Edit tour

Windows Analysis Report
2G8CgDVl3K.exe

Overview

General Information

Sample name:	2G8CgDVl3K.exe renamed because original name is a hash value
Original sample name:	3C3D7DCDC0C4EB7DD9DB090C60867A1E.exe
Analysis ID:	1369436
MD5:	3c3d7dcdc0c4eb7dd9db090c60867a1e
SHA1:	19d81e94000e24afb6f63ef7e3456a01cc884f30
SHA256:	aa60573d3d1a56190858edb2df0344b9d1082f0eae840004941a1d6b30a1b804
Tags:	exenjratRAT
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Uses netsh to modify the Windows network and firewall settings

Abnormal high CPU Usage

Binary contains a suspicious time stamp

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

2G8CgDVl3K.exe (PID: 6908 cmdline: C:\Users\user\Desktop\2G8CgDVl3K.exe MD5: 3C3D7DCDC0C4EB7DD9DB090C60867A1E)

Server.exe (PID: 7340 cmdline: "C:\Users\user\AppData\Local\Temp\Server.exe" MD5: F39D9EDCB7DB7838B0F7948F118B96AC)

netsh.exe (PID: 7572 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "2.tcp.eu.ngrok.io", "Port": "15020", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "server.exe", "Install Dir": "TEMP"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Server.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Local\Temp\Server.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7efa:$a3: Download ERROR 0x81ec:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Local\Temp\Server.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80e2:$a1: netsh firewall add allowedprogram 0x82dc:$b1: [TAP] 0x8282:$b2: & exit 0x824e:$c1: md.exe /k ping 0 & del
C:\Users\user\AppData\Local\Temp\Server.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81ec:$s1: netsh firewall delete allowedprogram 0x80e2:$s2: netsh firewall add allowedprogram 0x824c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ed6:$s4: Execute ERROR 0x7f36:$s4: Execute ERROR 0x7efa:$s5: Download ERROR 0x8292:$s6: [kl]

