Removable Media	1 Input Capture	Exfiltration Over Other Network Medium	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	12 Process Injection	21 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Process Injection	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
pQBmVoyRnw.exe	100%	Avira	TR/ATRAPS.Gen
pQBmVoyRnw.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\System.exe	100%	Avira	TR/ATRAPS.Gen
C:\svchost.exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\System.exe	100%	Joe Sandbox ML
C:\svchost.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
2.tcp.eu.ngrok.io	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
2.tcp.eu.ngrok.io	18.156.13.209	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
2.tcp.eu.ngrok.io	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0	pQBmVoyRnw.exe, System.exe.0.dr, svchost.exe.1.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
18.156.13.209	2.tcp.eu.ngrok.io	United States	16509	AMAZON-02US	true
18.192.93.86	unknown	United States	16509	AMAZON-02US	true
3.126.37.18	unknown	United States	16509	AMAZON-02US	true

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1361720
Start date and time:	2023-12-13 20:56:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	pQBmVoyRnw.exe renamed because original name is a hash value
Original Sample Name:	16c7b2832ce255d5da4a5d85a4089758.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@6/7@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 159 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: pQBmVoyRnw.exe

Simulations

Behavior and APIs

Time	Type	Description
20:57:41	API Interceptor	165956x Sleep call for process: System.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
18.156.13.209	http://www.sdrclm.cn/vendor/phpdocumentor/P800/P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	RedLine	Browse	2.tcp.eu.ngrok.io:17685/
18.192.93.86	P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	RedLine	Browse	2.tcp.eu.ngrok.io:17685/
18.192.93.86	http://www.sdrclm.cn/vendor/phpdocumentor/P800/P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	RedLine	Browse	2.tcp.eu.ngrok.io:17685/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
2.tcp.eu.ngrok.io	RWqHoCWEPI.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	EB4B6878310B1E2843C964E02EC1782AACB518E32777A.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	NezbdhNgwG.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	xdPdkPMD8u.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	VBUXm77rfL.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	1UGdjTlX5v.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	kXghM8bJcm.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	OUXkIxeP6k.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	QzzmZiGinp.exe	Get hash	malicious	Njrat	Browse	18.156.13.209
	eI43OwXSvq.exe	Get hash	malicious	Njrat	Browse	18.197.239.5
	p0zYXkMETE.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	i9z1c1OtFb.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	aF73k2XwGj.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	7XyFhq6BDj.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	JYGc3o49WE.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	J6VIiRgq3w.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	cTUu5Po5Hy.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	7JdbeSrZ6s.exe	Get hash	malicious	Njrat	Browse	3.127.138.57
	KcWQQO3nZP.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	zep8vTa4sg.exe	Get hash	malicious	Njrat	Browse	18.156.13.209

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://u4922463.ct.sendgrid.net/ls/click?upn=EB1qBpEZOb0BeY3tFaEyZfbXNl0dzqCPs4IuBvxtn-2F8-3DBHSV_h9nYqBb8GTsRYM3XAu-2F7B3Zz9iJrBjlG6gAH4RrjXu04CxVIgslWhpFkLLOpnrDIxZdKkXtB0dsi4uCFiwXe-2BQuDcHYiOhVmiiGVX2UJrKAriQ2bhMzb3GHHCkgidjzlGWZXL8e3C2KMNQf6Q9oOiJZG5kFCMY00KCJ589z8lox3yd2Wd4fgbhfYLKnoZmDbSrIN1z12kWhP-2FNNvM47oHj6AF02MfILuyLAatTZfpYA-3D	Get hash	malicious	Unknown	Browse	18.141.17.51
	https://u4922463.ct.sendgrid.net/ls/click?upn=EB1qBpEZOb0BeY3tFaEyZfbXNl0dzqCPs4IuBvxtn-2F8-3DBHSV_h9nYqBb8GTsRYM3XAu-2F7B3Zz9iJrBjlG6gAH4RrjXu04CxVIgslWhpFkLLOpnrDIxZdKkXtB0dsi4uCFiwXe-2BQuDcHYiOhVmiiGVX2UJrKAriQ2bhMzb3GHHCkgidjzlGWZXL8e3C2KMNQf6Q9oOiJZG5kFCMY00KCJ589z8lox3yd2Wd4fgbhfYLKnoZmDbSrIN1z12kWhP-2FNNvM47oHj6AF02MfILuyLAatTZfpYA-3D	Get hash	malicious	Unknown	Browse	13.250.153.115
	https://t.dripemail2.com/c/eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJkZXRvdXIiLCJpc3MiOiJtb25vbGl0aCIsInN1YiI6ImRldG91cl9saW5rIiwiaWF0IjoxNzAyNDg0OTkzLCJuYmYiOjE3MDI0ODQ5OTMsImFjY291bnRfaWQiOiIxODU3MTU0IiwiZGVsaXZlcnlfaWQiOiJ2bWd1NDk3bzE4bHd2NHhwMG8xeSIsInVybCI6Imh0dHBzOi8vdmVyMWYtY2RpLXIudmVyY2VsLmFwcC8_X19zPW11ZXJ3NTZxc29wcnpkdmZtcGhjJnV0bV9zb3VyY2U9ZHJpcCZ1dG1fbWVkaXVtPWVtYWlsJnV0bV9jYW1wYWlnbj1DYW4rd2UrZ2V0K3lvdXIrZGlnaXRzJTNGKyVFMiU5OCU4RSVFRiVCOCU4RiJ9.K-V9EywgyWnNsZeXCjIqP8VTrvXpXlkLvFaVr2xbnc0#YW5uYS55YXRlc0B6YmV0YS5jb20=	Get hash	malicious	HTMLPhisher	Browse	76.76.21.164
	https://hallmark.greetingsweb.com/08d8bbb695d1c570?l=30	Get hash	malicious	Unknown	Browse	52.217.203.65
	http://tracker.axsproductions.com/f/a/p1kBCojaDpnjnEXy1Uh7Dg~~/AAQn0QA~/RgRnWvrdPxRENGh0dHBzOi8vd3d3LmFnZW5jeWFjY2Vzcy5jb20vcHJlZmVyZW5jZXM_b3B0b3V0PXRydWVXA3NwY0IKZXPddXhliWF7klIcY2FybG9zLmdpcmFsZG9AYm9hcnNoZWFkLmNvbVgEAAADVw~~	Get hash	malicious	HTMLPhisher	Browse	13.226.52.58
	http://padlet.com/hobbs3/my-spreadsheet927_rich-hobbs638_dec23_crosbie-real-estate-gr-wc7qyx1bvhqn3t4t	Get hash	malicious	Unknown	Browse	65.8.178.10
	https://app.standards.site/login	Get hash	malicious	Unknown	Browse	65.8.178.47
	https://repairit.wondershare.com/video-repair/cut-video-in-windows-media-player.html	Get hash	malicious	Unknown	Browse	13.35.116.98
	http://taxrxgroup.com	Get hash	malicious	Unknown	Browse	108.157.162.124
	https://cs.mytheresa.com/mix/c3/?tc_id=202311201201523757380094&tcs=3504&cid_vcms=6664627&ag=category&lg=2&tar=tgt&src=newsletter&cmp=mw_42_231016_category&tarea=07&csf=23350070&user_id=507fd0bb65c9f08e7b4b1a0ac732a5d6&kwd=mw&ptyp=namemyt&chn=email&url=//shabirsons.com/new/auth?register=raven@triton-partners.com	Get hash	malicious	Unknown	Browse	35.181.29.184
	https://cs.mytheresa.com/mix/c3/?tc_id=202311201201523757380094&tcs=3504&cid_vcms=6664627&ag=Category&lg=2&tar=TGT&src=newsletter&cmp=mw_42_231016_category&tarea=07&csf=23350070&user_id=507fd0bb65c9f08e7b4b1a0ac732a5d6&kwd=mw&ptyp=namemyt&chn=email&url=//baidu.com///link?url=vC4GC64ae4I9wzsoHp-V0ah20Me1UflwnvmnxUC9BRkuYSMm7qYp63-dMYBSTRdK&wd#.am9obm55X2RhdmlzQGFvLnVzY291cnRzLmdvdg==	Get hash	malicious	Unknown	Browse	35.181.29.184
	http://www.laapsa.com.ar	Get hash	malicious	Unknown	Browse	54.76.77.238
	http://click.web.teachmecompliance.com/?qs=af20cf96ffd191e17d152373cdae26d0ed28e24c074a7e1033bca0a42143e91780d4be587d8ec066caddbb83143e7a87fcf8e2f86a2189e5fa34aac6211ab659	Get hash	malicious	Unknown	Browse	65.8.184.131
	https://link.mail.beehiiv.com/ss/c/SFMS2DGC_3bR2eTtelyfFUzhcGs9TWsEeQw8nQp279J9B9upNohe5IND2DzRg4GfFe3uzMCkwl0VCcFF4p9tdZ71PSC4SlxBXIoR6qgai_e9KXQu46yVwLcidRn-ax90dry5wHpUbN5t2kTBuqVHtjiUR148OM6f2kzv0FbM9-j2d8Pfv1aAiA8m-jIRZ1qPGcwv7cKHtg7zS7k4vguTCgqcLvbDJq61ZPMm3FUyJbd-2ROdV-1aYJVxlO48nGuxkYE6PJ8AjBLfTrwxiX4S2X3JBdpAgH-S1qPrWFIUFnwhW_rcr9w0IZhVJg2k6UwPe0XxcmVm_hXa3Zy0nKOCBvO11zW3IuzS0wT0aqoeUGhUZL_BJAovHWU-78ta_hn0kcmqrlBzh66Yb9lBLgDUfmEypG1yBWRlXPRZ1w7redaJaooKiPuwr2V5n8bXDS9_yWg2USHIOqCrcsTtBGYogmSv3HnV9rD8TCUiXo47xhMBVMzr7StZWjjgT4kZsxK7CX-zIn8YCCC8lkjyOEp6xgdXFjETIB4df5tQm7lBbPlCZ99btsVwezxOnJZ4MV1piJOH9CONfmhGD5405v_OGQ0ddDY5d31qqadrUj9T5uo/422/2hUrqrZHQZSMSqb_7MA2RQ/h1/bXAkiKjrMazQzzpENtDvosiaH2ZRcmZd0aMxcbDunvM	Get hash	malicious	Unknown	Browse	35.163.144.222
	SecuriteInfo.com.FileRepMalware.6852.1526.exe	Get hash	malicious	Unknown	Browse	3.64.163.50
	https://docsend.com/view/i29287mwb9t9qm96	Get hash	malicious	HTMLPhisher	Browse	13.35.116.32
	https://2fa.com-token-auth.com/XUnpsalIwZFhSekV3Ums0MVVWQndhVWd4VG1SamQxRk5XRkozZWtOd0wyNXVXVXhHVTBoR2RFaHhRVlZ0VkdkM09VWXdNbE0xUVVoa2MydzBNbE5aV0ZOR1dIaFlkMVpGTDFaTFExaEViMWM0WTBSSlQxZFhlVWhWZHpVeFNUWlVXVTl6TXl0YWVucG1MMDh4UkVrMFEzUmFlV1YwUzJWb1JuSjFTak5KVlVZM1VuSnlWa3hoTm5sSFZ5czVibk5yY21wd1drOW1SMHBtU1ZCQ2RHMDBibWROVTA0eFIwZzFSbTVrZEZWU1pUZDVlVWw1UXl0UFFXVjJNbEZpY1d4NGFFUXhkblpHTkZoQ2NFRldVMGxuU1dOMlZUUXJVVDA5TFMxUmNtcFVNbXRpWmxsVWRqVk5SRWR4T1ZBemRTOW5QVDA9LS1mNjBiNDI4NzljODhhYjI4ZTNlZTFjM2JiZGVhNTNiZjVkY2M2NGYz?cid=1839839752	Get hash	malicious	Unknown	Browse	52.217.16.54
	REnfXF7686.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	108.157.162.69
	https://demandtechreports.com/reports/Flexential-TheEvolved922Download.jsp	Get hash	malicious	Unknown	Browse	65.8.178.94
	https://cocojonss.tumblr.com/	Get hash	malicious	Porn Scam	Browse	76.223.105.51
AMAZON-02US	https://u4922463.ct.sendgrid.net/ls/click?upn=EB1qBpEZOb0BeY3tFaEyZfbXNl0dzqCPs4IuBvxtn-2F8-3DBHSV_h9nYqBb8GTsRYM3XAu-2F7B3Zz9iJrBjlG6gAH4RrjXu04CxVIgslWhpFkLLOpnrDIxZdKkXtB0dsi4uCFiwXe-2BQuDcHYiOhVmiiGVX2UJrKAriQ2bhMzb3GHHCkgidjzlGWZXL8e3C2KMNQf6Q9oOiJZG5kFCMY00KCJ589z8lox3yd2Wd4fgbhfYLKnoZmDbSrIN1z12kWhP-2FNNvM47oHj6AF02MfILuyLAatTZfpYA-3D	Get hash	malicious	Unknown	Browse	18.141.17.51
	https://u4922463.ct.sendgrid.net/ls/click?upn=EB1qBpEZOb0BeY3tFaEyZfbXNl0dzqCPs4IuBvxtn-2F8-3DBHSV_h9nYqBb8GTsRYM3XAu-2F7B3Zz9iJrBjlG6gAH4RrjXu04CxVIgslWhpFkLLOpnrDIxZdKkXtB0dsi4uCFiwXe-2BQuDcHYiOhVmiiGVX2UJrKAriQ2bhMzb3GHHCkgidjzlGWZXL8e3C2KMNQf6Q9oOiJZG5kFCMY00KCJ589z8lox3yd2Wd4fgbhfYLKnoZmDbSrIN1z12kWhP-2FNNvM47oHj6AF02MfILuyLAatTZfpYA-3D	Get hash	malicious	Unknown	Browse	13.250.153.115
	https://t.dripemail2.com/c/eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJkZXRvdXIiLCJpc3MiOiJtb25vbGl0aCIsInN1YiI6ImRldG91cl9saW5rIiwiaWF0IjoxNzAyNDg0OTkzLCJuYmYiOjE3MDI0ODQ5OTMsImFjY291bnRfaWQiOiIxODU3MTU0IiwiZGVsaXZlcnlfaWQiOiJ2bWd1NDk3bzE4bHd2NHhwMG8xeSIsInVybCI6Imh0dHBzOi8vdmVyMWYtY2RpLXIudmVyY2VsLmFwcC8_X19zPW11ZXJ3NTZxc29wcnpkdmZtcGhjJnV0bV9zb3VyY2U9ZHJpcCZ1dG1fbWVkaXVtPWVtYWlsJnV0bV9jYW1wYWlnbj1DYW4rd2UrZ2V0K3lvdXIrZGlnaXRzJTNGKyVFMiU5OCU4RSVFRiVCOCU4RiJ9.K-V9EywgyWnNsZeXCjIqP8VTrvXpXlkLvFaVr2xbnc0#YW5uYS55YXRlc0B6YmV0YS5jb20=	Get hash	malicious	HTMLPhisher	Browse	76.76.21.164
	https://hallmark.greetingsweb.com/08d8bbb695d1c570?l=30	Get hash	malicious	Unknown	Browse	52.217.203.65
	http://tracker.axsproductions.com/f/a/p1kBCojaDpnjnEXy1Uh7Dg~~/AAQn0QA~/RgRnWvrdPxRENGh0dHBzOi8vd3d3LmFnZW5jeWFjY2Vzcy5jb20vcHJlZmVyZW5jZXM_b3B0b3V0PXRydWVXA3NwY0IKZXPddXhliWF7klIcY2FybG9zLmdpcmFsZG9AYm9hcnNoZWFkLmNvbVgEAAADVw~~	Get hash	malicious	HTMLPhisher	Browse	13.226.52.58
	http://padlet.com/hobbs3/my-spreadsheet927_rich-hobbs638_dec23_crosbie-real-estate-gr-wc7qyx1bvhqn3t4t	Get hash	malicious	Unknown	Browse	65.8.178.10
	https://app.standards.site/login	Get hash	malicious	Unknown	Browse	65.8.178.47
	https://repairit.wondershare.com/video-repair/cut-video-in-windows-media-player.html	Get hash	malicious	Unknown	Browse	13.35.116.98
	http://taxrxgroup.com	Get hash	malicious	Unknown	Browse	108.157.162.124
	https://cs.mytheresa.com/mix/c3/?tc_id=202311201201523757380094&tcs=3504&cid_vcms=6664627&ag=category&lg=2&tar=tgt&src=newsletter&cmp=mw_42_231016_category&tarea=07&csf=23350070&user_id=507fd0bb65c9f08e7b4b1a0ac732a5d6&kwd=mw&ptyp=namemyt&chn=email&url=//shabirsons.com/new/auth?register=raven@triton-partners.com	Get hash	malicious	Unknown	Browse	35.181.29.184
	https://cs.mytheresa.com/mix/c3/?tc_id=202311201201523757380094&tcs=3504&cid_vcms=6664627&ag=Category&lg=2&tar=TGT&src=newsletter&cmp=mw_42_231016_category&tarea=07&csf=23350070&user_id=507fd0bb65c9f08e7b4b1a0ac732a5d6&kwd=mw&ptyp=namemyt&chn=email&url=//baidu.com///link?url=vC4GC64ae4I9wzsoHp-V0ah20Me1UflwnvmnxUC9BRkuYSMm7qYp63-dMYBSTRdK&wd#.am9obm55X2RhdmlzQGFvLnVzY291cnRzLmdvdg==	Get hash	malicious	Unknown	Browse	35.181.29.184
	http://www.laapsa.com.ar	Get hash	malicious	Unknown	Browse	54.76.77.238
	http://click.web.teachmecompliance.com/?qs=af20cf96ffd191e17d152373cdae26d0ed28e24c074a7e1033bca0a42143e91780d4be587d8ec066caddbb83143e7a87fcf8e2f86a2189e5fa34aac6211ab659	Get hash	malicious	Unknown	Browse	65.8.184.131
	https://link.mail.beehiiv.com/ss/c/SFMS2DGC_3bR2eTtelyfFUzhcGs9TWsEeQw8nQp279J9B9upNohe5IND2DzRg4GfFe3uzMCkwl0VCcFF4p9tdZ71PSC4SlxBXIoR6qgai_e9KXQu46yVwLcidRn-ax90dry5wHpUbN5t2kTBuqVHtjiUR148OM6f2kzv0FbM9-j2d8Pfv1aAiA8m-jIRZ1qPGcwv7cKHtg7zS7k4vguTCgqcLvbDJq61ZPMm3FUyJbd-2ROdV-1aYJVxlO48nGuxkYE6PJ8AjBLfTrwxiX4S2X3JBdpAgH-S1qPrWFIUFnwhW_rcr9w0IZhVJg2k6UwPe0XxcmVm_hXa3Zy0nKOCBvO11zW3IuzS0wT0aqoeUGhUZL_BJAovHWU-78ta_hn0kcmqrlBzh66Yb9lBLgDUfmEypG1yBWRlXPRZ1w7redaJaooKiPuwr2V5n8bXDS9_yWg2USHIOqCrcsTtBGYogmSv3HnV9rD8TCUiXo47xhMBVMzr7StZWjjgT4kZsxK7CX-zIn8YCCC8lkjyOEp6xgdXFjETIB4df5tQm7lBbPlCZ99btsVwezxOnJZ4MV1piJOH9CONfmhGD5405v_OGQ0ddDY5d31qqadrUj9T5uo/422/2hUrqrZHQZSMSqb_7MA2RQ/h1/bXAkiKjrMazQzzpENtDvosiaH2ZRcmZd0aMxcbDunvM	Get hash	malicious	Unknown	Browse	35.163.144.222
	SecuriteInfo.com.FileRepMalware.6852.1526.exe	Get hash	malicious	Unknown	Browse	3.64.163.50
	https://docsend.com/view/i29287mwb9t9qm96	Get hash	malicious	HTMLPhisher	Browse	13.35.116.32
	https://2fa.com-token-auth.com/XUnpsalIwZFhSekV3Ums0MVVWQndhVWd4VG1SamQxRk5XRkozZWtOd0wyNXVXVXhHVTBoR2RFaHhRVlZ0VkdkM09VWXdNbE0xUVVoa2MydzBNbE5aV0ZOR1dIaFlkMVpGTDFaTFExaEViMWM0WTBSSlQxZFhlVWhWZHpVeFNUWlVXVTl6TXl0YWVucG1MMDh4UkVrMFEzUmFlV1YwUzJWb1JuSjFTak5KVlVZM1VuSnlWa3hoTm5sSFZ5czVibk5yY21wd1drOW1SMHBtU1ZCQ2RHMDBibWROVTA0eFIwZzFSbTVrZEZWU1pUZDVlVWw1UXl0UFFXVjJNbEZpY1d4NGFFUXhkblpHTkZoQ2NFRldVMGxuU1dOMlZUUXJVVDA5TFMxUmNtcFVNbXRpWmxsVWRqVk5SRWR4T1ZBemRTOW5QVDA9LS1mNjBiNDI4NzljODhhYjI4ZTNlZTFjM2JiZGVhNTNiZjVkY2M2NGYz?cid=1839839752	Get hash	malicious	Unknown	Browse	52.217.16.54
	REnfXF7686.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	108.157.162.69
	https://demandtechreports.com/reports/Flexential-TheEvolved922Download.jsp	Get hash	malicious	Unknown	Browse	65.8.178.94
	https://cocojonss.tumblr.com/	Get hash	malicious	Porn Scam	Browse	76.223.105.51
AMAZON-02US	https://u4922463.ct.sendgrid.net/ls/click?upn=EB1qBpEZOb0BeY3tFaEyZfbXNl0dzqCPs4IuBvxtn-2F8-3DBHSV_h9nYqBb8GTsRYM3XAu-2F7B3Zz9iJrBjlG6gAH4RrjXu04CxVIgslWhpFkLLOpnrDIxZdKkXtB0dsi4uCFiwXe-2BQuDcHYiOhVmiiGVX2UJrKAriQ2bhMzb3GHHCkgidjzlGWZXL8e3C2KMNQf6Q9oOiJZG5kFCMY00KCJ589z8lox3yd2Wd4fgbhfYLKnoZmDbSrIN1z12kWhP-2FNNvM47oHj6AF02MfILuyLAatTZfpYA-3D	Get hash	malicious	Unknown	Browse	18.141.17.51
	https://u4922463.ct.sendgrid.net/ls/click?upn=EB1qBpEZOb0BeY3tFaEyZfbXNl0dzqCPs4IuBvxtn-2F8-3DBHSV_h9nYqBb8GTsRYM3XAu-2F7B3Zz9iJrBjlG6gAH4RrjXu04CxVIgslWhpFkLLOpnrDIxZdKkXtB0dsi4uCFiwXe-2BQuDcHYiOhVmiiGVX2UJrKAriQ2bhMzb3GHHCkgidjzlGWZXL8e3C2KMNQf6Q9oOiJZG5kFCMY00KCJ589z8lox3yd2Wd4fgbhfYLKnoZmDbSrIN1z12kWhP-2FNNvM47oHj6AF02MfILuyLAatTZfpYA-3D	Get hash	malicious	Unknown	Browse	13.250.153.115
	https://t.dripemail2.com/c/eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJkZXRvdXIiLCJpc3MiOiJtb25vbGl0aCIsInN1YiI6ImRldG91cl9saW5rIiwiaWF0IjoxNzAyNDg0OTkzLCJuYmYiOjE3MDI0ODQ5OTMsImFjY291bnRfaWQiOiIxODU3MTU0IiwiZGVsaXZlcnlfaWQiOiJ2bWd1NDk3bzE4bHd2NHhwMG8xeSIsInVybCI6Imh0dHBzOi8vdmVyMWYtY2RpLXIudmVyY2VsLmFwcC8_X19zPW11ZXJ3NTZxc29wcnpkdmZtcGhjJnV0bV9zb3VyY2U9ZHJpcCZ1dG1fbWVkaXVtPWVtYWlsJnV0bV9jYW1wYWlnbj1DYW4rd2UrZ2V0K3lvdXIrZGlnaXRzJTNGKyVFMiU5OCU4RSVFRiVCOCU4RiJ9.K-V9EywgyWnNsZeXCjIqP8VTrvXpXlkLvFaVr2xbnc0#YW5uYS55YXRlc0B6YmV0YS5jb20=	Get hash	malicious	HTMLPhisher	Browse	76.76.21.164
	https://hallmark.greetingsweb.com/08d8bbb695d1c570?l=30	Get hash	malicious	Unknown	Browse	52.217.203.65
	http://tracker.axsproductions.com/f/a/p1kBCojaDpnjnEXy1Uh7Dg~~/AAQn0QA~/RgRnWvrdPxRENGh0dHBzOi8vd3d3LmFnZW5jeWFjY2Vzcy5jb20vcHJlZmVyZW5jZXM_b3B0b3V0PXRydWVXA3NwY0IKZXPddXhliWF7klIcY2FybG9zLmdpcmFsZG9AYm9hcnNoZWFkLmNvbVgEAAADVw~~	Get hash	malicious	HTMLPhisher	Browse	13.226.52.58
	http://padlet.com/hobbs3/my-spreadsheet927_rich-hobbs638_dec23_crosbie-real-estate-gr-wc7qyx1bvhqn3t4t	Get hash	malicious	Unknown	Browse	65.8.178.10
	https://app.standards.site/login	Get hash	malicious	Unknown	Browse	65.8.178.47
	https://repairit.wondershare.com/video-repair/cut-video-in-windows-media-player.html	Get hash	malicious	Unknown	Browse	13.35.116.98
	http://taxrxgroup.com	Get hash	malicious	Unknown	Browse	108.157.162.124
	https://cs.mytheresa.com/mix/c3/?tc_id=202311201201523757380094&tcs=3504&cid_vcms=6664627&ag=category&lg=2&tar=tgt&src=newsletter&cmp=mw_42_231016_category&tarea=07&csf=23350070&user_id=507fd0bb65c9f08e7b4b1a0ac732a5d6&kwd=mw&ptyp=namemyt&chn=email&url=//shabirsons.com/new/auth?register=raven@triton-partners.com	Get hash	malicious	Unknown	Browse	35.181.29.184
	https://cs.mytheresa.com/mix/c3/?tc_id=202311201201523757380094&tcs=3504&cid_vcms=6664627&ag=Category&lg=2&tar=TGT&src=newsletter&cmp=mw_42_231016_category&tarea=07&csf=23350070&user_id=507fd0bb65c9f08e7b4b1a0ac732a5d6&kwd=mw&ptyp=namemyt&chn=email&url=//baidu.com///link?url=vC4GC64ae4I9wzsoHp-V0ah20Me1UflwnvmnxUC9BRkuYSMm7qYp63-dMYBSTRdK&wd#.am9obm55X2RhdmlzQGFvLnVzY291cnRzLmdvdg==	Get hash	malicious	Unknown	Browse	35.181.29.184
	http://www.laapsa.com.ar	Get hash	malicious	Unknown	Browse	54.76.77.238
	http://click.web.teachmecompliance.com/?qs=af20cf96ffd191e17d152373cdae26d0ed28e24c074a7e1033bca0a42143e91780d4be587d8ec066caddbb83143e7a87fcf8e2f86a2189e5fa34aac6211ab659	Get hash	malicious	Unknown	Browse	65.8.184.131
	https://link.mail.beehiiv.com/ss/c/SFMS2DGC_3bR2eTtelyfFUzhcGs9TWsEeQw8nQp279J9B9upNohe5IND2DzRg4GfFe3uzMCkwl0VCcFF4p9tdZ71PSC4SlxBXIoR6qgai_e9KXQu46yVwLcidRn-ax90dry5wHpUbN5t2kTBuqVHtjiUR148OM6f2kzv0FbM9-j2d8Pfv1aAiA8m-jIRZ1qPGcwv7cKHtg7zS7k4vguTCgqcLvbDJq61ZPMm3FUyJbd-2ROdV-1aYJVxlO48nGuxkYE6PJ8AjBLfTrwxiX4S2X3JBdpAgH-S1qPrWFIUFnwhW_rcr9w0IZhVJg2k6UwPe0XxcmVm_hXa3Zy0nKOCBvO11zW3IuzS0wT0aqoeUGhUZL_BJAovHWU-78ta_hn0kcmqrlBzh66Yb9lBLgDUfmEypG1yBWRlXPRZ1w7redaJaooKiPuwr2V5n8bXDS9_yWg2USHIOqCrcsTtBGYogmSv3HnV9rD8TCUiXo47xhMBVMzr7StZWjjgT4kZsxK7CX-zIn8YCCC8lkjyOEp6xgdXFjETIB4df5tQm7lBbPlCZ99btsVwezxOnJZ4MV1piJOH9CONfmhGD5405v_OGQ0ddDY5d31qqadrUj9T5uo/422/2hUrqrZHQZSMSqb_7MA2RQ/h1/bXAkiKjrMazQzzpENtDvosiaH2ZRcmZd0aMxcbDunvM	Get hash	malicious	Unknown	Browse	35.163.144.222
	SecuriteInfo.com.FileRepMalware.6852.1526.exe	Get hash	malicious	Unknown	Browse	3.64.163.50
	https://docsend.com/view/i29287mwb9t9qm96	Get hash	malicious	HTMLPhisher	Browse	13.35.116.32
	https://2fa.com-token-auth.com/XUnpsalIwZFhSekV3Ums0MVVWQndhVWd4VG1SamQxRk5XRkozZWtOd0wyNXVXVXhHVTBoR2RFaHhRVlZ0VkdkM09VWXdNbE0xUVVoa2MydzBNbE5aV0ZOR1dIaFlkMVpGTDFaTFExaEViMWM0WTBSSlQxZFhlVWhWZHpVeFNUWlVXVTl6TXl0YWVucG1MMDh4UkVrMFEzUmFlV1YwUzJWb1JuSjFTak5KVlVZM1VuSnlWa3hoTm5sSFZ5czVibk5yY21wd1drOW1SMHBtU1ZCQ2RHMDBibWROVTA0eFIwZzFSbTVrZEZWU1pUZDVlVWw1UXl0UFFXVjJNbEZpY1d4NGFFUXhkblpHTkZoQ2NFRldVMGxuU1dOMlZUUXJVVDA5TFMxUmNtcFVNbXRpWmxsVWRqVk5SRWR4T1ZBemRTOW5QVDA9LS1mNjBiNDI4NzljODhhYjI4ZTNlZTFjM2JiZGVhNTNiZjVkY2M2NGYz?cid=1839839752	Get hash	malicious	Unknown	Browse	52.217.16.54
	REnfXF7686.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	108.157.162.69
	https://demandtechreports.com/reports/Flexential-TheEvolved922Download.jsp	Get hash	malicious	Unknown	Browse	65.8.178.94
	https://cocojonss.tumblr.com/	Get hash	malicious	Porn Scam	Browse	76.223.105.51