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x34e61:$a1: get_Registry 0x3689a:$a3: Download ERROR 0x36b8c:$a5: netsh firewall delete allowedprogram "
00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x36a82:$a1: netsh firewall add allowedprogram 0x36c7c:$b1: [TAP] 0x36c22:$b2: & exit 0x36bee:$c1: md.exe /k ping 0 & del
00000005.00000000.1660160028.0000000000722000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000005.00000000.1660160028.0000000000722000.00000002.00000001.01000000.0000000C.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x62c1:$a1: get_Registry 0x7cfa:$a3: Download ERROR 0x7fec:$a5: netsh firewall delete allowedprogram "
00000005.00000000.1660160028.0000000000722000.00000002.00000001.01000000.0000000C.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x7ee2:$a1: netsh firewall add allowedprogram 0x80dc:$b1: [TAP] 0x8082:$b2: & exit 0x804e:$c1: md.exe /k ping 0 & del
00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xe809:$a1: get_Registry 0x10242:$a3: Download ERROR 0x10534:$a5: netsh firewall delete allowedprogram "
00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1042a:$a1: netsh firewall add allowedprogram 0x10624:$b1: [TAP] 0x105ca:$b2: & exit 0x10596:$c1: md.exe /k ping 0 & del
Process Memory Space: 2G8CgDVl3K.exe PID: 6908	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Server.exe PID: 7340	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.0.Server.exe.720000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
5.0.Server.exe.720000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7efa:$a3: Download ERROR 0x81ec:$a5: netsh firewall delete allowedprogram "
5.0.Server.exe.720000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80e2:$a1: netsh firewall add allowedprogram 0x82dc:$b1: [TAP] 0x8282:$b2: & exit 0x824e:$c1: md.exe /k ping 0 & del
5.0.Server.exe.720000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81ec:$s1: netsh firewall delete allowedprogram 0x80e2:$s2: netsh firewall add allowedprogram 0x824c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ed6:$s4: Execute ERROR 0x7f36:$s4: Execute ERROR 0x7efa:$s5: Download ERROR 0x8292:$s6: [kl]
0.2.2G8CgDVl3K.exe.2d1f9a0.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.2G8CgDVl3K.exe.2d1f9a0.1.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7efa:$a3: Download ERROR 0x81ec:$a5: netsh firewall delete allowedprogram "
0.2.2G8CgDVl3K.exe.2d1f9a0.1.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80e2:$a1: netsh firewall add allowedprogram 0x82dc:$b1: [TAP] 0x8282:$b2: & exit 0x824e:$c1: md.exe /k ping 0 & del
0.2.2G8CgDVl3K.exe.2d1f9a0.1.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81ec:$s1: netsh firewall delete allowedprogram 0x80e2:$s2: netsh firewall add allowedprogram 0x824c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ed6:$s4: Execute ERROR 0x7f36:$s4: Execute ERROR 0x7efa:$s5: Download ERROR 0x8292:$s6: [kl]
0.2.2G8CgDVl3K.exe.2d1f9a0.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.2G8CgDVl3K.exe.2d1f9a0.1.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x46c1:$a1: get_Registry 0x60fa:$a3: Download ERROR 0x63ec:$a5: netsh firewall delete allowedprogram "
0.2.2G8CgDVl3K.exe.2d32348.2.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.2G8CgDVl3K.exe.2d32348.2.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x46c1:$a1: get_Registry 0x60fa:$a3: Download ERROR 0x63ec:$a5: netsh firewall delete allowedprogram "
0.2.2G8CgDVl3K.exe.2d1f9a0.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x62e2:$a1: netsh firewall add allowedprogram 0x64dc:$b1: [TAP] 0x6482:$b2: & exit 0x644e:$c1: md.exe /k ping 0 & del
0.2.2G8CgDVl3K.exe.2d1f9a0.1.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x63ec:$s1: netsh firewall delete allowedprogram 0x62e2:$s2: netsh firewall add allowedprogram 0x644c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x60d6:$s4: Execute ERROR 0x6136:$s4: Execute ERROR 0x60fa:$s5: Download ERROR 0x6492:$s6: [kl]
0.2.2G8CgDVl3K.exe.2d32348.2.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x62e2:$a1: netsh firewall add allowedprogram 0x64dc:$b1: [TAP] 0x6482:$b2: & exit 0x644e:$c1: md.exe /k ping 0 & del
0.2.2G8CgDVl3K.exe.2d32348.2.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x63ec:$s1: netsh firewall delete allowedprogram 0x62e2:$s2: netsh firewall add allowedprogram 0x644c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x60d6:$s4: Execute ERROR 0x6136:$s4: Execute ERROR 0x60fa:$s5: Download ERROR 0x6492:$s6: [kl]
0.2.2G8CgDVl3K.exe.2d32348.2.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.2G8CgDVl3K.exe.2d32348.2.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7efa:$a3: Download ERROR 0x81ec:$a5: netsh firewall delete allowedprogram "
0.2.2G8CgDVl3K.exe.2d32348.2.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80e2:$a1: netsh firewall add allowedprogram 0x82dc:$b1: [TAP] 0x8282:$b2: & exit 0x824e:$c1: md.exe /k ping 0 & del
0.2.2G8CgDVl3K.exe.2d32348.2.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81ec:$s1: netsh firewall delete allowedprogram 0x80e2:$s2: netsh firewall add allowedprogram 0x824c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ed6:$s4: Execute ERROR 0x7f36:$s4: Execute ERROR 0x7efa:$s5: Download ERROR 0x8292:$s6: [kl]
Click to see the 15 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949748150202814860 01/03/24-19:00:02.820468
SID:	2814860
Source Port:	49748
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949749150202814860 01/03/24-19:00:10.945358
SID:	2814860
Source Port:	49749
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949747150202814860 01/03/24-18:59:50.235213
SID:	2814860
Source Port:	49747
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749751150202814860 01/03/24-19:00:35.275265
SID:	2814860
Source Port:	49751
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.418.197.239.549734150202814856 01/03/24-18:57:06.244802
SID:	2814856
Source Port:	49734
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749752150202814860 01/03/24-19:00:41.992248
SID:	2814860
Source Port:	49752
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.418.197.239.549741150202033132 01/03/24-18:57:40.349192
SID:	2033132
Source Port:	49741
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949749150202825563 01/03/24-19:00:05.386407
SID:	2825563
Source Port:	49749
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949749150202825564 01/03/24-19:00:10.945358
SID:	2825564
Source Port:	49749
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749750150202814856 01/03/24-19:00:27.873123
SID:	2814856
Source Port:	49750
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949746150202814856 01/03/24-18:59:22.979805
SID:	2814856
Source Port:	49746
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949748150202825564 01/03/24-19:00:02.820468
SID:	2825564
Source Port:	49748
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949747150202814856 01/03/24-18:59:26.612164
SID:	2814856
Source Port:	49747
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949747150202825564 01/03/24-18:59:40.471375
SID:	2825564
Source Port:	49747
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949749150202814856 01/03/24-19:00:05.386407
SID:	2814856
Source Port:	49749
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949747150202825563 01/03/24-18:59:26.612164
SID:	2825563
Source Port:	49747
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949746150202825563 01/03/24-18:59:22.979805
SID:	2825563
Source Port:	49746
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949748150202814856 01/03/24-18:59:53.198364
SID:	2814856
Source Port:	49748
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749751150202033132 01/03/24-19:00:32.073107
SID:	2033132
Source Port:	49751
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749752150202033132 01/03/24-19:00:39.289239
SID:	2033132
Source Port:	49752
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949746150202033132 01/03/24-18:59:22.723256
SID:	2033132
Source Port:	49746
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949747150202033132 01/03/24-18:59:26.350303
SID:	2033132
Source Port:	49747
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749752150202814856 01/03/24-19:00:39.547439
SID:	2814856
Source Port:	49752
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749743150202033132 01/03/24-18:58:15.013937
SID:	2033132
Source Port:	49743
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749753150202033132 01/03/24-19:00:56.222387
SID:	2033132
Source Port:	49753
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749751150202814856 01/03/24-19:00:32.324468
SID:	2814856
Source Port:	49751
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949748150202033132 01/03/24-18:59:52.842393
SID:	2033132
Source Port:	49748
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.156.13.209