Process:	C:\Users\user\Desktop\pQBmVoyRnw.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\System.exe

Download File

Process:	C:\Users\user\Desktop\pQBmVoyRnw.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	308224
Entropy (8bit):	4.94206206452333
Encrypted:	false
SSDEEP:	3072:ONwjqcl+yJ516Vl5m7PF7OE7u/vDR1GK5WwiuGK36yUG9XV/VwMM:wwjqZxl5mQS+mwic3Xv/m
MD5:	16C7B2832CE255D5DA4A5D85A4089758
SHA1:	80ED8B75AE30BC4DF6671C5BCA8084ABA2148EF4
SHA-256:	FD13ED8D469C4CB5507716FEEE5C7139C38957B48A4EBFF2D40D7A9269884387
SHA-512:	65E6F8CE9F39FFCD6042CF0E39EDA1CF9423367F6F98025A896FE2B2D4804F080C70250F568D377DAFB4679CCFBAD98BE1A4974B49911F254E2EE918ACBD3139
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\System.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\System.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\System.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\System.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ve.....................&.......... ........@.. ....................... ............@.....................................K........#........................................................................... ............... ..H............text....... ...................... ..`.rsrc....#.......$..................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......*..(.......s.........s.........s.........s...........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\System.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\pQBmVoyRnw.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\autorun.inf

Download File

Process:	C:\Users\user\System.exe
File Type:	Microsoft Windows Autorun file
Category:	dropped
Size (bytes):	50
Entropy (8bit):	4.320240000427043
Encrypted:	false
SSDEEP:	3:It1KV2LKMACovK0x:e1KzxvD
MD5:	5B0B50BADE67C5EC92D42E971287A5D9
SHA1:	90D5C99143E7A56AD6E5EE401015F8ECC093D95A
SHA-256:	04DDE2489D2D2E6846D42250D813AB90B5CA847D527F8F2C022E6C327DC6DB53
SHA-512:	C064DC3C4185A38D1CAEBD069ACB9FDBB85DFB650D6A241036E501A09BC89FD06E267BE9D400D20E6C14B4068473D1C6557962E8D82FDFD191DB7EABB6E66821
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	[autorun]..open=C:\svchost.exe..shellexecute=C:\..

C:\svchost.exe

Download File

Process:	C:\Users\user\System.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	308224
Entropy (8bit):	4.94206206452333
Encrypted:	false
SSDEEP:	3072:ONwjqcl+yJ516Vl5m7PF7OE7u/vDR1GK5WwiuGK36yUG9XV/VwMM:wwjqZxl5mQS+mwic3Xv/m
MD5:	16C7B2832CE255D5DA4A5D85A4089758
SHA1:	80ED8B75AE30BC4DF6671C5BCA8084ABA2148EF4
SHA-256:	FD13ED8D469C4CB5507716FEEE5C7139C38957B48A4EBFF2D40D7A9269884387
SHA-512:	65E6F8CE9F39FFCD6042CF0E39EDA1CF9423367F6F98025A896FE2B2D4804F080C70250F568D377DAFB4679CCFBAD98BE1A4974B49911F254E2EE918ACBD3139
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\svchost.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\svchost.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\svchost.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\svchost.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ve.....................&.......... ........@.. ....................... ............@.....................................K........#........................................................................... ............... ..H............text....... ...................... ..`.rsrc....#.......$..................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......*..(.......s.........s.........s.........s...........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\svchost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\System.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.94206206452333
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	pQBmVoyRnw.exe
File size:	308'224 bytes
MD5:	16c7b2832ce255d5da4a5d85a4089758
SHA1:	80ed8b75ae30bc4df6671c5bca8084aba2148ef4
SHA256:	fd13ed8d469c4cb5507716feee5c7139c38957b48a4ebff2d40d7a9269884387
SHA512:	65e6f8ce9f39ffcd6042cf0e39eda1cf9423367f6f98025a896fe2b2d4804f080c70250f568d377dafb4679ccfbad98be1a4974b49911f254e2ee918acbd3139
SSDEEP:	3072:ONwjqcl+yJ516Vl5m7PF7OE7u/vDR1GK5WwiuGK36yUG9XV/VwMM:wwjqZxl5mQS+mwic3Xv/m
TLSH:	3B643C572B5A8C87D13667FD0441E3B987132FC8782AC3129AF1EC63F5E2A472D5A6D0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ve.....................&........... ........@.. ....................... ............@................................

File Icon


Icon Hash:	787150f4f8f9558e

Static PE Info

General

Entrypoint:	0x40abce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6576DAEF [Mon Dec 11 09:48:31 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xab80	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x4230c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x50000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8bd4	0x8c00	False	0.4638113839285714	data	5.60518222440242	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x4230c	0x42400	False	0.36205778301886793	data	4.73198787741136	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x50000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc0e8	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 2834 x 2834 px/m	0.3617665769151108
RT_GROUP_ICON	0x4e110	0x14	data	0.9
RT_MANIFEST	0x4e124	0x1e7	XML 1.0 document, ASCII text, with CRLF line terminators	0.5338809034907598

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.418.192.93.8649742184902814856 12/13/23-20:59:05.476604	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49742	18490	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649741184902814856 12/13/23-20:58:48.936323	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49741	18490	192.168.2.4	18.192.93.86
192.168.2.418.156.13.20949745184902814856 12/13/23-21:00:01.573922	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49745	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949744184902814856 12/13/23-20:59:39.970423	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49744	18490	192.168.2.4	18.156.13.209
192.168.2.418.192.93.8649740184902814856 12/13/23-20:58:31.218361	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49740	18490	192.168.2.4	18.192.93.86
192.168.2.418.156.13.20949746184902814856 12/13/23-21:00:14.421142	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49746	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949735184902033132 12/13/23-20:57:35.118070	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49735	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949736184902033132 12/13/23-20:57:37.678304	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49736	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949735184902825563 12/13/23-20:57:35.360179	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49735	18490	192.168.2.4	18.156.13.209
192.168.2.43.126.37.1849748184902033132 12/13/23-21:00:35.097288	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49748	18490	192.168.2.4	3.126.37.18
192.168.2.418.156.13.20949736184902825563 12/13/23-20:57:37.919447	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49736	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949729184902814856 12/13/23-20:57:12.551556	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49729	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949745184902814860 12/13/23-21:00:04.191355	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49745	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949736184902825564 12/13/23-20:57:41.941315	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49736	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949738184902825564 12/13/23-20:58:06.222500	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49738	18490	192.168.2.4	18.156.13.209
192.168.2.43.126.37.1849749184902033132 12/13/23-21:00:49.784107	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49749	18490	192.168.2.4	3.126.37.18
192.168.2.418.156.13.20949738184902825563 12/13/23-20:57:57.039800	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49738	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949729184902033132 12/13/23-20:57:12.311856	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49729	18490	192.168.2.4	18.156.13.209
192.168.2.418.192.93.8649740184902814860 12/13/23-20:58:34.292329	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49740	18490	192.168.2.4	18.192.93.86
192.168.2.43.126.37.1849748184902825563 12/13/23-21:00:35.340154	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49748	18490	192.168.2.4	3.126.37.18
192.168.2.418.156.13.20949746184902814860 12/13/23-21:00:20.521339	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49746	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949738184902033132 12/13/23-20:57:56.798992	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49738	18490	192.168.2.4	18.156.13.209
192.168.2.418.192.93.8649742184902814860 12/13/23-20:59:22.207993	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49742	18490	192.168.2.4	18.192.93.86
192.168.2.43.126.37.1849748184902825564 12/13/23-21:00:43.961202	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49748	18490	192.168.2.4	3.126.37.18
192.168.2.418.156.13.20949736184902814860 12/13/23-20:57:41.941315	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49736	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949745184902825563 12/13/23-21:00:01.573922	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49745	18490	192.168.2.4	18.156.13.209
192.168.2.418.192.93.8649741184902814860 12/13/23-20:58:50.550982	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49741	18490	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649742184902033132 12/13/23-20:59:05.233882	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49742	18490	192.168.2.4	18.192.93.86
192.168.2.418.156.13.20949744184902825563 12/13/23-20:59:39.970423	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49744	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949743184902825564 12/13/23-20:59:36.738003	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49743	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949738184902814860 12/13/23-20:58:06.222500	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49738	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949729184902814860 12/13/23-20:57:17.144904	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49729	18490	192.168.2.4	18.156.13.209
192.168.2.418.192.93.8649741184902033132 12/13/23-20:58:48.693931	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49741	18490	192.168.2.4	18.192.93.86
192.168.2.418.156.13.20949743184902825563 12/13/23-20:59:29.420656	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49743	18490	192.168.2.4	18.156.13.209
192.168.2.418.192.93.8649740184902033132 12/13/23-20:58:30.976409	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49740	18490	192.168.2.4	18.192.93.86
192.168.2.43.126.37.1849747184902825563 12/13/23-21:00:31.845369	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49747	18490	192.168.2.4	3.126.37.18
192.168.2.43.126.37.1849747184902825564 12/13/23-21:00:32.601428	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49747	18490	192.168.2.4	3.126.37.18
192.168.2.43.126.37.1849747184902814856 12/13/23-21:00:31.845369	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49747	18490	192.168.2.4	3.126.37.18
192.168.2.418.156.13.20949736184902814856 12/13/23-20:57:37.919447	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49736	18490	192.168.2.4	18.156.13.209
192.168.2.418.192.93.8649739184902814860 12/13/23-20:58:28.703174	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49739	18490	192.168.2.4	18.192.93.86
192.168.2.418.156.13.20949735184902814856 12/13/23-20:57:35.360179	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49735	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949744184902033132 12/13/23-20:59:39.730343	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49744	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949743184902033132 12/13/23-20:59:29.178728	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49743	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949745184902033132 12/13/23-21:00:01.333423	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49745	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949745184902825564 12/13/23-21:00:04.191355	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49745	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949746184902033132 12/13/23-21:00:14.180570	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49746	18490	192.168.2.4	18.156.13.209
192.168.2.43.126.37.1849748184902814860 12/13/23-21:00:46.399246	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49748	18490	192.168.2.4	3.126.37.18
192.168.2.418.156.13.20949746184902825564 12/13/23-21:00:20.521339	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49746	18490	192.168.2.4	18.156.13.209
192.168.2.418.192.93.8649739184902814856 12/13/23-20:58:12.572286	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49739	18490	192.168.2.4	18.192.93.86
192.168.2.418.156.13.20949746184902825563 12/13/23-21:00:14.421142	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49746	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949738184902814856 12/13/23-20:57:57.039800	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49738	18490	192.168.2.4	18.156.13.209
192.168.2.418.192.93.8649739184902825564 12/13/23-20:58:28.503388	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49739	18490	192.168.2.4	18.192.93.86
192.168.2.418.156.13.20949729184902825563 12/13/23-20:57:12.551556	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49729	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949729184902825564 12/13/23-20:57:17.144904	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49729	18490	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949743184902814860 12/13/23-20:59:37.308006	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49743	18490	192.168.2.4	18.156.13.209
192.168.2.43.126.37.1849747184902814860 12/13/23-21:00:32.601428	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49747	18490	192.168.2.4	3.126.37.18
192.168.2.43.126.37.1849747184902033132 12/13/23-21:00:31.603382	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49747	18490	192.168.2.4	3.126.37.18
192.168.2.418.192.93.8649739184902033132 12/13/23-20:58:12.331562	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49739	18490	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649740184902825564 12/13/23-20:58:34.292329	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49740	18490	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649741184902825564 12/13/23-20:58:50.550982	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49741	18490	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649741184902825563 12/13/23-20:58:48.936323	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49741	18490	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649740184902825563 12/13/23-20:58:31.218361	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49740	18490	192.168.2.4	18.192.93.86
192.168.2.43.126.37.1849749184902814856 12/13/23-21:00:50.028478	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49749	18490	192.168.2.4	3.126.37.18
192.168.2.418.156.13.20949743184902814856 12/13/23-20:59:29.420656	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49743	18490	192.168.2.4	18.156.13.209
192.168.2.418.192.93.8649742184902825564 12/13/23-20:59:22.207993	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49742	18490	192.168.2.4	18.192.93.86
192.168.2.43.126.37.1849748184902814856 12/13/23-21:00:35.340154	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49748	18490	192.168.2.4	3.126.37.18
192.168.2.418.192.93.8649742184902825563 12/13/23-20:59:05.476604	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49742	18490	192.168.2.4	18.192.93.86

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2023 20:57:10.901509047 CET	49729	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:11.140928984 CET	18490	49729	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:11.141118050 CET	49729	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:12.311856031 CET	49729	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:12.551337004 CET	18490	49729	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:12.551556110 CET	49729	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:12.791157007 CET	18490	49729	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:17.144903898 CET	49729	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:17.384371042 CET	18490	49729	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:32.473526001 CET	18490	49729	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:32.473622084 CET	49729	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:32.846924067 CET	18490	49729	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:32.847234964 CET	49729	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:34.864824057 CET	49729	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:34.867604017 CET	49735	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:35.104500055 CET	18490	49729	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:35.109445095 CET	18490	49735	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:35.109545946 CET	49735	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:35.118069887 CET	49735	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:35.359971046 CET	18490	49735	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:35.360178947 CET	49735	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:35.422393084 CET	18490	49735	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:35.422519922 CET	49735	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:35.601978064 CET	18490	49735	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:35.664186954 CET	18490	49735	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:37.429878950 CET	49736	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:37.671168089 CET	18490	49736	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:37.671314001 CET	49736	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:37.678303957 CET	49736	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:37.919182062 CET	18490	49736	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:37.919446945 CET	49736	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:38.160406113 CET	18490	49736	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:41.941314936 CET	49736	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:42.182235956 CET	18490	49736	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:54.543812037 CET	18490	49736	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:54.543926001 CET	49736	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:56.550579071 CET	49736	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:56.553515911 CET	49738	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:56.792188883 CET	18490	49736	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:56.793601990 CET	18490	49738	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:56.793713093 CET	49738	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:56.798991919 CET	49738	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:57.039700985 CET	18490	49738	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:57.039799929 CET	49738	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:57.280219078 CET	18490	49738	18.156.13.209	192.168.2.4
Dec 13, 2023 20:57:58.863471031 CET	49738	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:57:59.103889942 CET	18490	49738	18.156.13.209	192.168.2.4
Dec 13, 2023 20:58:04.363184929 CET	49738	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:58:04.603060961 CET	18490	49738	18.156.13.209	192.168.2.4
Dec 13, 2023 20:58:06.222500086 CET	49738	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:58:06.462677002 CET	18490	49738	18.156.13.209	192.168.2.4
Dec 13, 2023 20:58:09.930974007 CET	18490	49738	18.156.13.209	192.168.2.4
Dec 13, 2023 20:58:09.931065083 CET	49738	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:58:11.941078901 CET	49738	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:58:12.082947969 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:12.181025982 CET	18490	49738	18.156.13.209	192.168.2.4
Dec 13, 2023 20:58:12.323684931 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:12.323796988 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:12.331562042 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:12.572069883 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:12.572285891 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:12.812907934 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:13.254117966 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:13.494761944 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:13.494853020 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:13.736146927 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:13.736285925 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:13.977941990 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:13.978131056 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:14.219233036 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:14.219398022 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:14.460613012 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:14.460778952 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:14.704790115 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:14.713036060 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:14.713182926 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:14.945477962 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:14.945533991 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:14.945681095 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:14.953753948 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:15.169796944 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:15.186440945 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:15.186701059 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:15.411144018 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:15.411273003 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:15.411288977 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:15.428788900 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:15.429052114 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:15.651911974 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:15.652097940 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:15.669529915 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:15.669610023 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:15.875209093 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:15.895200968 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:15.895339966 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:15.912581921 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:15.912646055 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:16.115864038 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:16.115992069 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:16.136182070 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:16.136260033 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:16.153175116 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:16.153268099 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:16.356880903 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:16.357135057 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:16.377103090 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:16.377217054 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:16.396172047 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:16.396264076 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:16.597929955 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:16.598118067 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:16.618135929 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:16.618225098 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:16.637366056 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:16.637554884 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:16.840553045 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:16.840733051 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:16.859939098 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:16.860069036 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:16.879261971 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:16.879466057 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:17.081577063 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:17.081705093 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:17.100591898 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:17.100653887 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:17.119883060 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:17.119942904 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:17.322976112 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:17.323148966 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:17.341845989 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:17.342066050 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:17.360528946 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:17.360615015 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:17.563947916 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:17.564084053 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:17.582652092 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:17.582748890 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:17.601597071 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:17.601758957 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:17.804864883 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:17.805177927 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:17.823177099 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:17.823322058 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:17.842518091 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:17.842931986 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:18.045799017 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:18.045902014 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:18.063874006 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:18.064205885 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:18.083477974 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:18.083571911 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:18.287249088 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:18.287336111 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:18.305883884 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:18.305943012 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:18.325047016 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:18.325105906 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:18.527883053 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:18.528121948 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:18.546380997 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:18.546479940 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:18.565574884 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:18.565661907 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:18.768918037 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:18.769098997 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:18.787081957 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:18.787230968 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:18.806224108 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:18.806302071 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:19.009768009 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:19.009862900 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:19.027837992 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:19.027959108 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:19.046871901 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:19.047060966 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:19.250597954 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:19.250861883 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:19.268507004 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:19.268666029 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:19.287642956 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:19.287801981 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:19.491650105 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:19.491739988 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:19.509202003 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:19.509254932 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:19.528373957 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:19.528429985 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:19.732462883 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:19.732661009 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:19.749831915 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:19.749968052 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:19.768881083 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:19.769110918 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:19.973423004 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:19.973664999 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:19.990678072 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:19.990915060 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:20.009567022 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:20.009706020 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:20.214232922 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:20.214411974 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:20.231498003 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:20.231774092 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:20.250241995 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:20.250543118 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:20.454951048 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:20.455291986 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:20.472173929 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:20.472347975 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:20.491067886 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:20.491255045 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:20.695822954 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:20.696114063 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:20.712800026 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:20.712934017 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:20.732532024 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:20.732749939 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:20.936767101 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:20.936976910 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:20.953495979 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:20.953753948 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:20.973351002 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:20.973526001 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:21.177566051 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:21.177783012 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:21.194268942 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:21.214154959 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:21.214209080 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:21.419270039 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:21.419375896 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:21.456235886 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:21.456384897 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:21.663800001 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:21.663945913 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:21.697432041 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:21.697525978 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:21.943638086 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:21.974059105 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:21.974059105 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:22.003432035 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:22.215030909 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:22.215055943 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:22.243927956 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:22.244132996 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:22.479509115 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:22.484718084 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:22.720546007 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:22.720797062 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:22.962318897 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:22.962424040 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:23.203275919 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:23.203389883 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:23.444027901 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:23.444197893 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:23.685127974 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:23.685334921 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:23.926203012 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:23.926666975 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:24.167313099 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:24.167428017 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:24.408118010 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:24.408329010 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:24.635047913 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:24.649152994 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:24.649255991 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:24.876024961 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:24.876210928 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:24.889792919 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:24.889883041 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:25.117310047 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:25.117429018 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:25.130394936 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:25.130472898 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:25.358213902 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:25.358364105 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:25.371115923 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:25.371239901 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:25.599272013 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:25.599622011 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:25.612026930 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:25.612112045 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:25.840692043 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:25.840806961 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:25.852587938 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:25.852657080 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:26.082458973 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:26.082570076 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:26.094795942 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:26.094885111 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:26.323868036 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:26.323992968 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:26.336225033 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:26.336324930 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:26.564932108 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:26.565049887 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:26.576931953 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:26.577002048 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:26.805849075 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:26.805984974 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:26.817564011 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:26.817636013 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:27.046698093 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:27.046801090 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:27.058078051 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:27.058144093 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:27.287436008 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:27.287564993 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:27.298739910 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:27.298860073 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:27.528306961 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:27.528445959 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:27.539463997 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:27.539546967 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:27.769156933 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:27.769339085 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:27.780323982 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:27.780452013 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:28.010613918 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:28.010725021 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:28.021961927 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:28.022041082 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:28.251516104 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:28.251691103 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:28.262594938 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:28.262722015 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:28.492284060 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:28.492415905 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:28.503184080 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:28.503387928 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:28.703078985 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:28.703174114 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:28.733028889 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:28.744060040 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:28.943855047 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:29.057013988 CET	18490	49739	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:29.057101965 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:30.722616911 CET	49739	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:30.726398945 CET	49740	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:30.967379093 CET	18490	49740	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:30.967760086 CET	49740	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:30.976408958 CET	49740	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:31.218096018 CET	18490	49740	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:31.218360901 CET	49740	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:31.460079908 CET	18490	49740	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:34.292329073 CET	49740	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:34.533658028 CET	18490	49740	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:46.426465988 CET	18490	49740	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:46.426562071 CET	49740	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:48.441021919 CET	49740	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:48.444349051 CET	49741	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:48.681973934 CET	18490	49740	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:48.686448097 CET	18490	49741	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:48.686599016 CET	49741	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:48.693931103 CET	49741	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:48.936124086 CET	18490	49741	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:48.936322927 CET	49741	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:49.178491116 CET	18490	49741	18.192.93.86	192.168.2.4
Dec 13, 2023 20:58:50.550981998 CET	49741	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:58:50.793252945 CET	18490	49741	18.192.93.86	192.168.2.4
Dec 13, 2023 20:59:02.885438919 CET	18490	49741	18.192.93.86	192.168.2.4
Dec 13, 2023 20:59:02.885561943 CET	49741	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:59:04.894279957 CET	49741	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:59:04.896042109 CET	49742	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:59:05.135585070 CET	18490	49741	18.192.93.86	192.168.2.4
Dec 13, 2023 20:59:05.138145924 CET	18490	49742	18.192.93.86	192.168.2.4
Dec 13, 2023 20:59:05.138245106 CET	49742	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:59:05.233881950 CET	49742	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:59:05.476506948 CET	18490	49742	18.192.93.86	192.168.2.4
Dec 13, 2023 20:59:05.476603985 CET	49742	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:59:05.718575001 CET	18490	49742	18.192.93.86	192.168.2.4
Dec 13, 2023 20:59:07.394262075 CET	49742	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:59:07.636317968 CET	18490	49742	18.192.93.86	192.168.2.4
Dec 13, 2023 20:59:18.519399881 CET	49742	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:59:18.761509895 CET	18490	49742	18.192.93.86	192.168.2.4
Dec 13, 2023 20:59:22.207993031 CET	49742	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:59:22.449979067 CET	18490	49742	18.192.93.86	192.168.2.4
Dec 13, 2023 20:59:26.756757975 CET	18490	49742	18.192.93.86	192.168.2.4
Dec 13, 2023 20:59:26.756860018 CET	49742	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:59:28.769045115 CET	49742	18490	192.168.2.4	18.192.93.86
Dec 13, 2023 20:59:28.931339979 CET	49743	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:29.011313915 CET	18490	49742	18.192.93.86	192.168.2.4
Dec 13, 2023 20:59:29.173384905 CET	18490	49743	18.156.13.209	192.168.2.4
Dec 13, 2023 20:59:29.173489094 CET	49743	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:29.178728104 CET	49743	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:29.420447111 CET	18490	49743	18.156.13.209	192.168.2.4
Dec 13, 2023 20:59:29.420655966 CET	49743	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:29.662597895 CET	18490	49743	18.156.13.209	192.168.2.4
Dec 13, 2023 20:59:30.005098104 CET	49743	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:30.247769117 CET	18490	49743	18.156.13.209	192.168.2.4
Dec 13, 2023 20:59:33.707458973 CET	49743	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:33.949954033 CET	18490	49743	18.156.13.209	192.168.2.4
Dec 13, 2023 20:59:34.191294909 CET	49743	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:34.433254957 CET	18490	49743	18.156.13.209	192.168.2.4
Dec 13, 2023 20:59:35.737833023 CET	49743	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:35.979918003 CET	18490	49743	18.156.13.209	192.168.2.4
Dec 13, 2023 20:59:35.980032921 CET	49743	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:36.222721100 CET	18490	49743	18.156.13.209	192.168.2.4
Dec 13, 2023 20:59:36.738003016 CET	49743	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:37.065881968 CET	49743	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:37.307743073 CET	18490	49743	18.156.13.209	192.168.2.4
Dec 13, 2023 20:59:37.308006048 CET	49743	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:37.402365923 CET	18490	49743	18.156.13.209	192.168.2.4
Dec 13, 2023 20:59:37.402462006 CET	49743	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:37.550308943 CET	18490	49743	18.156.13.209	192.168.2.4
Dec 13, 2023 20:59:37.628462076 CET	49743	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:37.644243002 CET	18490	49743	18.156.13.209	192.168.2.4
Dec 13, 2023 20:59:37.870446920 CET	18490	49743	18.156.13.209	192.168.2.4
Dec 13, 2023 20:59:39.411741018 CET	49744	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:39.651463032 CET	18490	49744	18.156.13.209	192.168.2.4
Dec 13, 2023 20:59:39.651768923 CET	49744	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:39.730343103 CET	49744	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:39.970319033 CET	18490	49744	18.156.13.209	192.168.2.4
Dec 13, 2023 20:59:39.970422983 CET	49744	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:40.212121010 CET	18490	49744	18.156.13.209	192.168.2.4
Dec 13, 2023 20:59:55.213386059 CET	18490	49744	18.156.13.209	192.168.2.4
Dec 13, 2023 20:59:55.213572979 CET	49744	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 20:59:58.721664906 CET	18490	49744	18.156.13.209	192.168.2.4
Dec 13, 2023 20:59:58.769035101 CET	49744	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 21:00:01.081789970 CET	49744	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 21:00:01.086968899 CET	49745	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 21:00:01.327130079 CET	18490	49745	18.156.13.209	192.168.2.4
Dec 13, 2023 21:00:01.327264071 CET	49745	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 21:00:01.333422899 CET	49745	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 21:00:01.573710918 CET	18490	49745	18.156.13.209	192.168.2.4
Dec 13, 2023 21:00:01.573921919 CET	49745	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 21:00:01.814137936 CET	18490	49745	18.156.13.209	192.168.2.4
Dec 13, 2023 21:00:04.191354990 CET	49745	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 21:00:04.431564093 CET	18490	49745	18.156.13.209	192.168.2.4
Dec 13, 2023 21:00:11.912884951 CET	18490	49745	18.156.13.209	192.168.2.4
Dec 13, 2023 21:00:11.912955999 CET	49745	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 21:00:13.925451994 CET	49745	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 21:00:13.928412914 CET	49746	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 21:00:14.165858984 CET	18490	49745	18.156.13.209	192.168.2.4
Dec 13, 2023 21:00:14.167917967 CET	18490	49746	18.156.13.209	192.168.2.4
Dec 13, 2023 21:00:14.168024063 CET	49746	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 21:00:14.180569887 CET	49746	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 21:00:14.420924902 CET	18490	49746	18.156.13.209	192.168.2.4
Dec 13, 2023 21:00:14.421142101 CET	49746	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 21:00:14.661237001 CET	18490	49746	18.156.13.209	192.168.2.4
Dec 13, 2023 21:00:20.521338940 CET	49746	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 21:00:20.761042118 CET	18490	49746	18.156.13.209	192.168.2.4
Dec 13, 2023 21:00:29.184673071 CET	18490	49746	18.156.13.209	192.168.2.4
Dec 13, 2023 21:00:29.184756994 CET	49746	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 21:00:31.190916061 CET	49746	18490	192.168.2.4	18.156.13.209
Dec 13, 2023 21:00:31.353108883 CET	49747	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:31.431098938 CET	18490	49746	18.156.13.209	192.168.2.4
Dec 13, 2023 21:00:31.595365047 CET	18490	49747	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:31.595617056 CET	49747	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:31.603382111 CET	49747	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:31.845268011 CET	18490	49747	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:31.845369101 CET	49747	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:32.086793900 CET	18490	49747	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:32.601428032 CET	49747	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:32.841470003 CET	18490	49747	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:32.841579914 CET	49747	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:32.842941046 CET	18490	49747	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:33.083548069 CET	18490	49747	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:34.849711895 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:35.092462063 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:35.092634916 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:35.097287893 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:35.340032101 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:35.340153933 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:35.582632065 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:41.535398960 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:41.778038979 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:41.878498077 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:42.120965004 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:43.175329924 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:43.419249058 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:43.419365883 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:43.662395954 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:43.961201906 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:44.203645945 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:44.203722954 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:44.449342966 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:44.449475050 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:44.692234039 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:44.692385912 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:44.935211897 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:44.935384035 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:45.180768013 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:45.180900097 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:45.424686909 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:45.424896002 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:45.667386055 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:45.667541981 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:45.913842916 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:45.913932085 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:46.156513929 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:46.156629086 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:46.399116993 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:46.399245977 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:46.431412935 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:46.431587934 CET	49748	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:46.641813993 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:46.674055099 CET	18490	49748	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:48.443794012 CET	49749	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:48.685277939 CET	18490	49749	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:48.685491085 CET	49749	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:49.784106970 CET	49749	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:50.028388977 CET	18490	49749	3.126.37.18	192.168.2.4
Dec 13, 2023 21:00:50.028477907 CET	49749	18490	192.168.2.4	3.126.37.18
Dec 13, 2023 21:00:50.270064116 CET	18490	49749	3.126.37.18	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2023 20:57:10.771677971 CET	55857	53	192.168.2.4	1.1.1.1
Dec 13, 2023 20:57:10.898550987 CET	53	55857	1.1.1.1	192.168.2.4
Dec 13, 2023 20:58:11.942609072 CET	57231	53	192.168.2.4	1.1.1.1
Dec 13, 2023 20:58:12.081834078 CET	53	57231	1.1.1.1	192.168.2.4
Dec 13, 2023 20:59:28.770751953 CET	62649	53	192.168.2.4	1.1.1.1
Dec 13, 2023 20:59:28.930294037 CET	53	62649	1.1.1.1	192.168.2.4
Dec 13, 2023 21:00:31.193830013 CET	50278	53	192.168.2.4	1.1.1.1
Dec 13, 2023 21:00:31.351510048 CET	53	50278	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2023 20:57:10.771677971 CET	192.168.2.4	1.1.1.1	0xb08c	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Dec 13, 2023 20:58:11.942609072 CET	192.168.2.4	1.1.1.1	0x7630	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Dec 13, 2023 20:59:28.770751953 CET	192.168.2.4	1.1.1.1	0x2154	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Dec 13, 2023 21:00:31.193830013 CET	192.168.2.4	1.1.1.1	0x88ed	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 13, 2023 20:57:10.898550987 CET	1.1.1.1	192.168.2.4	0xb08c	No error (0)	2.tcp.eu.ngrok.io	18.156.13.209	A (IP address)	IN (0x0001)	false
Dec 13, 2023 20:58:12.081834078 CET	1.1.1.1	192.168.2.4	0x7630	No error (0)	2.tcp.eu.ngrok.io	18.192.93.86	A (IP address)	IN (0x0001)	false
Dec 13, 2023 20:59:28.930294037 CET	1.1.1.1	192.168.2.4	0x2154	No error (0)	2.tcp.eu.ngrok.io	18.156.13.209	A (IP address)	IN (0x0001)	false
Dec 13, 2023 21:00:31.351510048 CET	1.1.1.1	192.168.2.4	0x88ed	No error (0)	2.tcp.eu.ngrok.io	3.126.37.18	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	20:56:54
Start date:	13/12/2023
Path:	C:\Users\user\Desktop\pQBmVoyRnw.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\pQBmVoyRnw.exe
Imagebase:	0xee0000
File size:	308'224 bytes
MD5 hash:	16C7B2832CE255D5DA4A5D85A4089758
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1651277682.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1651277682.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.1651277682.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:57:01
Start date:	13/12/2023
Path:	C:\Users\user\System.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\System.exe"
Imagebase:	0x820000
File size:	308'224 bytes
MD5 hash:	16C7B2832CE255D5DA4A5D85A4089758
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000002.4111124324.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\System.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\System.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\System.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\System.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	20:57:07
Start date:	13/12/2023
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\System.exe" "System.exe" ENABLE
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:57:07
Start date:	13/12/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	37
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 05830310 Relevance: 7.7, Strings: 6, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=[4k^, xrefs: 05830477, 0583047C
[4k^, xrefs: 05830545, 0583054A
2*l, xrefs: 058304E9
-[4k^, xrefs: 058304DA, 058304DF
2*l, xrefs: 0583048B
2*l, xrefs: 05830554