Timestamp:	192.168.2.418.156.13.20949749150202033132 01/03/24-19:00:05.132396
SID:	2033132
Source Port:	49749
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749753150202814856 01/03/24-19:00:56.474817
SID:	2814856
Source Port:	49753
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749743150202814856 01/03/24-18:58:15.267671
SID:	2814856
Source Port:	49743
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749745150202814856 01/03/24-18:59:09.970283
SID:	2814856
Source Port:	49745
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749750150202033132 01/03/24-19:00:27.612511
SID:	2033132
Source Port:	49750
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749744150202814856 01/03/24-18:58:35.447732
SID:	2814856
Source Port:	49744
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.418.197.239.549741150202814856 01/03/24-18:57:40.604617
SID:	2814856
Source Port:	49741
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749743150202814860 01/03/24-18:58:32.848382
SID:	2814860
Source Port:	49743
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749745150202814860 01/03/24-18:59:13.757617
SID:	2814860
Source Port:	49745
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749744150202814860 01/03/24-18:58:41.788726
SID:	2814860
Source Port:	49744
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749745150202033132 01/03/24-18:59:09.719744
SID:	2033132
Source Port:	49745
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749744150202033132 01/03/24-18:58:35.165549
SID:	2033132
Source Port:	49744
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.418.197.239.549734150202825563 01/03/24-18:57:06.244802
SID:	2825563
Source Port:	49734
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.418.197.239.549734150202825564 01/03/24-18:57:11.449947
SID:	2825564
Source Port:	49734
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.418.197.239.549741150202814860 01/03/24-18:58:12.788305
SID:	2814860
Source Port:	49741
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749751150202825564 01/03/24-19:00:35.275265
SID:	2825564
Source Port:	49751
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749751150202825563 01/03/24-19:00:32.324468
SID:	2825563
Source Port:	49751
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.418.197.239.549734150202033132 01/03/24-18:57:05.990876
SID:	2033132
Source Port:	49734
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749750150202825563 01/03/24-19:00:27.873123
SID:	2825563
Source Port:	49750
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.418.197.239.549734150202814860 01/03/24-18:57:11.449947
SID:	2814860
Source Port:	49734
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.418.197.239.549741150202825564 01/03/24-18:58:06.981061
SID:	2825564
Source Port:	49741
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749745150202825563 01/03/24-18:59:09.970283
SID:	2825563
Source Port:	49745
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.418.197.239.549741150202825563 01/03/24-18:57:40.604617
SID:	2825563
Source Port:	49741
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749745150202825564 01/03/24-18:59:13.757617
SID:	2825564
Source Port:	49745
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749744150202825564 01/03/24-18:58:41.788726
SID:	2825564
Source Port:	49744
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749752150202825563 01/03/24-19:00:39.547439
SID:	2825563
Source Port:	49752
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749752150202825564 01/03/24-19:00:41.992248
SID:	2825564
Source Port:	49752
Destination Port:	15020
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 2G8CgDVl3K.exe