Memory Dump Source

Source File: 00000000.00000002.1719687379.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5830000_pQBmVoyRnw.jbxd

Similarity

API ID:
String ID: [4k^$-[4k^$2*l$2*l$2*l$=[4k^
API String ID: 0-2407101900
Opcode ID: 8c6e40f1e62e8637664915de84ea5c8f2b14aca0506c099b8742cdc7d6c68f5c
Instruction ID: 07aaaabf1cb4ea166773daf28ce6aa9425c7d87d78468f1a92665b946feb0342
Opcode Fuzzy Hash: 8c6e40f1e62e8637664915de84ea5c8f2b14aca0506c099b8742cdc7d6c68f5c
Instruction Fuzzy Hash: 1C5102307002058BC718EB7D94156BE77E7FB89208B548069E806DF7D5DF39DE0A8BA2

Uniqueness

Uniqueness Score: -1.00%

Function 058303BD Relevance: 7.6, Strings: 6, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=[4k^, xrefs: 05830477, 0583047C
[4k^, xrefs: 05830545, 0583054A
2*l, xrefs: 058304E9
-[4k^, xrefs: 058304DA, 058304DF
2*l, xrefs: 0583048B
2*l, xrefs: 05830554

Memory Dump Source

Source File: 00000000.00000002.1719687379.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5830000_pQBmVoyRnw.jbxd

Similarity

API ID:
String ID: [4k^$-[4k^$2*l$2*l$2*l$=[4k^
API String ID: 0-2407101900
Opcode ID: a79b7060878d4a6cd99b84879b8911524584636483c001dfb24286a14e17be15
Instruction ID: 08d6ea051206514f29248ecde04bb46bd3ed599c13b1d27e7f41e8f716754026
Opcode Fuzzy Hash: a79b7060878d4a6cd99b84879b8911524584636483c001dfb24286a14e17be15
Instruction Fuzzy Hash: FB41B430B002558BCB08A77D90152FD72D7AFC9648B548029D906DF7D4DF29CE0A8BE6

Uniqueness

Uniqueness Score: -1.00%

Function 05830958 Relevance: 1.7, Strings: 1, Instructions: 482
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\O*l, xrefs: 05830EB9

Memory Dump Source

Source File: 00000000.00000002.1719687379.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5830000_pQBmVoyRnw.jbxd

Similarity

API ID:
String ID: \O*l
API String ID: 0-4030088352
Opcode ID: 316844f3c312a967ffe82204a0371bbf86c518c7cac36550c598c291b1feda0f
Instruction ID: f137ae00b2d7d4f923a002da8c8d5b2ad882d3375424631dcb3469b39a9ae7b0
Opcode Fuzzy Hash: 316844f3c312a967ffe82204a0371bbf86c518c7cac36550c598c291b1feda0f
Instruction Fuzzy Hash: FC027A30701204CFCB58EB78E455BAE77E6EF88208F608568D906DB7A5DF399C46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0187A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0187A6B9

Memory Dump Source

Source File: 00000000.00000002.1719287915.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187a000_pQBmVoyRnw.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 33afe6a25dd71b5638c31bd8331dad94eb82636393a97a708c6012de62b4469d
Instruction ID: a0554a0f5611e076710f8f431bc7cf13716550521707631f41203bc342a1f25f
Opcode Fuzzy Hash: 33afe6a25dd71b5638c31bd8331dad94eb82636393a97a708c6012de62b4469d
Instruction Fuzzy Hash: 6A318FB55093806FE712CB65DC85B96BFF8EF06310F08849AE984CB292D365E909C761

Uniqueness

Uniqueness Score: -1.00%

Function 0187A361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,A7F2C20D,00000000,00000000,00000000,00000000), ref: 0187A40C

Memory Dump Source

Source File: 00000000.00000002.1719287915.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187a000_pQBmVoyRnw.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a911314adee2f3901886db479946ae54d5613a8383bb3f8fa60e728e5f2eed20
Instruction ID: 2c5b01349a7ecc367be03cc16b9c24d948e93eebc4c61ab1307ce672dce506f3
Opcode Fuzzy Hash: a911314adee2f3901886db479946ae54d5613a8383bb3f8fa60e728e5f2eed20
Instruction Fuzzy Hash: 87315E75509780AFE722CF15DC84FA6BBF8EF06710F08849AE945CB292D364E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0187A462 Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,A7F2C20D,00000000,00000000,00000000,00000000), ref: 0187A4F8

Memory Dump Source

Source File: 00000000.00000002.1719287915.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187a000_pQBmVoyRnw.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 895c380ec64dc2a24b8a715fe181465ffafabaae0d498433ef226d69ac792ada
Instruction ID: e27df3363cce7c15005753328cdede63075d709cbf42d3e64987859bb4b85068
Opcode Fuzzy Hash: 895c380ec64dc2a24b8a715fe181465ffafabaae0d498433ef226d69ac792ada
Instruction Fuzzy Hash: 972192B65043806FD7228F55DC44FA7BFB8DF45310F08849AE945CB692D365E948C771

Uniqueness

Uniqueness Score: -1.00%

Function 0187AA07 Relevance: 1.6, APIs: 1, Instructions: 72
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 0187AA86

Memory Dump Source

Source File: 00000000.00000002.1719287915.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187a000_pQBmVoyRnw.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 7fe92be6d366e8823227164bf71373c3c5a5e26e2f9a2d1a8356704c32fd00c1
Instruction ID: e661d4bdc315c5d4ef048a95f9ee099c26dcd9a1706322acedbe7e4c49b3dd45
Opcode Fuzzy Hash: 7fe92be6d366e8823227164bf71373c3c5a5e26e2f9a2d1a8356704c32fd00c1
Instruction Fuzzy Hash: C12171B25053809FE711CB25DD45B56BFF8EF06310F0D84DAE984CB163D264DA08CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0187A646 Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0187A6B9

Memory Dump Source

Source File: 00000000.00000002.1719287915.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187a000_pQBmVoyRnw.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 08f17ecd655c1c2403e7c684da2cb5bf95958c8fd239d386f2d4ee64dc9db321
Instruction ID: 8cfa819ab66b9a21c37ddda914acb0163ee8b1a95e9fb51e060f3bfef5075ba5
Opcode Fuzzy Hash: 08f17ecd655c1c2403e7c684da2cb5bf95958c8fd239d386f2d4ee64dc9db321
Instruction Fuzzy Hash: E921B0756042449FE714DB25DC85BAAFBE8EF04324F08C46AE945CB741E375E909CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0187A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,A7F2C20D,00000000,00000000,00000000,00000000), ref: 0187A40C

Memory Dump Source

Source File: 00000000.00000002.1719287915.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187a000_pQBmVoyRnw.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 60825f74934ca2bf01e03521218dcc3ee9d8278e597b612a8684c0be197819c6
Instruction ID: 25c9d470fa12af3b790bdfaee000fc6c94c7a1a49052e535ae1c44690def71de
Opcode Fuzzy Hash: 60825f74934ca2bf01e03521218dcc3ee9d8278e597b612a8684c0be197819c6
Instruction Fuzzy Hash: 82219075600604AFE721CF15DC84FAAF7ECEF04724F08C49AE945CB651D765EA09CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0187A486 Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,A7F2C20D,00000000,00000000,00000000,00000000), ref: 0187A4F8

Memory Dump Source

Source File: 00000000.00000002.1719287915.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187a000_pQBmVoyRnw.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 24657492acc85309a007f9086f22d697fcf90a1b0e308af0e725cf93a98804e1
Instruction ID: 05fccd295790f679725037373f83cbd38571748fa73c80b26b42e54526066734
Opcode Fuzzy Hash: 24657492acc85309a007f9086f22d697fcf90a1b0e308af0e725cf93a98804e1
Instruction Fuzzy Hash: 8E11AFB6500604AFE7218F55DC84FAABBE8EF04724F08845AE945CB691D361E548CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0187A2D2 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 0187A330

Memory Dump Source

Source File: 00000000.00000002.1719287915.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187a000_pQBmVoyRnw.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 6d0bd85e8f6edc24394e0b2c036053ca1732df929f35cdd8b4f56c43fc313c68
Instruction ID: 5968c6199ec5fdb9bbbac7487c80e67c99300aa376169849f891660dac32aa90
Opcode Fuzzy Hash: 6d0bd85e8f6edc24394e0b2c036053ca1732df929f35cdd8b4f56c43fc313c68
Instruction Fuzzy Hash: 0221297540E3C0AFD7138B259C54A56BFB49F47220F0D80DBED848F2A3C269A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0187AC24 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 0187AC80

Memory Dump Source

Source File: 00000000.00000002.1719287915.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187a000_pQBmVoyRnw.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 452cac0e555c3dc5c229c46107ce9276f72bd30d1a44ebdaa04689ee57f58162
Instruction ID: 38b9a23975adb5b9f5bf05fa659ec6ff604f66d8abed7986ad538ea5122fefd3
Opcode Fuzzy Hash: 452cac0e555c3dc5c229c46107ce9276f72bd30d1a44ebdaa04689ee57f58162
Instruction Fuzzy Hash: C9115E75509380AFD712CB65DC94B56BFA8DF46220F0884EAED45CB252D265E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0187A8A4 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0187A903

Memory Dump Source

Source File: 00000000.00000002.1719287915.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187a000_pQBmVoyRnw.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 547230958c8cbb1bdb30544473de43f560003715f586e9ffd440f049e44615bd
Instruction ID: 5475603733979c19a1218147e8d57b8189c5f62249662a488693ffb6140da6a4
Opcode Fuzzy Hash: 547230958c8cbb1bdb30544473de43f560003715f586e9ffd440f049e44615bd
Instruction Fuzzy Hash: 6911B2755043809FDB15CF25DC84B56BFE8EF46320F0D84AAED85CB252D278E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0187AA3E Relevance: 1.6, APIs: 1, Instructions: 53
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 0187AA86

Memory Dump Source

Source File: 00000000.00000002.1719287915.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187a000_pQBmVoyRnw.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 4c25b8346011010e215c30b15862f08622ad661b118d50e7ca3fb54b53103e3a
Instruction ID: 5746d3898976fbdc3099c01466fe4fad03bfca0376902781abdb00f6cea1cc71
Opcode Fuzzy Hash: 4c25b8346011010e215c30b15862f08622ad661b118d50e7ca3fb54b53103e3a
Instruction Fuzzy Hash: F31165756002409FEB14DF59D985B5AFBE8EF04320F0C84AAED49CB752D775E604CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0187A8C6 Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0187A903

Memory Dump Source

Source File: 00000000.00000002.1719287915.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187a000_pQBmVoyRnw.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 96bb42321b0527e7505aa74824946719c2fb96eac7b00491026c92dd18100207
Instruction ID: d561d0732868585cbf15a274cc667eb78176ef7690fdc93b71cf27c8ccc5d03b
Opcode Fuzzy Hash: 96bb42321b0527e7505aa74824946719c2fb96eac7b00491026c92dd18100207
Instruction Fuzzy Hash: 570192766002449FEB14CF29D88476AFBE4EF04324F0C84AADD59CB752E375E648CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0187AC46 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 0187AC80

Memory Dump Source

Source File: 00000000.00000002.1719287915.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187a000_pQBmVoyRnw.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 2f77a24c8b7952716f8cf2d94e215b56c486c6fc8d7bf246a0831cf5480cb7f4
Instruction ID: cc1b93b3931fae343dcefec2fce05b41318989959f1cca14a8f129f2c7285e5c
Opcode Fuzzy Hash: 2f77a24c8b7952716f8cf2d94e215b56c486c6fc8d7bf246a0831cf5480cb7f4
Instruction Fuzzy Hash: C7018075A042449FEB10CF59D98476ABBD8DF44324F0CC4AAED49CB652D375E608CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0187A2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0187A330

Memory Dump Source

Source File: 00000000.00000002.1719287915.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187a000_pQBmVoyRnw.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0f598bd95d84376869811e92a9b182fb715370dcb22f531a0f8576f3ff7a89a7
Instruction ID: dd9b37d452dafd837e5e37e3637aad2451b52c2666aec5726df15a0ef7c060bf
Opcode Fuzzy Hash: 0f598bd95d84376869811e92a9b182fb715370dcb22f531a0f8576f3ff7a89a7
Instruction Fuzzy Hash: B1F08C358042449FDB10CF19E884B69FBE0EF04324F0CC09ADD598B752D3B9E648CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 05830080 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719687379.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5830000_pQBmVoyRnw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899d0a1303d1f4bd15caffe42e08bdae86244fb383f81ecebff9dd260a507c75
Instruction ID: 7a19d02578ef347ed9b142a8f7f9e5faffb0a9f1293d89c9faecc75fa9f96cf6
Opcode Fuzzy Hash: 899d0a1303d1f4bd15caffe42e08bdae86244fb383f81ecebff9dd260a507c75
Instruction Fuzzy Hash: C35101702062828BCB04DB7CE5549DEB7A6FF84208741C979D5058B779DB38AD4ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 05830007 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719687379.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5830000_pQBmVoyRnw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519973a37305ae10496df6ccbbeabdc545e7ef01d77e77a6905df9f65ab3d54c
Instruction ID: bb946f70be5aa8099283bea3c73201f1e1530555c6ee0cb4843aaf4910e78774
Opcode Fuzzy Hash: 519973a37305ae10496df6ccbbeabdc545e7ef01d77e77a6905df9f65ab3d54c
Instruction Fuzzy Hash: E601526540E7C18FDB538778A8A87903FB0AF17224F0E42CBC4D0CA4A7D21C890ACB22

Uniqueness

Uniqueness Score: -1.00%

Function 05830889 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719687379.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5830000_pQBmVoyRnw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd2757a77ce72b01b57ad1f826ff855989755fefad7eef7bca8ad73492a7018
Instruction ID: c5ffb906cce3d09e5d25a0b917d1a041f6793fcb9469e942e82d16062bb1f4bd
Opcode Fuzzy Hash: 7dd2757a77ce72b01b57ad1f826ff855989755fefad7eef7bca8ad73492a7018
Instruction Fuzzy Hash: C901AD74605283CBCB44EB78D05859DBBE2EF84309F54C86DE589CB354EB759A088F53

Uniqueness

Uniqueness Score: -1.00%

Function 018B0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719370657.00000000018B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_pQBmVoyRnw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe5f0673a90024fc79c7bdc587c314007af8c9f41e4647705779a9672d231299
Instruction ID: d844fc0f023c6e55a45e65140f2742afdc7da2b63c5849e02595315c1436ef1f
Opcode Fuzzy Hash: fe5f0673a90024fc79c7bdc587c314007af8c9f41e4647705779a9672d231299
Instruction Fuzzy Hash: 3AE092B66006444B9750CF0AFC41852F7D8EB88630B18C07FDC0D8B701D636B508CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 018723F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719274278.0000000001872000.00000040.00000800.00020000.00000000.sdmp, Offset: 01872000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1872000_pQBmVoyRnw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2f5c85b5f6238e920bcf9051b0968fb2e86573b0de6002bf782a52d0c06559
Instruction ID: dce67a9c0241d73b52cc9f24243831c1f3b005a4ce51856facaa220d47dc5ee9
Opcode Fuzzy Hash: ed2f5c85b5f6238e920bcf9051b0968fb2e86573b0de6002bf782a52d0c06559
Instruction Fuzzy Hash: 57D05E7A2056C18FE316DE1CC1A4B953BE5BB51714F4A44F9A800CB763C768D681D600

Uniqueness

Uniqueness Score: -1.00%

Function 018723BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719274278.0000000001872000.00000040.00000800.00020000.00000000.sdmp, Offset: 01872000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1872000_pQBmVoyRnw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d0675087771ae154ae604a6fd0874e89382b16caca2825eb84462e9e87e5ee
Instruction ID: 06df0905ca732663e65ed846f7e994ce63f4c58bce19747b263496ddb3dc33ad
Opcode Fuzzy Hash: f3d0675087771ae154ae604a6fd0874e89382b16caca2825eb84462e9e87e5ee
Instruction Fuzzy Hash: FED05E343406814BD715DE0CC2D4F593BD5AB40B15F0644ECAC10CB772C7A8DAC0CA00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 018B026D Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719370657.00000000018B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_pQBmVoyRnw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e88cdce71f0303887a0b316fccd49f233d7718550ed8d8a7471854355c4f917b
Instruction ID: 4f51b7a287a025ccd08ddb3532ff97456854f8ac589504ec28e9cf047c392c50
Opcode Fuzzy Hash: e88cdce71f0303887a0b316fccd49f233d7718550ed8d8a7471854355c4f917b
Instruction Fuzzy Hash: BC11E9A254E3C04FD70387308CB52947F709E17208B1E45EBD4C5CE0E3E219480ECB62

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: System.exePID: 4488, Parent PID: 5408COMMON

Execution Graph

Execution Coverage:	18.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7.4%
Total number of Nodes:	190
Total number of Limit Nodes:	9

Executed Functions

Function 00E7BB6B Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00E7BBEB

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 773285f8a027990c8caa4fade2ed0cf7ff946c3e154660077f29a7aedede80c5
Instruction ID: 5cd911f37f3d8ea0aeebf4407313267023bfe5323b25c9ca60683f2ecbd6d68c
Opcode Fuzzy Hash: 773285f8a027990c8caa4fade2ed0cf7ff946c3e154660077f29a7aedede80c5
Instruction Fuzzy Hash: 54219F75509780AFDB228F25DC44B92BFB4EF16314F0884DAE9858B563D375A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0536038F Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 05360405

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: aeccecf38b616ca78725d78ce5396175854b409958d2d1613102066328f38017
Instruction ID: 8342246ee3208ab389d957ca215c0d96394e1c1d72d95fef9c13d832577c0f30
Opcode Fuzzy Hash: aeccecf38b616ca78725d78ce5396175854b409958d2d1613102066328f38017
Instruction Fuzzy Hash: F621AE754097C0AFDB238B21DC55A52FFB0EF16314F0980DBE9848B1A3D265A91DCB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E7BBA2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00E7BBEB

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 559dca858c04757b41ea7ba9868d74f0b3b929b5cb9d80a62f23317708dc2161
Instruction ID: 8eb27b601125c7dd75087a0770d87fbb04f4c64b7a095967ebcdf4faf2343007
Opcode Fuzzy Hash: 559dca858c04757b41ea7ba9868d74f0b3b929b5cb9d80a62f23317708dc2161
Instruction Fuzzy Hash: 4411A0755002409FDB21CF15D884BA6FBE4EF04320F08C4AAED498B665D735E418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E7BED0 Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL ref: 00E7BF2D

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 5549819fd675606c9c4e546900206d13f006c9c058559c8a006468da263a4224
Instruction ID: 55476aac219501e2a7ac340322123953e41542dc7ff1265a2569bd5dda3786ea
Opcode Fuzzy Hash: 5549819fd675606c9c4e546900206d13f006c9c058559c8a006468da263a4224
Instruction Fuzzy Hash: C211A071409380AFCB228F15DC44B52FFB4EF16324F09C49AED884B662D275A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E7BEF2 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL ref: 00E7BF2D

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 3061f0e017a317061c88d0c0fdc4dc5cf643bf218c4ce7cd89b786ddea6a117f
Instruction ID: dfa26be7392158f432f75bc074287a4ca4b5d857334c661010cfa13c4180f05c
Opcode Fuzzy Hash: 3061f0e017a317061c88d0c0fdc4dc5cf643bf218c4ce7cd89b786ddea6a117f
Instruction Fuzzy Hash: 59018B359002409FDB208F05DC84B66FBE0FF18725F08C09AEE494B662D375E818DF62

Uniqueness

Uniqueness Score: -1.00%

Function 053603CA Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 05360405

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: f163e31c8c566b0b6f92e5f6225306cb5336a5485f07886e09b39f0bced5639a
Instruction ID: 06f0cf7994347da6d488884719c938ea8a10a34e38632610b00f8f12a4461590
Opcode Fuzzy Hash: f163e31c8c566b0b6f92e5f6225306cb5336a5485f07886e09b39f0bced5639a
Instruction Fuzzy Hash: 28018F354002449FDB21CF05D849B65FBE5EF04321F08C09EDD450B666D3B5E418CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05030310 Relevance: 3.9, Strings: 3, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2*l, xrefs: 0503048B
2*l, xrefs: 050304E9
2*l, xrefs: 05030554

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID: 2*l$2*l$2*l
API String ID: 0-1651321300
Opcode ID: 909dd3438bdf586c0f1d44b96602ef7a931fceb09af5635b99020d1809975571
Instruction ID: c3da250045aa7a9deb15a9678bb913f699c0c8e473f68cc9a6f9522b6802f568
Opcode Fuzzy Hash: 909dd3438bdf586c0f1d44b96602ef7a931fceb09af5635b99020d1809975571
Instruction Fuzzy Hash: B25148307002158FDB0CEB35A4256BD77E7AF85304B058169E406DB3E5DF35CD0A9BA2

Uniqueness

Uniqueness Score: -1.00%

Function 050303BD Relevance: 3.9, Strings: 3, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2*l, xrefs: 0503048B
2*l, xrefs: 050304E9
2*l, xrefs: 05030554

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID: 2*l$2*l$2*l
API String ID: 0-1651321300
Opcode ID: 3cad1f8b6f1da709e1dfd34157501a36e7ecfe3e0b07bed23ba59c7a35f0c370
Instruction ID: 842fb6b14d3d8dc48eda016a2544f5639f074d4d56dd46a470cbab6a8c912b86
Opcode Fuzzy Hash: 3cad1f8b6f1da709e1dfd34157501a36e7ecfe3e0b07bed23ba59c7a35f0c370
Instruction Fuzzy Hash: 74411830B002154BDB4CF77994252BD72D7AFC5248B488029E806EB7D5DF29CD0AA7E6

Uniqueness

Uniqueness Score: -1.00%

Function 05031F3F Relevance: 1.8, Strings: 1, Instructions: 569
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L.*l, xrefs: 05031FAB

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID: L.*l
API String ID: 0-3912938024
Opcode ID: 1dac6086ed73dee76eaf103e9ef0f72855558c535f69ee7987ed5b8d736da218
Instruction ID: bb912dc82be69b36c235f6231367ae74d50b183d2b24eda3240c9c81ea9ef77d
Opcode Fuzzy Hash: 1dac6086ed73dee76eaf103e9ef0f72855558c535f69ee7987ed5b8d736da218
Instruction Fuzzy Hash: 7312E535A002168FDB68EB79E4567BE72E6BF44304F148438D806EB391DB39DD85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05030958 Relevance: 1.7, Strings: 1, Instructions: 482
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\O*l, xrefs: 05030EB9

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID: \O*l
API String ID: 0-4030088352
Opcode ID: 7d050866534afc442e8af2777f49fc7fa271dcb9baf39eb4aab75d5e02a4e057
Instruction ID: f137c5267627854b422e799ffdc4b08f62478eddd34b819c60a734fe1930f236
Opcode Fuzzy Hash: 7d050866534afc442e8af2777f49fc7fa271dcb9baf39eb4aab75d5e02a4e057
Instruction Fuzzy Hash: ED02AE347002148FCB48EB79E465BAE73E6AF88308F104579D906EB7A9DF359C46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05362DF2 Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 05362EB9

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3d1ea14bd4e64d9559970fe5b49e0b30bc3b57bd6df8aace86770898d7bfb075
Instruction ID: 1e0bed3e10b707849d7c00b0cc90d1cf05e5ee7a4951911ce2fcb7fd4045e602
Opcode Fuzzy Hash: 3d1ea14bd4e64d9559970fe5b49e0b30bc3b57bd6df8aace86770898d7bfb075
Instruction Fuzzy Hash: E7319076504344AFE722CB65DC44FA7BFFCEF05210F08859AF9858B652E364E908CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05360F73 Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0536103A

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e69e1344de218105830422deb6b36f658be5e09d53c4939e7c69d992e1aa097e
Instruction ID: a21d7478f0026bca1b8cc3c8b723b6b96c58e84b05e562e35f64dc40f4819dc8
Opcode Fuzzy Hash: e69e1344de218105830422deb6b36f658be5e09d53c4939e7c69d992e1aa097e
Instruction Fuzzy Hash: 19317C7510E7C06FD3138B258C65A61BFB4EF47610B0E85CBD8C48F6A3D269A949C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05361BA0 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05361C67

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 509c895d9bdf095072fcce18a883af7a615af4a23e9991b1378adc2041e4baa1
Instruction ID: f50382f09597db8ff9b6c814ca28c8a956b771328bbc4fdab3c1fa3a44db83a7
Opcode Fuzzy Hash: 509c895d9bdf095072fcce18a883af7a615af4a23e9991b1378adc2041e4baa1
Instruction Fuzzy Hash: 673191B1504344AFE721CB50DC44FA7FBACEB04314F04889AFA499B691E3B5A948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05361E2E Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 05361EEE

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: a04e3abb574a8fdbf77f996740fcb5cd50be9c3a472b4919db5de0bef261a6d7
Instruction ID: 60ae3c62667e8bd591bdb1ac9548744c9a2b2bbb94f31b2c592490c950d28ac3
Opcode Fuzzy Hash: a04e3abb574a8fdbf77f996740fcb5cd50be9c3a472b4919db5de0bef261a6d7
Instruction Fuzzy Hash: 57316E7150E3C06FD3138B359C61AA2BFB8AF47210F1981DBD8C4DF5A3D225A959C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00E7B2CB Relevance: 1.6, APIs: 1, Instructions: 90
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00E7B385

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 563450d2097f17d43cda814fcff9f5fe87687b8df3886097e99fd3a12b82f5da
Instruction ID: e004d5d45ee4a3f58649bdf68cdf07f2b188bde8f08bfc5d3d12913f3a634894
Opcode Fuzzy Hash: 563450d2097f17d43cda814fcff9f5fe87687b8df3886097e99fd3a12b82f5da
Instruction Fuzzy Hash: 843191724083846FE722CB55DC84FA7BFBCEF05314F08849AE9849B653D364A948C771

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00E7A6B9

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 89a05e817b154afdb4c8c2a85ed6b78b9e245df09863dda6fd394b1fd3ef7ae2
Instruction ID: aef0aad6a1efb2e7235cc3267db9d5aca46d9ec901d71a47ffb487c24f986094
Opcode Fuzzy Hash: 89a05e817b154afdb4c8c2a85ed6b78b9e245df09863dda6fd394b1fd3ef7ae2
Instruction Fuzzy Hash: 013193755093806FE712CB65DC45B96BFF8EF06314F08C4AAE984CF292D365E909C762

Uniqueness

Uniqueness Score: -1.00%

Function 05361A98 Relevance: 1.6, APIs: 1, Instructions: 89
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 05361B35

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: e30299e9ff7213917d52c4f123f44c223b3919e77465e79c7f6b912887b7708e
Instruction ID: 3608a1acc89877a3d7f5a7f9858db3665c1fc0d5556483b47f6048f7f8b6892c
Opcode Fuzzy Hash: e30299e9ff7213917d52c4f123f44c223b3919e77465e79c7f6b912887b7708e
Instruction Fuzzy Hash: BA31F7725093806FD712CF60DC45FA6BFB8EF06310F08849EE9858B153D3659509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0536148C Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 05361523

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: eb130c07bcce92b2d6dbc88774deceb073127cd8433cea3215d888f8726df092
Instruction ID: de4bf7c509ef7ca8db48b0cf503385cc20b393c872c17673814902497aa67dc9
Opcode Fuzzy Hash: eb130c07bcce92b2d6dbc88774deceb073127cd8433cea3215d888f8726df092
Instruction Fuzzy Hash: E23161725083846FE721CB65DC45FA7BFA8EF45210F08849AE945DB652D364E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00E7BDD8 Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 00E7BE6C

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 21257ed7078ca53bff2527c3015c82e82a32247586629c751380d5078d14a92a
Instruction ID: 2da69530ae503cd66d93353cf4da90a1881cde075b645bf9438c885070bfc277
Opcode Fuzzy Hash: 21257ed7078ca53bff2527c3015c82e82a32247586629c751380d5078d14a92a
Instruction Fuzzy Hash: 2121B4B55093806FE7128B20DC45BA6BFB8EF46324F0884DBE944DF293D364A909C761

Uniqueness

Uniqueness Score: -1.00%

Function 00E7B025 Relevance: 1.6, APIs: 1, Instructions: 86
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00E7B0C9

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4dfab1ac93b29e778fef8724809a3ba93bdea928d751a880b2e1009a1f364b90
Instruction ID: a15d73f4031716c3c74605f880b2c787f00b23afd811b1b87bc9fd96c4bac95d
Opcode Fuzzy Hash: 4dfab1ac93b29e778fef8724809a3ba93bdea928d751a880b2e1009a1f364b90
Instruction Fuzzy Hash: 3831B171504384AFE721CF65DC85F52BBF8EF05314F08849EE9899B652D365E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05362E1E Relevance: 1.6, APIs: 1, Instructions: 86
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 05362EB9

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 693a3c6c37a44fc51199c18defffbce43d4c1415339816b1b25c85c0c5c8db31
Instruction ID: 998755a858b6d8ca18820acfba2defdfd97060d6bcaae5378921e99d8d63349b
Opcode Fuzzy Hash: 693a3c6c37a44fc51199c18defffbce43d4c1415339816b1b25c85c0c5c8db31
Instruction Fuzzy Hash: 6821AD76600204AFEB21CF55DC44FA7BBECEF08614F08856AF945CBA51E770E508CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 00E7A40C

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c9ff521e6de40e778748a90b44b530c73480c6d85b0647718be24f2dad8b4a94
Instruction ID: a14f2f66aa7001dc86f335b6c861878c6131e7f3cc28478a9b0e2e5b5f6c86d5
Opcode Fuzzy Hash: c9ff521e6de40e778748a90b44b530c73480c6d85b0647718be24f2dad8b4a94
Instruction Fuzzy Hash: 55318F75509780AFE722CF11CC84F96BBF8EF46314F08C49AE9459B292D364E909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05363160 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 053631F7

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 67b00cd2ff69b76d07abf68478743a7abb186e8dc592dc97db8d911f41fa3bf6
Instruction ID: 90fcab7a0c195dc3b2df545c79f783376dc30a74032c4a573e797e16c4ed2318
Opcode Fuzzy Hash: 67b00cd2ff69b76d07abf68478743a7abb186e8dc592dc97db8d911f41fa3bf6
Instruction Fuzzy Hash: 6821A5715093C46FE713CB20DC55BA6BFB8AF46214F08C4DBE9448F293D265A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 05361BC2 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05361C67

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 7600d2503ec09945528f04515829363239fdb04e6be787e9477d607f303e0770
Instruction ID: 0f5db8ce14c0db979eafd57ddd2da4095bd7fd09b91ea1e6b6c35b6daac0db72
Opcode Fuzzy Hash: 7600d2503ec09945528f04515829363239fdb04e6be787e9477d607f303e0770
Instruction Fuzzy Hash: 2F21B571500204AEE721DF50DC84FAAF7ACEF04714F04889AFA49DB685D7B5E548CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05031929 Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

\O*l, xrefs: 05031AA4

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID: \O*l
API String ID: 0-4030088352
Opcode ID: 0eb0f74c56c10ad0908a9891ebfaa0910aeb9b239b07b6522ba347e257624cca
Instruction ID: 3287a4a351119e7a5cd163e088dd0019360853e02c28982ffca728d30164c8c5
Opcode Fuzzy Hash: 0eb0f74c56c10ad0908a9891ebfaa0910aeb9b239b07b6522ba347e257624cca
Instruction Fuzzy Hash: CEC183707002648BDB09EB76E8227BE37E7AB8C308F10452AD506D7798DF399D46DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E7B120 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 00E7B1B5

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: e804f219381a73239d75bbd2cc1bb52787a2629da24d464a544d5e6ee219f6e8
Instruction ID: 86f86504de8cc42f331d287abdcd30442efd503d5abb6dfad9f3dd93f9b248af
Opcode Fuzzy Hash: e804f219381a73239d75bbd2cc1bb52787a2629da24d464a544d5e6ee219f6e8
Instruction Fuzzy Hash: 3821F5B54097806FE7128B259C45BA2BFBCEF07724F09C0D6E9848B293D264A909C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 05363091 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 05363120

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 4145059ea43e9d889f16a766fbc173d920b1505814e17a5e8fb09c6da9dc15de
Instruction ID: 054baa2dc0b0ecd34c64088274e71847b900f45b9b7a6d4aef8fa50d4d6b1b03
Opcode Fuzzy Hash: 4145059ea43e9d889f16a766fbc173d920b1505814e17a5e8fb09c6da9dc15de
Instruction Fuzzy Hash: 892171755093849FD712CF25DC44B52BFF8EF06210F0888DAE984CB263D365E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 00E7A4F8

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 436eb25f5ec7550c9b696f4b7cf02658d4e53cdb98906c50b2f4b304cb68f77c
Instruction ID: f03d74fa65697a88136cdfec1e21290c6042bab3f55ce61c2511be276c9f3275
Opcode Fuzzy Hash: 436eb25f5ec7550c9b696f4b7cf02658d4e53cdb98906c50b2f4b304cb68f77c
Instruction Fuzzy Hash: 7B2192B65043806FD7228F51DC44FA7BFB8DF45214F08849AE945DB692D364E948C771

Uniqueness

Uniqueness Score: -1.00%

Function 05361066 Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 053610F2

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: a2733beca0fae84f9478bef354efacbb746bec540a62134e8f66aec61c4d60d8
Instruction ID: 56b2cd0ac6975b73ae637305f984dbae8ed4c6dd54fd1e7572b9183cc13f3a18
Opcode Fuzzy Hash: a2733beca0fae84f9478bef354efacbb746bec540a62134e8f66aec61c4d60d8
Instruction Fuzzy Hash: 70219E71509380AFE722CF51DC44FA6FFB8EF05220F08889EE9858B652D375A509CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05361642 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 053616D6

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: b60d9b8ab71c6f1824df48c3965139c62df645c34f9999684105cb3ee5bfe2d2
Instruction ID: 315a84a3e4439be648ccbc400cf6a27bc331c3e2a89e90d2856a71a76911ec68
Opcode Fuzzy Hash: b60d9b8ab71c6f1824df48c3965139c62df645c34f9999684105cb3ee5bfe2d2
Instruction Fuzzy Hash: 4F21D171409380AFE722CF15DC45FA6FFF8EF09224F08849EE9858B652D365E508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E7B04A Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00E7B0C9

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b4fc232b69e486f8bbe3cd54ba47679bd9dd942b4857adc7975b229481b94c2b
Instruction ID: 96bb81365e57dd052adf801cf6c497648b2b9107f5dc4bba9f1d8b0878e0e872
Opcode Fuzzy Hash: b4fc232b69e486f8bbe3cd54ba47679bd9dd942b4857adc7975b229481b94c2b
Instruction Fuzzy Hash: 8321AE71600244AFEB20DF65DC45BA6FBE8EF08324F08C89DE9499B651D371E809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 053614B2 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 05361523

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 72c03976509c0d2a42d3bfcd06de590a144940c5e0089a5a75520f73e5fa0d61
Instruction ID: 2b103762e53c3420eda0ba077489ad58529354c27c8e6de8f39e8237bc08ca7a
Opcode Fuzzy Hash: 72c03976509c0d2a42d3bfcd06de590a144940c5e0089a5a75520f73e5fa0d61
Instruction Fuzzy Hash: 4121C272504204AFEB20DF25DC45FAAFBACEF04224F08C46AE945DB655E774E508CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0536139A Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 05361438

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5ea4534ca95b0e9ec135643d51bf7d15c3e1a2215587cf7d70f9aea5ab23d1e3
Instruction ID: 854fa593a0d2cb32a292ce36cc3593e434bade7bb09dbc45fd8cbb6166b081ca
Opcode Fuzzy Hash: 5ea4534ca95b0e9ec135643d51bf7d15c3e1a2215587cf7d70f9aea5ab23d1e3
Instruction Fuzzy Hash: 8F219F72508380AFD722CB11CC44FA7BFF8AF45310F08C49AE9459B692D365E918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 053602C0 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,BA751A35,00000000,?,?,?,?,?,?,?,?,6CBD3C58), ref: 05360346