Avira: detected

Antivirus detection for URL or domain

Source: 2.tcp.eu.ngrok.io

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Server.exe

Avira: detection malicious, Label: TR/ATRAPS.Gen

Found malware configuration

Source: 00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Njrat {"Host": "2.tcp.eu.ngrok.io", "Port": "15020", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "server.exe", "Install Dir": "TEMP"}

Multi AV Scanner detection for domain / URL

Source: 2.tcp.eu.ngrok.io	Virustotal: Detection: 12%			Perma Link
Source: 2.tcp.eu.ngrok.io	Virustotal: Detection: 12%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Server.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Virustotal: Detection: 84%			Perma Link

Multi AV Scanner detection for submitted file

Source: 2G8CgDVl3K.exe	ReversingLabs: Detection: 77%
Source: 2G8CgDVl3K.exe	Virustotal: Detection: 82%			Perma Link

Yara detected Njrat

Source: Yara match	File source: 5.0.Server.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2G8CgDVl3K.exe.2d32348.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2G8CgDVl3K.exe.2d32348.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1660160028.0000000000722000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2G8CgDVl3K.exe PID: 6908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Server.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Server.exe, type: DROPPED

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Server.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 2G8CgDVl3K.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\2G8CgDVl3K.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Jump to behavior

Source: 2G8CgDVl3K.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\ygzat\source\repos\Stub\Stub\obj\Debug\Stub.pdb source: 2G8CgDVl3K.exe

Source: 2G8CgDVl3K.exe, 00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: 2G8CgDVl3K.exe, 00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: 2G8CgDVl3K.exe, 00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: 2G8CgDVl3K.exe, 00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Server.exe, 00000005.00000002.4076340403.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: Server.exe, 00000005.00000002.4076340403.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Server.exe, 00000005.00000000.1660160028.0000000000722000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: autorun.inf
Source: Server.exe, 00000005.00000000.1660160028.0000000000722000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: [autorun]
Source: Server.exe.0.dr	Binary or memory string: autorun.inf
Source: Server.exe.0.dr	Binary or memory string: [autorun]

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49734 -> 18.197.239.5:15020
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49734 -> 18.197.239.5:15020
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49734 -> 18.197.239.5:15020
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49734 -> 18.197.239.5:15020
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49734 -> 18.197.239.5:15020
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49741 -> 18.197.239.5:15020
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49741 -> 18.197.239.5:15020
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49741 -> 18.197.239.5:15020
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49741 -> 18.197.239.5:15020
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49741 -> 18.197.239.5:15020
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49743 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49743 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49743 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49744 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49744 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49744 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49744 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49745 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49745 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49745 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49745 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49745 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49746 -> 18.156.13.209:15020
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49746 -> 18.156.13.209:15020
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49746 -> 18.156.13.209:15020
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49747 -> 18.156.13.209:15020
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49747 -> 18.156.13.209:15020
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49747 -> 18.156.13.209:15020
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49747 -> 18.156.13.209:15020
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49747 -> 18.156.13.209:15020
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49748 -> 18.156.13.209:15020
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49748 -> 18.156.13.209:15020
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49748 -> 18.156.13.209:15020
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49748 -> 18.156.13.209:15020
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49749 -> 18.156.13.209:15020
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49749 -> 18.156.13.209:15020
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49749 -> 18.156.13.209:15020
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49749 -> 18.156.13.209:15020
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49749 -> 18.156.13.209:15020
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49750 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49750 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49750 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49751 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49751 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49751 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49751 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49751 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49752 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49752 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49752 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49752 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49752 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49753 -> 3.127.138.57:15020
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49753 -> 3.127.138.57:15020

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 2.tcp.eu.ngrok.io

Source: global traffic	TCP traffic: 192.168.2.4:49734 -> 18.197.239.5:15020
Source: global traffic	TCP traffic: 192.168.2.4:49743 -> 3.127.138.57:15020
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 18.156.13.209:15020

Source: Joe Sandbox View	IP Address: 3.127.138.57 3.127.138.57
Source: Joe Sandbox View	IP Address: 18.156.13.209 18.156.13.209