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 62c46f1732e63c65775157a4a8708b6db671fa32711670499643101336c4f7f3
Instruction ID: 74569ff4c32d9fffaad401df9b9b0fedcc7b75bb86a2110c91e8ebdd183b689b
Opcode Fuzzy Hash: 62c46f1732e63c65775157a4a8708b6db671fa32711670499643101336c4f7f3
Instruction Fuzzy Hash: 3B216B715093C09FD712CB65DC99A92BFB8AF07220F0D84DBE984CF1A3D2649918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E7B1F0 Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 00E7B281

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: ec8140c3d71f675ee2d0f5892e0503ddd2fc3445c41f1d0944d5b73505023c02
Instruction ID: 720a2d3ab73ae1cf4cfc4af33b722f857598ea7e5879edf34602e5afefbcdd71
Opcode Fuzzy Hash: ec8140c3d71f675ee2d0f5892e0503ddd2fc3445c41f1d0944d5b73505023c02
Instruction Fuzzy Hash: FB219071409380AFD7228B51DC44FA6BFB8EF46314F08C49BE9849B663D365A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00E7B306 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00E7B385

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6f82afeec9bd2d55403cb1727ed12622065aaa1fd816f543ea1d721b78896e91
Instruction ID: fb1a9397dbb46924fe15c22b664de2a5ee445c15713d458880a8e8d612b8a36b
Opcode Fuzzy Hash: 6f82afeec9bd2d55403cb1727ed12622065aaa1fd816f543ea1d721b78896e91
Instruction Fuzzy Hash: 2E21AE72500204AEE721DF55DC84FABFBECEF14324F08C45AEA459B651E774E9488BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0536325F Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 053632DB

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 040566992c451ac44f514bd0b4344d2cc290911d063f88d518dde0a567510bbd
Instruction ID: 918f324e396cda0bd4bb3b7c3b7f4d874e31eba1d043291318609dd32cb978f8
Opcode Fuzzy Hash: 040566992c451ac44f514bd0b4344d2cc290911d063f88d518dde0a567510bbd
Instruction Fuzzy Hash: 3521C2715093806FD712CF55DC44FA7BFA8EF45220F08C49AE944CB252D364E908CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00E7A6B9

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: dc0fa3df56cf513efffb9a57bea0ac4c95c591bb8d0f9e59178bb4a49fca2672
Instruction ID: 899f44ff00293d67d844f893ca6d7c1666badcfa647d6cbbef406abc15b59c85
Opcode Fuzzy Hash: dc0fa3df56cf513efffb9a57bea0ac4c95c591bb8d0f9e59178bb4a49fca2672
Instruction Fuzzy Hash: 1A21C2756042409FE720DF65DC45BAAFBE8EF44324F08C4AAED489B741E375E909CA72

Uniqueness

Uniqueness Score: -1.00%

Function 053618D9 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 0536195C

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 1b0a3a7193a52775e989cfdeef0ad242caa37b03e145f3609b7eec8aaf3427ed
Instruction ID: f7bfb23b4ac23ac5a722a1501ec4b53d4be53455dc5a7308858a2e16f0d0a357
Opcode Fuzzy Hash: 1b0a3a7193a52775e989cfdeef0ad242caa37b03e145f3609b7eec8aaf3427ed
Instruction Fuzzy Hash: 332192B1409384AFD712CB10DC44FA6BFB8EF46220F08C4DBE9849F252D368A548CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00E7B9F3 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00E7BA6A

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 389e5d2ad37edd59042fc0090b1328b89c7a988efcf2bd9e02520d16bb6977be
Instruction ID: 300c57304ea51d8f7f7f52c1351b40a00e1434cff45bfb50ed6b871750993273
Opcode Fuzzy Hash: 389e5d2ad37edd59042fc0090b1328b89c7a988efcf2bd9e02520d16bb6977be
Instruction Fuzzy Hash: 78216F715093805FEB22CF25DC54B62BFF8EF56214F0884DAE985DF252D365E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 00E7A40C

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cc5cdeec4f3c4591eb6b0516a6cb1e7f296f09d0f0190558e359d51834d5a8e3
Instruction ID: fc5bc3c2c128a943ec9afec31673aedab01178751b29ef2d62f4cbe6f8d44f0e
Opcode Fuzzy Hash: cc5cdeec4f3c4591eb6b0516a6cb1e7f296f09d0f0190558e359d51834d5a8e3
Instruction Fuzzy Hash: D121C075600204AFE720CF15DC84FABF7ECEF44724F08C4AAE9499B651E360E809CA72

Uniqueness

Uniqueness Score: -1.00%

Function 05362FCB Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 05363047

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: e356284e3f0cb96e32c3a37dbe67a14d0bbb96cf09abe9be73c2bb1587f4a659
Instruction ID: 9b358031af439e270d5af215faa3c931fd35ac8539510ee23e282b9b365f3d84
Opcode Fuzzy Hash: e356284e3f0cb96e32c3a37dbe67a14d0bbb96cf09abe9be73c2bb1587f4a659
Instruction Fuzzy Hash: E621C0714093846FDB22CF10DC44FA6BFB8EF45220F08C89BE9859B692D375A508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00E7BC38 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00E7BCA4

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 91de8776dee9409555504c27c4c5a74f7aff40497fb464a95a644c2403cb1197
Instruction ID: b046ee2ec48ff6436d8beaa0c9e412929a092fc980c842cf24e3088b97fefca8
Opcode Fuzzy Hash: 91de8776dee9409555504c27c4c5a74f7aff40497fb464a95a644c2403cb1197
Instruction Fuzzy Hash: 1621AEB25093C05FDB128B25DC94792BFB4AF17324F0984DAE8858F663D264A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E7AB1E Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00E7AB8F

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5c86fbfa9458f2d7025e0d1934aeedba8dc3a8b70361d76f96885739a3666c5a
Instruction ID: eb359d2cb319e11506d9cee2f005fe508b4bef1b04fadecf03de8c406ce12bce
Opcode Fuzzy Hash: 5c86fbfa9458f2d7025e0d1934aeedba8dc3a8b70361d76f96885739a3666c5a
Instruction Fuzzy Hash: D921A1755093C05FDB128B65DC94B96BFF4EF47210F0D84EAD884CF263D265A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05361D72 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05361DEE

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: d67989e2aab4f771ac65e476eeaaf16c93ed7819a5dc6dd17efb039427c1626a
Instruction ID: 0ef00649b1b1484c475a4e96ff9ed1be9a5af7dfef44dc982f2d076a59c656c2
Opcode Fuzzy Hash: d67989e2aab4f771ac65e476eeaaf16c93ed7819a5dc6dd17efb039427c1626a
Instruction Fuzzy Hash: DF218B71408380AFDB228F55DC54B62FFF8EF0A210F08849AE9858B662D375E818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05361662 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 053616D6

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 304c3d29905e7678dbac3cf912e8939ec9dec702b1e4aed9c4596657ab1c928f
Instruction ID: 57ffc967a4db81dd343ab69bf67e7e2707ec9eabcc27c358e00a98cc00d0054f
Opcode Fuzzy Hash: 304c3d29905e7678dbac3cf912e8939ec9dec702b1e4aed9c4596657ab1c928f
Instruction Fuzzy Hash: DC21DC71504240AFE721CF15DC85FAAFBE8EF08324F08C49EE9458BA51E375E408CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05361086 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 053610F2

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 7f1ec8c01d8be15c83e6b3a5ed8685bfb545e2815eb7ee5509499427b6e4503c
Instruction ID: 1a5ea6ba84736d8c7ebb71fd3ec3fd8cb37de588c9473f48152dc017826ed6b7
Opcode Fuzzy Hash: 7f1ec8c01d8be15c83e6b3a5ed8685bfb545e2815eb7ee5509499427b6e4503c
Instruction Fuzzy Hash: DF21CF71504240AFEB21CF55DC45BA6FBE9EF08324F04C89EE9458B651D376E409CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00E7AF5C Relevance: 1.6, APIs: 1, Instructions: 66fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 00E7AFCA

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 01e71971f2d9841dd8d6d8ca590c457ba315a3e85a96ba2ae332ef7fc2b3f2d3
Instruction ID: aef91f3ba0be2c3c76bf29e69a2a8ba1a3a609e12bddceaacaae0f6205a69869
Opcode Fuzzy Hash: 01e71971f2d9841dd8d6d8ca590c457ba315a3e85a96ba2ae332ef7fc2b3f2d3
Instruction Fuzzy Hash: 612193716093809FD721CF65DC85B57BFF8EF46220F0C84AAE989DB652D364E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A710 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00E7A780

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c441af85c9a7a643300a2cc60df831e4504737db21624c84ca174c2e3512f423
Instruction ID: 0cf4df8e56f1b5a79113da724409375a346f0b9cda93dba481130668ceae51a0
Opcode Fuzzy Hash: c441af85c9a7a643300a2cc60df831e4504737db21624c84ca174c2e3512f423
Instruction Fuzzy Hash: 9221C3B55043809FD7118F25D885752BFB4EF42324F0884ABED858B653D3359909CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0536210A Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 05362193

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ae312a1d0f83b3b643e336172095d0437425e85bc4d9d558c6f94a3884195747
Instruction ID: 9f280145ae1f8046a24127693a9e3ca474b6c2b272d89c77918c9aa15c85bacd
Opcode Fuzzy Hash: ae312a1d0f83b3b643e336172095d0437425e85bc4d9d558c6f94a3884195747
Instruction Fuzzy Hash: B311E4755083806FE721CB11DC85FA6FFB8DF05320F04809AFA448B292D3A8A948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 00E7A4F8

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8ba6b6cb3c762ea5031efb8b767ba3d72f7fdcd71c191564c9466d8077884c9b
Instruction ID: b182d579c2ab95b3ade6f5a40cf28eb088cdff8e3a8499fc25076cd41261d238
Opcode Fuzzy Hash: 8ba6b6cb3c762ea5031efb8b767ba3d72f7fdcd71c191564c9466d8077884c9b
Instruction Fuzzy Hash: 2811B475500600AFE7218F11DC44FABBBECEF44714F08C46AED499B751E360E808CA72

Uniqueness

Uniqueness Score: -1.00%

Function 053613C6 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 05361438

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 15e9d8c14cec6cfcade053d882947301fcfa12f001c4e154996ca1550ebd6526
Instruction ID: 8c9a1176804afd2df3d4bd6764d6e4f7abd9c3d93cdbcff62fc02b972c5efeed
Opcode Fuzzy Hash: 15e9d8c14cec6cfcade053d882947301fcfa12f001c4e154996ca1550ebd6526
Instruction Fuzzy Hash: B011B176504204AFE722CF16DC84FA6FBFCEF04724F08C45AE9458BA51D764E418CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05361AD6 Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 05361B35

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 1b0e6c41be44f0ff0bf21fbbe319b8252329b64565467a4e78f266f277c99882
Instruction ID: a29aadd0abd06dbc689b1f30df905956854794e17842a625515e65dcfe3d44fd
Opcode Fuzzy Hash: 1b0e6c41be44f0ff0bf21fbbe319b8252329b64565467a4e78f266f277c99882
Instruction Fuzzy Hash: 1511DD72500200AFEB21CF55DC45FAAFBA8EF44220F08C4AAE9458BA55E374E508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0536319E Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 053631F7

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: a06f91e6266ece3cf4826b9dea58df1fe1baab969ebabd2086771f8374497a3e
Instruction ID: cc5c0c19de840bff9628f526920e645dd8fb341417d54f4419002fabe0f6c79a
Opcode Fuzzy Hash: a06f91e6266ece3cf4826b9dea58df1fe1baab969ebabd2086771f8374497a3e
Instruction Fuzzy Hash: 0911C471500240AFE721CF55DC45BAABBECEF04624F08C46AEA05CB645D774E508CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 05363282 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 053632DB

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: a06f91e6266ece3cf4826b9dea58df1fe1baab969ebabd2086771f8374497a3e
Instruction ID: c9bf5256c1b7b893fed88c9cd4683d75c2b6da5b8bd7f27789d1cb07c2c1fb4a
Opcode Fuzzy Hash: a06f91e6266ece3cf4826b9dea58df1fe1baab969ebabd2086771f8374497a3e
Instruction Fuzzy Hash: 1011C171604240AFEB21CF55DC45BAABBACEF04224F18C8AAED05CB645D774E508CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00E7BE16 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 00E7BE6C

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 7e10ddde99ff963b7665a5e48e2d523ae28ad5cb633011e918200dde3fe61652
Instruction ID: 94aa534067aecf47dd52ba5eb03093c4365dd4f6d9d13dbcace6a46b76b28d0d
Opcode Fuzzy Hash: 7e10ddde99ff963b7665a5e48e2d523ae28ad5cb633011e918200dde3fe61652
Instruction Fuzzy Hash: DF11C171500204AFEB11CF15DC84BEAB7A8DF44324F18C4AAEE08DB741E774E9088AA1

Uniqueness

Uniqueness Score: -1.00%

Function 05360444 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 053604B6

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f04a6fe4836f8c0f28e43894145890fbb63784904580cbbc764411d5365a5153
Instruction ID: afa49c54fcc4a10b53439fc1166d583f4e6fd3cf27a4cfe80bcae69eadf3b223
Opcode Fuzzy Hash: f04a6fe4836f8c0f28e43894145890fbb63784904580cbbc764411d5365a5153
Instruction Fuzzy Hash: EE219371449380AFDB228F51DC44A56FFF4EF46220F0988DEE9858B562D379A918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E7B222 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 00E7B281

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6d0871898c491157a4b23584f8c7cf379ab89f969acfefc5fc1144463787305b
Instruction ID: 2366cf1f007d8bce21856945cd1b0f9959305e99c66370721b90441107af27ee
Opcode Fuzzy Hash: 6d0871898c491157a4b23584f8c7cf379ab89f969acfefc5fc1144463787305b
Instruction Fuzzy Hash: A711C172501240AFEB21CF51DC44FAAFBE8EF04324F18C49AEA499B652D374E508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05362FEE Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 05363047

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 087d807491a276048262ef3fb97db377853e457afe8e387df1f01db8c246bdb1
Instruction ID: 25966f47798def6628af78e04d7ad49f8b165baca08a790abae628a71c9f3402
Opcode Fuzzy Hash: 087d807491a276048262ef3fb97db377853e457afe8e387df1f01db8c246bdb1
Instruction Fuzzy Hash: DD11E371500200AFEB21CF15DC44FA6FBA8EF44324F08C89AE9458B645D374E508CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00E7AA81 Relevance: 1.6, APIs: 1, Instructions: 57comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00E7AAE0

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 71b913594d22b5a34cc32f9eaca2296b899b27fbd2aa9cf89b9b96535820198c
Instruction ID: ab7371373e17d1d33d71b91337e118655b92e0dfe1293a3d929e4ba13cc4b549
Opcode Fuzzy Hash: 71b913594d22b5a34cc32f9eaca2296b899b27fbd2aa9cf89b9b96535820198c
Instruction Fuzzy Hash: 561160715493C05FDB128B25DC54792BFB4DF46220F0884DBED848F153D265A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05361906 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 0536195C

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: fefb8e273cd57d35da6bb509b632a2a391652591c461bf4f4531de41f8378918
Instruction ID: c0c7590ac7a276dbda9aae204b74f95009ae589061ea92388c3fbfc2e0d79611
Opcode Fuzzy Hash: fefb8e273cd57d35da6bb509b632a2a391652591c461bf4f4531de41f8378918
Instruction Fuzzy Hash: 9611C271500244AFEB11CF15DC84FAABBE8EF44224F08C49AED449B745E374E508CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A2D2 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00E7A330

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 6f3de7dc77b29798b1aff36673989a854fa00a004cbad5c065b51c56d77407eb
Instruction ID: fe59f79c60426b7f808a4e5636d8b8e63042d95762b47b3d2ce5ba70b36df912
Opcode Fuzzy Hash: 6f3de7dc77b29798b1aff36673989a854fa00a004cbad5c065b51c56d77407eb
Instruction Fuzzy Hash: 4F118F714093C0AFDB228B25DC54B66BFB4DF57224F0D80DBED848B263D265A908D772

Uniqueness

Uniqueness Score: -1.00%

Function 0536212A Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 05362193

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fdfbcd1d3128bd6457ed1b37ce4fa8d95b36c8b05f930d25891f8c4811485f91
Instruction ID: e7382214ea28f937bec84e593854ebce7c7e2121ff799baf7f87debed876228b
Opcode Fuzzy Hash: fdfbcd1d3128bd6457ed1b37ce4fa8d95b36c8b05f930d25891f8c4811485f91
Instruction Fuzzy Hash: 2911C279504200AEE720DB15DC81FBAFBA8DF04724F14C09AFE044A685D3A8B548CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 053630CA Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 05363120

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 1eb5eb821fbe75b2c74d9a0b0526526a683eaa3db8450fbb32502b727f2cfa93
Instruction ID: d1bebf4e38d8d002e2fd51c1783275b7de7ae9df16ba7c3d22c13b03098e0512
Opcode Fuzzy Hash: 1eb5eb821fbe75b2c74d9a0b0526526a683eaa3db8450fbb32502b727f2cfa93
Instruction Fuzzy Hash: 86116A756042449FEB20DF15D884BA6FBE8EF04220F08C8AAED49CB656D374E508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A078 Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00E7A0D5

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: ce78817aec83690f6a84f81d13c410c4c94e20a0ec1241f06c7d20f5cb368540
Instruction ID: 819aa25a870b44c98cdb99a3b85ffa4e13326a2127127a37662d5ad03ea0c22c
Opcode Fuzzy Hash: ce78817aec83690f6a84f81d13c410c4c94e20a0ec1241f06c7d20f5cb368540
Instruction Fuzzy Hash: 63118F75409380AFDB22CF15DC44B56FFB4EF56224F08C49AED888B552D275A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E7BA22 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00E7BA6A

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 30a079b614f0c2fa6b23048da24ae13a1e76f2c93532d3c6ab7acd9d9bfd920d
Instruction ID: 49a1b7b3f11a1164e88ed8dc0652b8aaf3ca5a9e92af8091a28647b392bd6943
Opcode Fuzzy Hash: 30a079b614f0c2fa6b23048da24ae13a1e76f2c93532d3c6ab7acd9d9bfd920d
Instruction Fuzzy Hash: F2118EB1A002408FEB20DF29D885B56FBE8EF14324F08C4AAED49DB751D774E908CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00E7AF82 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 00E7AFCA

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 30a079b614f0c2fa6b23048da24ae13a1e76f2c93532d3c6ab7acd9d9bfd920d
Instruction ID: b26706c2d92678f5c44df6335ddb405da49d29dbd86f679f1dca55e9c11ba2ac
Opcode Fuzzy Hash: 30a079b614f0c2fa6b23048da24ae13a1e76f2c93532d3c6ab7acd9d9bfd920d
Instruction Fuzzy Hash: 711182B1A042408FDB20DF25D884B56FBE8EF54324F0CC4AAED49DB741D774E804CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00E7B162 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,BA751A35,00000000,00000000,00000000,00000000), ref: 00E7B1B5

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 58090b80f721eb499421f047ef376c19af19736413aa87d579b20b5f66d597c3
Instruction ID: c6205e3aa60c857fa8e0897f764068b99ffce93dcd2641aafe0d639d6c4bcb61
Opcode Fuzzy Hash: 58090b80f721eb499421f047ef376c19af19736413aa87d579b20b5f66d597c3
Instruction Fuzzy Hash: BA01D275505244AEE720CF05DC84BE6FBA8DF04724F18C09AED089B781D374E908CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 00E7AE00 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00E7AE54

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 056b0fa2fadd025503e17dfadf04849a3dd6442d5aa01752593955599320c89c
Instruction ID: 92ec156520b9dc04c828660a5767b29e68fb1921f52bd6a3c345a0c6e63c9f51
Opcode Fuzzy Hash: 056b0fa2fadd025503e17dfadf04849a3dd6442d5aa01752593955599320c89c
Instruction Fuzzy Hash: 6611CE755093C09FCB128F15DC84B52FFB4DF46220F0880EAED858B2A2D264A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05360306 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,BA751A35,00000000,?,?,?,?,?,?,?,?,6CBD3C58), ref: 05360346