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: 2.tcp.eu.ngrok.io

Source: 2G8CgDVl3K.exe, 00000000.00000002.1667360740.0000000012EE0000.00000004.00000800.00020000.00000000.sdmp, 2G8CgDVl3K.exe, 00000000.00000002.1667360740.0000000012D00000.00000004.00000800.00020000.00000000.sdmp, VedaniTeam.png.0.dr	String found in binary or memory: http://ns.attribution.com/ads/1.0/
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 2G8CgDVl3K.exe, 00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, 2G8CgDVl3K.exe, 00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, Server.exe, 00000005.00000000.1660160028.0000000000722000.00000002.00000001.01000000.0000000C.sdmp, Server.exe.0.dr	String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: Server.exe.0.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.raw.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 0.2.2G8CgDVl3K.exe.2d32348.2.raw.unpack, kl.cs	.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: 5.0.Server.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2G8CgDVl3K.exe.2d32348.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2G8CgDVl3K.exe.2d32348.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1660160028.0000000000722000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2G8CgDVl3K.exe PID: 6908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Server.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Server.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.0.Server.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.0.Server.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.0.Server.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.2G8CgDVl3K.exe.2d32348.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.2G8CgDVl3K.exe.2d32348.2.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.2G8CgDVl3K.exe.2d32348.2.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.2G8CgDVl3K.exe.2d32348.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.2G8CgDVl3K.exe.2d32348.2.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.2G8CgDVl3K.exe.2d32348.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000005.00000000.1660160028.0000000000722000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000005.00000000.1660160028.0000000000722000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\Server.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Server.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\Server.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\Server.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\Server.exe	Code function: 5_2_00E0B3F6 NtQuerySystemInformation,		5_2_00E0B3F6
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Code function: 5_2_00E0B3BB NtQuerySystemInformation,		5_2_00E0B3BB

Source: C:\Users\user\AppData\Local\Temp\Server.exe	Code function: 5_2_00E02C83		5_2_00E02C83
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Code function: 5_2_00E0269A		5_2_00E0269A

Source: 2G8CgDVl3K.exe, 00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe* vs 2G8CgDVl3K.exe
Source: 2G8CgDVl3K.exe, 00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe* vs 2G8CgDVl3K.exe
Source: 2G8CgDVl3K.exe, 00000000.00000002.1667360740.0000000012D00000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe* vs 2G8CgDVl3K.exe
Source: 2G8CgDVl3K.exe, 00000000.00000000.1622428613.0000000000726000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe* vs 2G8CgDVl3K.exe
Source: 2G8CgDVl3K.exe	Binary or memory string: OriginalFilenameStub.exe* vs 2G8CgDVl3K.exe

Source: 5.0.Server.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.0.Server.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.0.Server.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.2G8CgDVl3K.exe.2d32348.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.2G8CgDVl3K.exe.2d32348.2.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.2G8CgDVl3K.exe.2d32348.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.2G8CgDVl3K.exe.2d32348.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.2G8CgDVl3K.exe.2d32348.2.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.2G8CgDVl3K.exe.2d32348.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000005.00000000.1660160028.0000000000722000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000005.00000000.1660160028.0000000000722000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\Server.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\Server.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\Server.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi

Source: 2G8CgDVl3K.exe, 00000000.00000002.1669960815.000000001B7FB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Inc.slnt*

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/3@4/3

Source: C:\Users\user\AppData\Local\Temp\Server.exe	Code function: 5_2_00E0B1B6 AdjustTokenPrivileges,		5_2_00E0B1B6
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Code function: 5_2_00E0B17F AdjustTokenPrivileges,		5_2_00E0B17F

Source: C:\Users\user\AppData\Local\Temp\Server.exe	Mutant created: \Sessions\1\BaseNamedObjects\4e9daa30b38fc305bea41b41415459d5
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Users\user\Desktop\2G8CgDVl3K.exe

File created: C:\Users\user\AppData\Local\Temp\VedaniTeam.png

Jump to behavior

Source: 2G8CgDVl3K.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 2G8CgDVl3K.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\e67b479da804d4099dedb9d353dde731\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\2G8CgDVl3K.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\2G8CgDVl3K.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2G8CgDVl3K.exe	ReversingLabs: Detection: 77%
Source: 2G8CgDVl3K.exe	Virustotal: Detection: 82%