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: afe3dd817fcabb768f613949da65008990ae23099a8288104369f3a3d2dd5b98
Instruction ID: 526cf188a7da4e3908f0daf047a4416f976881f34d2abe54e3e46c2e5b49fd5d
Opcode Fuzzy Hash: afe3dd817fcabb768f613949da65008990ae23099a8288104369f3a3d2dd5b98
Instruction Fuzzy Hash: 1611C0756002449FDB10CF65D889B66FBE8EF04221F18C4AEED49CF656D3B4E508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05361DA2 Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05361DEE

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 765cb3b73b686b33402ad6c13d68c6d6b8b1d72c12f16f2d3134983527edb8fb
Instruction ID: d2cfbe15646d803c7af5eed4eebddda6b5f342b798d5c1aaddbe399b5ade37bc
Opcode Fuzzy Hash: 765cb3b73b686b33402ad6c13d68c6d6b8b1d72c12f16f2d3134983527edb8fb
Instruction Fuzzy Hash: 98117C355006449FDB20CF55D844B66FBE5FF08321F08C4AEED458BA66D375E418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E7AB52 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00E7AB8F

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bc6e0480d6e4e11d12f0fa4f5aa5f2270045a61b3814c38e232865da3ebc9286
Instruction ID: 824d99577d96e947809989157d7ae7958bf19893fe57732783b1c09d0abcd8ef
Opcode Fuzzy Hash: bc6e0480d6e4e11d12f0fa4f5aa5f2270045a61b3814c38e232865da3ebc9286
Instruction Fuzzy Hash: 9C0180756012409FDB10CF69D88476AFBD4EF44325F0CC4AAED49DB651D274E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05361E9E Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 05361EEE

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 18e884d34122a3de5b56266ce278c43a83cb51138930924f869db6f8c30c087e
Instruction ID: 0834b645fa077ec6c88e21ba77fd0ac17e80fd5b1deac9960306d502843cf41f
Opcode Fuzzy Hash: 18e884d34122a3de5b56266ce278c43a83cb51138930924f869db6f8c30c087e
Instruction Fuzzy Hash: 4E01B171600600ABD310DF16DC45B66FBE8EB88A20F14C15AED089BB45E731F955CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 05360472 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 053604B6

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0cb87c7b14f64d3737d88d31783035bc35d4c3ebac5709c78fceb906b8b25598
Instruction ID: d5af8ec6bdf36fef7f2e9b0addd09b1473ade34fff8e8ed15c3c9596ae20a84b
Opcode Fuzzy Hash: 0cb87c7b14f64d3737d88d31783035bc35d4c3ebac5709c78fceb906b8b25598
Instruction Fuzzy Hash: AC015B324006409FDB21CF55D949B66FBE5EF08220F08C89EEE494AA56D375E528DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00E7BC72 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00E7BCA4

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 60eb02fdf21cf5ac3019b3ff0e922f0b9830bb7eb0c7de8b31a3ba480b3c5edd
Instruction ID: 4273b063da78f31701f111960f9392f060ae4a3aa6e13bb4f80b58c8c4b8d895
Opcode Fuzzy Hash: 60eb02fdf21cf5ac3019b3ff0e922f0b9830bb7eb0c7de8b31a3ba480b3c5edd
Instruction Fuzzy Hash: B001BC756042448FEB11CF19E884796FBE4EF14324F08C0AADD499B656D775E808CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00E7A780

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 37ded352caf9fcc2c9b350fa9a1e48248eb4bc71ec7a38794e5cc0e91b5d3f75
Instruction ID: b8cf5b016919976d018bd28e5afeb9cfbcd9e949f374979809d74e146378dc61
Opcode Fuzzy Hash: 37ded352caf9fcc2c9b350fa9a1e48248eb4bc71ec7a38794e5cc0e91b5d3f75
Instruction Fuzzy Hash: 9201BC759002408FEB108F15E8847AAFBA4DF44320F0CC4ABED499B652D278E808CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 05360FEA Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0536103A

Memory Dump Source

Source File: 00000001.00000002.4113001835.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5360000_System.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d8db53df9846d8f129a367018e66c1ca3990abea2f40b52c5222c3b2ef5e847b
Instruction ID: 50f3a52409ed0acd3668763de0e333aeb8b18514bd485d0ce2e5357d836826e0
Opcode Fuzzy Hash: d8db53df9846d8f129a367018e66c1ca3990abea2f40b52c5222c3b2ef5e847b
Instruction Fuzzy Hash: FB01A271500600ABD210DF16DC46B66FBE8FB88A20F14C15AED089BB41E771F955CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A09A Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00E7A0D5

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: c136c527c9788ca73b0d6e14826e9caa6c90ae08feee386c4f0d6112cb3ef0ac
Instruction ID: 7ab05b5c5722fa02f0d4c4d9a74fa1d11719b962619fe64f91b09fe3aab697d1
Opcode Fuzzy Hash: c136c527c9788ca73b0d6e14826e9caa6c90ae08feee386c4f0d6112cb3ef0ac
Instruction Fuzzy Hash: 2101B1754002409FEB20CF55E844BAAFBE0EF44324F0CC8AAED499B652D375E408CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00E7AA06 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 00E7AA3B

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: 7765f3b9e754053eceec9ae3e6ad2c14ddceff51257a3929648c05e231c48217
Instruction ID: 139db13528009f0ec8175c0bc9232b9af1441c44e941179b1efb22fd3d2b87e1
Opcode Fuzzy Hash: 7765f3b9e754053eceec9ae3e6ad2c14ddceff51257a3929648c05e231c48217
Instruction Fuzzy Hash: F3017C759042409FDB10CF15D98476AFBA4EF44324F0CC8AADD499B656D279A508CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E7AE22 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00E7AE54

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: be332416e2d87c81a034c03a3f7be4b410706d8f0403c816bcb5ddc343303c29
Instruction ID: 380f582cadba120004b2a4af99fe08d19b6de7f82e493d91b20a09b1482cac41
Opcode Fuzzy Hash: be332416e2d87c81a034c03a3f7be4b410706d8f0403c816bcb5ddc343303c29
Instruction Fuzzy Hash: 9301A4755052449FDB108F15D8857AAFBE4EF44325F0CC0EAED099B752D375E888CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E7AAAE Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00E7AAE0

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2f91932942d3da820da898b22812c4ea118ae6b06b1f2239746ea53c5e9c9f26
Instruction ID: 1f29cbfab85912fe121cac18e8251a49784e826e73b1aaf08bf9d10d33c7b1d9
Opcode Fuzzy Hash: 2f91932942d3da820da898b22812c4ea118ae6b06b1f2239746ea53c5e9c9f26
Instruction Fuzzy Hash: A901DB309002408FDB10CF05D8847AAFBA0EF44320F0CC4AADD489F606D378E808CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00E7A330

Memory Dump Source

Source File: 00000001.00000002.4110375998.0000000000E7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e7a000_System.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 4a46faa504ccfcca1ea880de7db8a6c6110a0a15c6384a3ccc645473ca706fde
Instruction ID: 11ee5a0a70a1ebcdcef85edd878bf1c4deff9cd476458391755f2414cfa6c4a9
Opcode Fuzzy Hash: 4a46faa504ccfcca1ea880de7db8a6c6110a0a15c6384a3ccc645473ca706fde
Instruction Fuzzy Hash: 30F08C35804244AFDB109F19D888769FBA0EF44725F0CC0AADD595B752D3B9E808DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 05031510 Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

2*l, xrefs: 05031818

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID: 2*l
API String ID: 0-668979667
Opcode ID: 4745b5f6ce2624ece9cb0ca4b80c84525e09074a17f4f7259706ed90c717cd61
Instruction ID: 29da6b57e7bd8b44dc806864b78dc73961bee1b8a9647b4dadb9d69bd5a37b3f
Opcode Fuzzy Hash: 4745b5f6ce2624ece9cb0ca4b80c84525e09074a17f4f7259706ed90c717cd61
Instruction Fuzzy Hash: CCA1D030B042118BC718EB7AE9467AD77E7BF88354F184668E812AB3D5EF35D806CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05031999 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

\O*l, xrefs: 05031AA4

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID: \O*l
API String ID: 0-4030088352
Opcode ID: f55aaf9827c60057694046e0518c24d7c10dbaf7f3a9bb73be1613cad220e743
Instruction ID: 7c002561e8ed4940c84abf586582656d1752a95c9a02cb7da5c56370e3678df7
Opcode Fuzzy Hash: f55aaf9827c60057694046e0518c24d7c10dbaf7f3a9bb73be1613cad220e743
Instruction Fuzzy Hash: 41A197707002648BDB09EB76E8227BD37EBAB88308F11452AD406D7BD5CF789C46D761

Uniqueness

Uniqueness Score: -1.00%

Function 050319B7 Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

\O*l, xrefs: 05031AA4

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID: \O*l
API String ID: 0-4030088352
Opcode ID: 1e9ee503596bc98fde393c0a99021dcc68ccfbda30f9539ca6b630b45f04de34
Instruction ID: 63334f960e4e289a3af9209b1bba867b5be5cf17251afc85bef62930375b1c60
Opcode Fuzzy Hash: 1e9ee503596bc98fde393c0a99021dcc68ccfbda30f9539ca6b630b45f04de34
Instruction Fuzzy Hash: 7FA187707002648BDB09EB76E8227BE37EBAB88308F11452AD406D7BD5CF799C46D761

Uniqueness

Uniqueness Score: -1.00%

Function 050319CA Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

\O*l, xrefs: 05031AA4

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID: \O*l
API String ID: 0-4030088352
Opcode ID: 120d68fbfcfb0da5715f0390243852b1b705950ee6265e5d5c4401a1238e5036
Instruction ID: c0b102d858612faee79c6a078b1435ffa4270124f86e7c69353e7dc6f69bb479
Opcode Fuzzy Hash: 120d68fbfcfb0da5715f0390243852b1b705950ee6265e5d5c4401a1238e5036
Instruction Fuzzy Hash: F5A177707002648BDB09EB76E8227BE37EBAB88308F11452AD406D7BD5CF799C46D761

Uniqueness

Uniqueness Score: -1.00%

Function 05032698 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

L.*l, xrefs: 050326B9

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID: L.*l
API String ID: 0-3912938024
Opcode ID: 2540f2213ec5ff11220961f93a5d18f730ee36c968f039448a8da1c8803d6f5a
Instruction ID: 2daaa86af670e4c2d447bbbfd4688a71aabce534e61ec8c05f53c44482b577db
Opcode Fuzzy Hash: 2540f2213ec5ff11220961f93a5d18f730ee36c968f039448a8da1c8803d6f5a
Instruction Fuzzy Hash: A811A235F002199BDF14EAB9DD52BFEB6F6BF88300F108539E505AB285EE359C4097A1

Uniqueness

Uniqueness Score: -1.00%

Function 05030E55 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

\O*l, xrefs: 05030EB9

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID: \O*l
API String ID: 0-4030088352
Opcode ID: 4bd4ca389056d7327442ad7108c45b05bac9667d15a666b502edeba16ccd0a75
Instruction ID: 968d0e384a67225c791b17b233736586a798bd9924a372a3a2ef671f094fd473
Opcode Fuzzy Hash: 4bd4ca389056d7327442ad7108c45b05bac9667d15a666b502edeba16ccd0a75
Instruction Fuzzy Hash: B3215E34B111189FCB04EBA8E494AEDB3F3BF88618B108165E815EB764CF319C45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05032687 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

L.*l, xrefs: 050326B9

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID: L.*l
API String ID: 0-3912938024
Opcode ID: 51f8351f9d64f29c765c9ba8d92c05c699e8a4dd80c939f295ac0fea314d7702
Instruction ID: 5d2a885a7c8f6f430cf3c00e00c774ccbc2c8b160f5a8dd99775ce876a954bb9
Opcode Fuzzy Hash: 51f8351f9d64f29c765c9ba8d92c05c699e8a4dd80c939f295ac0fea314d7702
Instruction Fuzzy Hash: 5F012035F042595BDB14DA75B9127BF7BEAFB88740F004039E505D7380EB31D84147A1

Uniqueness

Uniqueness Score: -1.00%

Function 05030509 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

2*l, xrefs: 05030554

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID: 2*l
API String ID: 0-668979667
Opcode ID: 93ffed417eabbc3ef5f98193e2933e5f5fc63557968374e7858a1f80f3409164
Instruction ID: 0aa931af17f25b85e5aa4c832fceb6ee5d1d39900a4bc2e2e19f66fe18ec92d5
Opcode Fuzzy Hash: 93ffed417eabbc3ef5f98193e2933e5f5fc63557968374e7858a1f80f3409164
Instruction Fuzzy Hash: F401F720B001198B8B4CF779543627E75C75FC920870D802ED44AEB391DF28CC056BF6

Uniqueness

Uniqueness Score: -1.00%

Function 050327B8 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df998d68a9753fc1b3b8019c6bb1c8957a426035b269d32c5c4b6a24d9c3e0c0
Instruction ID: b5178272a5ad5321ebff4a410d4c57180ddb76dafca7193b93318f79c0342ca2
Opcode Fuzzy Hash: df998d68a9753fc1b3b8019c6bb1c8957a426035b269d32c5c4b6a24d9c3e0c0
Instruction Fuzzy Hash: B6D14234A00219DFCB09EF76F455A9D77B6BF88344B208629E912A77A8DF359C06CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05032757 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b608f03b5f209264ecc0f7cf15bc3bf6b673980e1887b70a2991f45e404911d
Instruction ID: 434aea537d8243399937348d4d06c6025e599cd51136e3122274337ff442356e
Opcode Fuzzy Hash: 5b608f03b5f209264ecc0f7cf15bc3bf6b673980e1887b70a2991f45e404911d
Instruction Fuzzy Hash: B9B16034B00219DFCB09EF76E451A9D77B2BF88248B208529E916A77A8DF359C06CF50

Uniqueness

Uniqueness Score: -1.00%

Function 050328BD Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0637a5b0eb914e4447a803f05a7eb4254202988621216cbfc0273e3fc73aaf
Instruction ID: a4ced83013999782825a452fe8022c63241ac16ceb72349c6997ab809567692e
Opcode Fuzzy Hash: 9f0637a5b0eb914e4447a803f05a7eb4254202988621216cbfc0273e3fc73aaf
Instruction Fuzzy Hash: BD911034A00219DFCB09EF75E451A9D77B2BF88348B208629E916A77A8DF359C46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0503290D Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082c818eecaec38074eef1b439bae2c951d5b7d9c3d0ff459c9e422bd6f8e261
Instruction ID: f6a113f738aab12a4e4dc2df9c7f950f4345372e9b225a1797c12cd1c04c3e51
Opcode Fuzzy Hash: 082c818eecaec38074eef1b439bae2c951d5b7d9c3d0ff459c9e422bd6f8e261
Instruction Fuzzy Hash: 86810E34A00215DFCB19EF75E451AAD77B2BF88348B208629E916A77A8DF359C06CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0503294F Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db347d980a943c1a34cd4a374e1a0a8551e652ce932c168d815f265e54e607d
Instruction ID: 04987be187afe0aa6932cb14889e037659c9e89626f626a1261cdab93d777654
Opcode Fuzzy Hash: 3db347d980a943c1a34cd4a374e1a0a8551e652ce932c168d815f265e54e607d
Instruction Fuzzy Hash: CD810F34B00215DFCB19EF75E451A9D77B2BF88348B208629E916A77A8DF359C06CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05030B03 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f13553273d20cd0207c058e0c0048c9e9a5aa89b308e25909e9e357cdab5d3
Instruction ID: b7c42c7bc3065d98d1545f7d4cbfc486f37a96b622cfcdfcd3fb5e07b30a5e25
Opcode Fuzzy Hash: 30f13553273d20cd0207c058e0c0048c9e9a5aa89b308e25909e9e357cdab5d3
Instruction Fuzzy Hash: 0C719F347002208FCB19EB76E46576D37E3BB89308B104269E506EB7A9DF36AC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 050329C3 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40fdd48cc5a3179b0ccdc4b1f35f14c86230730722923066c818fbbf2cb13ffc
Instruction ID: ada2fa5ff15b2a19086bf6f132c68beb40a25eb986bfe7dbbb6928c5db013d47
Opcode Fuzzy Hash: 40fdd48cc5a3179b0ccdc4b1f35f14c86230730722923066c818fbbf2cb13ffc
Instruction Fuzzy Hash: 35710C34B01225DFCB19EF75E451A6D73A2BF88348B208A29E916977A8DF35DC06CF50

Uniqueness

Uniqueness Score: -1.00%

Function 050305C5 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8b1897760f6e242abb461ce14c3c513ca03f7903d16b2ef0b574587fe001b8
Instruction ID: 7a39ddab400ec2ba64cb0281bbec820ca88565918fa80a32d28e4af0b696e5e2
Opcode Fuzzy Hash: 1a8b1897760f6e242abb461ce14c3c513ca03f7903d16b2ef0b574587fe001b8
Instruction Fuzzy Hash: 29614935700321CFCB09EB76E4556AD77A2BF88208B144669D902EB3A9EF35EC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05030BA8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a30581923716eb27321b5e675469ab1373c087ffea28782479d738291013a198
Instruction ID: d558f94fff55053b5ea644bac7a9910a1825c6bd3a9017ed1187d94fb4dd2bb5
Opcode Fuzzy Hash: a30581923716eb27321b5e675469ab1373c087ffea28782479d738291013a198
Instruction Fuzzy Hash: 9D518C34700220CFCB19EB76E4557AD37E2BB89208B144669D906EB7A9DF36E846CB50

Uniqueness

Uniqueness Score: -1.00%

Function 050314FF Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e414b5f934c4fe1364f8c1e4bfaf837714b3f3f8b5695c911dae0cf63b23a7f
Instruction ID: 1ca31bab53f17469870ab6e95e4d1a13de771cc4b6b86c7127ecd2e3363dd9e7
Opcode Fuzzy Hash: 9e414b5f934c4fe1364f8c1e4bfaf837714b3f3f8b5695c911dae0cf63b23a7f
Instruction Fuzzy Hash: D2519F30A08211DEDB18DB36E9427BD37EBBF48355F584665E402EA2E1EF34D946CB20

Uniqueness

Uniqueness Score: -1.00%

Function 05030634 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa66ed2f358436e9fcf9f4b9f7d5d6f3eca71385d08ee99c974999f35a93c11
Instruction ID: 31670a2d9f9b4f371e93a3c9e409010778137edcc5d020c592cbc0b1f386dc62
Opcode Fuzzy Hash: ffa66ed2f358436e9fcf9f4b9f7d5d6f3eca71385d08ee99c974999f35a93c11
Instruction Fuzzy Hash: 3C514735700321CFCB09EB36E45466E77A3BF882097144669D902EB3A9EF36EC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05032AA5 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2621bea8523a65b8281074bae61c7f4aaf21cec90db24b12934ed662042e4e
Instruction ID: e420712687170bfa753cb3117b31069aaa8d580298eb9092f763fe0a1aa9e4a2
Opcode Fuzzy Hash: 9d2621bea8523a65b8281074bae61c7f4aaf21cec90db24b12934ed662042e4e
Instruction Fuzzy Hash: B1514134A002159FCB18EF75F4517AE73A6BF88348F208529D916A77A8DF35DC06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 050318E0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c19b035c6a4cac2f082eb9e1c6f3001e1e81a7f1046fb30dac81b9acea7d9a70
Instruction ID: 6d34603cbd3154f3077406ed46f0bc99ddf2140c2c7896d2de51f66f8d8238ea
Opcode Fuzzy Hash: c19b035c6a4cac2f082eb9e1c6f3001e1e81a7f1046fb30dac81b9acea7d9a70
Instruction Fuzzy Hash: 55419030A04311CADB18EB36E9027BC36EBBF48355F584665D402EA2E1EF34D946CB21

Uniqueness

Uniqueness Score: -1.00%

Function 05030080 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34efe2db27e7c1eae0ce3172f6ca865ebd4105d6034d79f748b793746bdc2ea8
Instruction ID: 8f39dd7d4bc5e45c0a7c587b596fbcc443f39657005cf1bcb59654d1fb5deb52
Opcode Fuzzy Hash: 34efe2db27e7c1eae0ce3172f6ca865ebd4105d6034d79f748b793746bdc2ea8
Instruction Fuzzy Hash: 335145705013968BC708FF36E44568EB7A2FF852087418A3DD1059B76EEB346D0BDB92

Uniqueness

Uniqueness Score: -1.00%

Function 05030C22 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d8d627b20d3dff8408dd707fc8ca7871639f215ea7bd7179fe5bc6893a23e6
Instruction ID: b3b3352003e8ec1a34a445d15b2c18367e721ea302b6d45ed8e996c23fcefcf0
Opcode Fuzzy Hash: 82d8d627b20d3dff8408dd707fc8ca7871639f215ea7bd7179fe5bc6893a23e6
Instruction Fuzzy Hash: 3141B134700220CFCB18EB75E4557AD37E2AF89308B144669D416DB7A9DF36E846CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05031238 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025f1a78ad7cb0d560950c7c3771e61de59d6fe365258062698c768c96a39f38
Instruction ID: e623a87f25aef5402044f04cec337bb7f96a48d09c2bdbdacd4ec8ad5422c2b2
Opcode Fuzzy Hash: 025f1a78ad7cb0d560950c7c3771e61de59d6fe365258062698c768c96a39f38
Instruction Fuzzy Hash: 3D41B631A002118FCB18DF74D8855ADB7F6EF88204B548479D805DB799EF38DD45C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 050311D0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f18ef99230146f12d99dd0f9ad353489fb9368c6bc275b4f7763b7c390fd1c
Instruction ID: 60608f87041572795ce63fac1a6d9c3a4cf35cc4f5f1e64407e8f72586c0f1af
Opcode Fuzzy Hash: 83f18ef99230146f12d99dd0f9ad353489fb9368c6bc275b4f7763b7c390fd1c
Instruction Fuzzy Hash: 7631C2316002018BCB18DF34D8896AD73E6FF8820475985A9E806CB3EADF39DD46C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0503122B Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3778436e1001628b3b1d46a36e455fc22dc598f3404a43cd4313c76d0648bd00
Instruction ID: dd37b764cd17c3b28b6e76c6bcd39f84a0db00592094f5371f3a71abaadd38ae
Opcode Fuzzy Hash: 3778436e1001628b3b1d46a36e455fc22dc598f3404a43cd4313c76d0648bd00
Instruction Fuzzy Hash: 01319571A002118FCB18DF34D8956AEB7E6EF88204B548479D805DF79AEB34DD46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05033070 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865ef82838d26071ed28a6a779c95016ab02de7b56a1fc97f906a6d10599674b
Instruction ID: bead5ee45aa03694ec27e1bb7a0ee12c8f96a3b49a477f00758f3717dd48f59c
Opcode Fuzzy Hash: 865ef82838d26071ed28a6a779c95016ab02de7b56a1fc97f906a6d10599674b
Instruction Fuzzy Hash: FC31A030B002059FDB04DB65E895BEEBBF6BF88204F248569E405EB3A0DF749C09CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05030C8D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ad2c5c7a2a8148c3ef607ab85b367af2d3691e5dfd5bed5ae7603bffae18d01
Instruction ID: 6ef3ea982fc3dcafb0daf07b1fb9bc2e9fc53ba86b66770d1b3a3af3b03041dc
Opcode Fuzzy Hash: 8ad2c5c7a2a8148c3ef607ab85b367af2d3691e5dfd5bed5ae7603bffae18d01
Instruction Fuzzy Hash: C331F2347002208FCB58FB75F8197AD37E2AF89208F148629D41ADB7A8DF35D805DB60

Uniqueness

Uniqueness Score: -1.00%

Function 05032BC0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5c6089225c62530c273779231fbf38a0ecd8e7c739916deeaad16f46cefdc4
Instruction ID: 63e872bd2ab10c5c8ffacb7f41d1483a90074c278542f40a68764bbbd789d0ef
Opcode Fuzzy Hash: 1e5c6089225c62530c273779231fbf38a0ecd8e7c739916deeaad16f46cefdc4
Instruction Fuzzy Hash: BF315234B002259FCB09EB75E4517AD73A7FF88248F21852AD805A77A9DF399C06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05030D40 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67dc96d32e634e5b4a3fc4673e77f5ae7c8e9b490de43a57e2fd927402d3c474
Instruction ID: f5688969548d9f3cb7cb1c4c8bfd90f3174d3abface2aad6da2eca6a8494415a
Opcode Fuzzy Hash: 67dc96d32e634e5b4a3fc4673e77f5ae7c8e9b490de43a57e2fd927402d3c474
Instruction Fuzzy Hash: 76110334B01214CFCB18EF76F55A6AD77F2BF84218B14812AE016DB394DB35D441CB20

Uniqueness

Uniqueness Score: -1.00%

Function 05032F88 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479621bdcc0f259e0034b26558c1971aecb12a7dee4443735973d1bf7548ef54
Instruction ID: 2eeba4eb6a15ede46bf8c887bd4ee68ab972fe13c11bbf0399d3d7f678bbf3df
Opcode Fuzzy Hash: 479621bdcc0f259e0034b26558c1971aecb12a7dee4443735973d1bf7548ef54
Instruction Fuzzy Hash: 5101D672F001159BDF04E7B4ED5A5EE77F8EF48250B0509A5E501FB241EB29EE09CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 059726C0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113539634.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5970000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e9c4018b835f93399a2b7516050cd35e74e5d13485550f856983cfe085543a6
Instruction ID: eb6336d559f2caa5fa213afb34ca6849d2e49c7325c56d8dccea9180c7738653
Opcode Fuzzy Hash: 3e9c4018b835f93399a2b7516050cd35e74e5d13485550f856983cfe085543a6
Instruction Fuzzy Hash: 4B11CCB5908341AFD350CF19D840A5BFBE4FB98664F04896EF998D7311E331E9088FA2

Uniqueness

Uniqueness Score: -1.00%

Function 01260934 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111026976.0000000001260000.00000040.00000020.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1260000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4cfb321bdc18965a2a699e399454a9f5ea0cb530d04e764d1238ef6f495971b
Instruction ID: d8b492e38f560261bc00cc46b8db4f202f8497f7c25d35ca48922a7112256330
Opcode Fuzzy Hash: b4cfb321bdc18965a2a699e399454a9f5ea0cb530d04e764d1238ef6f495971b
Instruction Fuzzy Hash: 0811E430255281DFE311CB14D540B26FBAAAB89B1CF28C59CF9490B793C77BD883DA45

Uniqueness

Uniqueness Score: -1.00%

Function 05032EE1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f04ba899ccc8438d04f8c82b17c095830c28d4b42c1f827761044876308a4f
Instruction ID: 47dd5d6ed016bff1030deea7d74d8fef2a2fb3e75baf3013b43806e253983807
Opcode Fuzzy Hash: b0f04ba899ccc8438d04f8c82b17c095830c28d4b42c1f827761044876308a4f
Instruction Fuzzy Hash: C901D236B0020A5EEB04EAB9E8076EE77EAEBC4354F040031E905E7280EA79D94186A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F9B858 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4110485005.0000000000F9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f9a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c183d7e01d67495c0ae85b47f7026cda0d1c869eaa2acc035a2ba42660291cd
Instruction ID: 9ae49b28146a21c800820a23cd274bb63b90cecf9aace6ff5821acc9879292cf
Opcode Fuzzy Hash: 9c183d7e01d67495c0ae85b47f7026cda0d1c869eaa2acc035a2ba42660291cd
Instruction Fuzzy Hash: 2B110CB5908345AFD350CF09DC40E5BFBE8EB98660F04892EF95897311E331E9088FA2

Uniqueness

Uniqueness Score: -1.00%

Function 05030006 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0edccb402ff3c1e983ab5ff32fb82c0feefad89ab0f69250147a0243bb0b2f03
Instruction ID: 62c1dce8b3d7f6542ee4094057d2488345b476768b41e2e593435a34aea83c9d
Opcode Fuzzy Hash: 0edccb402ff3c1e983ab5ff32fb82c0feefad89ab0f69250147a0243bb0b2f03
Instruction Fuzzy Hash: C301456605E3C18FD7038B74ACAAB603FB4AF17211B0E85D7D080CB1B3D2AC9819D722

Uniqueness

Uniqueness Score: -1.00%

Function 05032DD0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4478335407e0cf7d838ad09242583dd75c6013977088337f43cd54a0c38efad2
Instruction ID: b0b808648b9bf46780f68aa3e1ab82b7b4edce25762b7edf0c3040f48f6a5955
Opcode Fuzzy Hash: 4478335407e0cf7d838ad09242583dd75c6013977088337f43cd54a0c38efad2
Instruction Fuzzy Hash: 2E110CB2D11149AFCF04DFA9E8858EEBBB9EF88214F10852AE515E3610EB305905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0126090C Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111026976.0000000001260000.00000040.00000020.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1260000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea2d31ab32e564b84445158eb9b07735eb7067bdbe34f9747509806041d4b567
Instruction ID: 6566c768656a0fb5a7360d636fddc74030d1eeb25268211cad9132ee1643be60
Opcode Fuzzy Hash: ea2d31ab32e564b84445158eb9b07735eb7067bdbe34f9747509806041d4b567
Instruction Fuzzy Hash: 30117C315093C1DFD713CB10C980B15BFB6AB46618F288AEEE8854B6A3C33A9846DB41

Uniqueness

Uniqueness Score: -1.00%

Function 050313B8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c28aadf5408c5097d7ccd39084adb3591840d6b37230602811a3b283802c5b
Instruction ID: d02cfd9145b1ce0d4764e357b42abf54abad537db61b32422273403f34efd3d5
Opcode Fuzzy Hash: 04c28aadf5408c5097d7ccd39084adb3591840d6b37230602811a3b283802c5b
Instruction Fuzzy Hash: BE015A71E002258F8F54EB7AE84069EB7F6AB89254B2045BAD809E7354EB319D16CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012605E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111026976.0000000001260000.00000040.00000020.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1260000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce9cdbf5dc103059a324dd05a29b8120b9b927d7c091b9da44bfe776f090ea0
Instruction ID: c7a965e7f8c91968a814147af5fb94699c1771ad6784b615e9dacccf942536b6
Opcode Fuzzy Hash: 3ce9cdbf5dc103059a324dd05a29b8120b9b927d7c091b9da44bfe776f090ea0
Instruction Fuzzy Hash: 6A0186755097C46FD712CB15AC41862FFB8DB86531709C49FE8498B652D225A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0503088A Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3217c1d9181b612473b082107cd358f9f45c27d0e03f8718256937f86b0663
Instruction ID: 378360641bfec223e9d484b86e4020a320f2e43ca7dcc51d3df9fbe401046fe4
Opcode Fuzzy Hash: 0e3217c1d9181b612473b082107cd358f9f45c27d0e03f8718256937f86b0663
Instruction Fuzzy Hash: 9C0156706093828FCB05FB74D45845DBBF1EF84348B01C96DE589CB356DB3598099B53

Uniqueness

Uniqueness Score: -1.00%

Function 05030D98 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5193860de9893929433a6a0140e05c18efbfb54be17b1d96fbd980d968edc182
Instruction ID: 4671078ad9424a771e52f0713617c2ac1cdbe8fdfb700b887e5dfd8f86a6cc61
Opcode Fuzzy Hash: 5193860de9893929433a6a0140e05c18efbfb54be17b1d96fbd980d968edc182
Instruction Fuzzy Hash: B3017C74A01214CFCB18EF75F05A5ACB7F2FF48218B54856AE405EB354DB3AC541CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05031EAF Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c63d46372a6a3952303a1901c4a01a13a03c2d504f15cb92a273cdc25219fe9
Instruction ID: 9ff440090c0240df73e21fdb8e8461fac680d7d16f076260213b2a0de832b9e2
Opcode Fuzzy Hash: 3c63d46372a6a3952303a1901c4a01a13a03c2d504f15cb92a273cdc25219fe9
Instruction Fuzzy Hash: F2F096B1E052489FDF00DBB998426EFBFF8EB89214F10407AC209E3201E6358906CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012609F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111026976.0000000001260000.00000040.00000020.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1260000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e5d790dd90795d3261334ff3f62b06e1c2728967e6733cf91c63f702055a41
Instruction ID: e83c6a34e17c7b9db1828e6315a44c67c08b6f7dec85dd26627a2abaa0371e2c
Opcode Fuzzy Hash: 52e5d790dd90795d3261334ff3f62b06e1c2728967e6733cf91c63f702055a41
Instruction Fuzzy Hash: 08F06D35104641DFC302CF00C540B15FBA6EB89718F24CAADE94807762C737E813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 01260606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111026976.0000000001260000.00000040.00000020.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1260000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d8e041a5fdcb972aa74e650447d1eba58fa9bc2ce24f9022ae3d63b5bb444d
Instruction ID: b76e37cbf02c161a4fa1490b8cb39f273e3873c3c5c9d15021e3bfa4a2819d16
Opcode Fuzzy Hash: 02d8e041a5fdcb972aa74e650447d1eba58fa9bc2ce24f9022ae3d63b5bb444d
Instruction Fuzzy Hash: 06E092B66046444B9650DF0AFC41452F7D8EB88631708C07FDC0D8BB01E635B508CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F9B8A7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4110485005.0000000000F9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f9a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9625184f769c9602aba520f0c61accaa9f9e422ce65acbb24c84df9e95e69a1
Instruction ID: 1c57749717c50548db9b419ba312ecdecbdfdeacb7d74e78b4015a9809f4ba5d
Opcode Fuzzy Hash: f9625184f769c9602aba520f0c61accaa9f9e422ce65acbb24c84df9e95e69a1
Instruction Fuzzy Hash: C8E0D8B254024467D2509E06AC45F53FB9CDB50931F08C567ED085B702E271B50489F1

Uniqueness

Uniqueness Score: -1.00%

Function 05971FD7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113539634.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5970000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857507ce213929569d3a3caa17bf8e28da3e019655e6340deeeea0535ca05feb
Instruction ID: 908a3b4ea4d1555c859bc7a24aa82d6970801e55660443d011589a499e23fb9c
Opcode Fuzzy Hash: 857507ce213929569d3a3caa17bf8e28da3e019655e6340deeeea0535ca05feb
Instruction Fuzzy Hash: 07E0D8B254020467D250DE06AC45F53FB9CDB50A31F08C467ED081B701E172B514CDE1

Uniqueness

Uniqueness Score: -1.00%

Function 0597272B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113539634.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5970000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a00e52c1ec4875c0dbc4da1319721c1e34cd2684a7c87615d892a0be00815d
Instruction ID: 5e2b0af58a723a593fd4925bf394ed6e02d4b9f264eb41d343e88d686b750983
Opcode Fuzzy Hash: f6a00e52c1ec4875c0dbc4da1319721c1e34cd2684a7c87615d892a0be00815d
Instruction Fuzzy Hash: 79E0D8B254030467D2509E06AC45F53FB9CDB54A31F08C467ED085B742E171B5188AE1

Uniqueness

Uniqueness Score: -1.00%

Function 05032EB1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de1509f3f984fccfff1bddebe6660c26ba00175e44aa758c7ea92fd6a9762e8
Instruction ID: 8c5dff11cd347ceef166c13e3ef660eb90ec1f43091cb6a4cc01db36b1530372
Opcode Fuzzy Hash: 5de1509f3f984fccfff1bddebe6660c26ba00175e44aa758c7ea92fd6a9762e8
Instruction Fuzzy Hash: 3DD02E315083904FC7018378945AAE43FF0EF1A24070A81FBD485CBA62C6220C0787A2

Uniqueness

Uniqueness Score: -1.00%

Function 05031452 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1fb9e312f6643c8cc6064611c5a645c5e7f89e4477885f9ad5deae51384aab7
Instruction ID: 80ca36db040015fa31a37eaa8b24299d3311752ffe12cdd17b9906181f717d02
Opcode Fuzzy Hash: f1fb9e312f6643c8cc6064611c5a645c5e7f89e4477885f9ad5deae51384aab7
Instruction Fuzzy Hash: 1FD0C22110D2D10FCB1A2238A4480983F749A8619030B41EBD0049B552CB205C0BD362

Uniqueness

Uniqueness Score: -1.00%

Function 05033030 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fcb4bfbeb596869a7ca3ffc2c1484b48e7744d3fe7a6c61103a0f405f906b1
Instruction ID: 8fbafd6e35779eb1632d7940ed46536675b911255d91d2268d21c98a04860deb
Opcode Fuzzy Hash: 26fcb4bfbeb596869a7ca3ffc2c1484b48e7744d3fe7a6c61103a0f405f906b1
Instruction Fuzzy Hash: 6FD0A77290020CA7DF10EFA4E8073DDB7BCDB14205F150479D805C3340EA306F189281

Uniqueness

Uniqueness Score: -1.00%

Function 00E723F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4110358696.0000000000E72000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E72000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e72000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd15279683bb72fee72680f698c31204761351ac083914d1f66182fc3237068f
Instruction ID: 4275be130e75d60ce33aa2f79f7fbde9559af93c3dd463adefd5b09fbb5d93a0
Opcode Fuzzy Hash: dd15279683bb72fee72680f698c31204761351ac083914d1f66182fc3237068f
Instruction Fuzzy Hash: 8CD05E7A2056C18FD3169E1CC1A4B9537D4BB51718F4A84FDA8048B763D768D981E600

Uniqueness

Uniqueness Score: -1.00%

Function 00E723BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4110358696.0000000000E72000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E72000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e72000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa84aa41353c8a04c61fbd9637f8a2ef1db58df0c7be340e4066d8ce4c723e4
Instruction ID: fbd9bfab70494671ac6630d8ae57ad4b8030dda3f3f541073d8dfabfdedab9a6
Opcode Fuzzy Hash: 7fa84aa41353c8a04c61fbd9637f8a2ef1db58df0c7be340e4066d8ce4c723e4
Instruction Fuzzy Hash: 50D05E343406824BC715DE0CC6D4F5937D4AB40B19F0694ECAC108B762C7A8D9C0CA00

Uniqueness

Uniqueness Score: -1.00%

Function 05032EC0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112734477.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5030000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d29ea456a4cca65f4ea93cdcd41c2557390938e5a35fa6656015ba79d826df96
Instruction ID: 3d0f153d21d1948727edf7ac37940475364dffddb4838ca4829c538e1d9dafd4
Opcode Fuzzy Hash: d29ea456a4cca65f4ea93cdcd41c2557390938e5a35fa6656015ba79d826df96
Instruction Fuzzy Hash: E5C08C312001148BC610AB6CD404ED6B7ECEF4D124B1544BAE148C7711CE72AC0047E0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pQBmVoyRnw.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\pQBmVoyRnw.exe.log

C:\Users\user\System.exe

C:\Users\user\System.exe:Zone.Identifier

C:\autorun.inf

C:\svchost.exe

C:\svchost.exe:Zone.Identifier

\Device\ConDrv

Static File Info

Windows Analysis Report
pQBmVoyRnw.exe

Function 05830310 Relevance: 7.7, Strings: 6, Instructions: 188
COMMON

Function 058303BD Relevance: 7.6, Strings: 6, Instructions: 135
COMMON

Function 05830958 Relevance: 1.7, Strings: 1, Instructions: 482
COMMON

Function 0187A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Function 0187A361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Function 0187A462 Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Function 0187AA07 Relevance: 1.6, APIs: 1, Instructions: 72
fileCOMMON

Function 0187A646 Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Function 0187A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Function 0187A486 Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Function 0187A2D2 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Function 0187AC24 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Function 0187A8A4 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Function 0187AA3E Relevance: 1.6, APIs: 1, Instructions: 53
fileCOMMON

Function 0187A8C6 Relevance: 1.5, APIs: 1, Instructions: 48
COMMON