Source: C:\Users\user\Desktop\2G8CgDVl3K.exe

File read: C:\Users\user\Desktop\2G8CgDVl3K.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\2G8CgDVl3K.exe C:\Users\user\Desktop\2G8CgDVl3K.exe
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process created: C:\Users\user\AppData\Local\Temp\Server.exe "C:\Users\user\AppData\Local\Temp\Server.exe"
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process created: C:\Users\user\AppData\Local\Temp\Server.exe "C:\Users\user\AppData\Local\Temp\Server.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\Server.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: 2G8CgDVl3K.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\2G8CgDVl3K.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Jump to behavior

Source: 2G8CgDVl3K.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 2G8CgDVl3K.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\ygzat\source\repos\Stub\Stub\obj\Debug\Stub.pdb source: 2G8CgDVl3K.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: Server.exe.0.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.2G8CgDVl3K.exe.2d32348.2.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: 2G8CgDVl3K.exe

Static PE information: 0x873B39D1 [Sat Nov 23 07:46:25 2041 UTC]

Source: C:\Users\user\AppData\Local\Temp\Server.exe

Code function: 5_2_05720BFD push 69E6C360h; ret

5_2_05720C12

Source: C:\Users\user\Desktop\2G8CgDVl3K.exe

File created: C:\Users\user\AppData\Local\Temp\Server.exe

Jump to dropped file

Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Server.exe	Window / User API: threadDelayed 374	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Window / User API: threadDelayed 3359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Window / User API: threadDelayed 4830	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Window / User API: foregroundWindowGot 425	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Window / User API: foregroundWindowGot 1315	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Server.exe TID: 7344	Thread sleep count: 374 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe TID: 7344	Thread sleep time: -374000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe TID: 7584	Thread sleep count: 3359 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe TID: 7344	Thread sleep count: 4830 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe TID: 7344	Thread sleep time: -4830000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: Server.exe, 00000005.00000002.4075309853.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW PublicKeyTokevmz
Source: Server.exe, 00000005.00000002.4075309853.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: netsh.exe, 00000006.00000003.1733600093.00000000009D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\Server.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\2G8CgDVl3K.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Server.exe.0.dr, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: Server.exe.0.dr, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: Server.exe.0.dr, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: C:\Users\user\Desktop\2G8CgDVl3K.exe

Process created: C:\Users\user\AppData\Local\Temp\Server.exe "C:\Users\user\AppData\Local\Temp\Server.exe"

Jump to behavior

Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2G8CgDVl3K.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Server.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Users\user\AppData\Local\Temp\Server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Local\Temp\Server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: 5.0.Server.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2G8CgDVl3K.exe.2d32348.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2G8CgDVl3K.exe.2d32348.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1660160028.0000000000722000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2G8CgDVl3K.exe PID: 6908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Server.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Server.exe, type: DROPPED

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: 5.0.Server.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2G8CgDVl3K.exe.2d1f9a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2G8CgDVl3K.exe.2d32348.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2G8CgDVl3K.exe.2d32348.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1660160028.0000000000722000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2G8CgDVl3K.exe PID: 6908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Server.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Server.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
1 Replication Through Removable Media	1 Native API	Path Interception	1 Access Token Manipulation	1 Virtualization/Sandbox Evasion	1 Input Capture	11 Security Software Discovery	1 Replication Through Removable Media	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	21 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Access Token Manipulation	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	11 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2G8CgDVl3K.exe	78%	ReversingLabs	ByteCode-MSIL.Dropper.Disstl
2G8CgDVl3K.exe	83%	Virustotal		Browse
2G8CgDVl3K.exe	100%	Avira	TR/Dropper.Gen
2G8CgDVl3K.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Server.exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Temp\Server.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Server.exe	100%	ReversingLabs	ByteCode-MSIL.Backdoor.Ratenjay
C:\Users\user\AppData\Local\Temp\Server.exe	85%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
2.tcp.eu.ngrok.io	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	Avira URL Cloud	safe
http://ns.attribution.com/ads/1.0/	0%	Avira URL Cloud	safe
2.tcp.eu.ngrok.io	100%	Avira URL Cloud	malware
http://www.zhongyicts.com.cn	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse
2.tcp.eu.ngrok.io	12%	Virustotal		Browse
http://ns.attribution.com/ads/1.0/	0%	Virustotal		Browse
http://www.founder.com.cn/cn	0%	Virustotal		Browse
http://www.zhongyicts.com.cn	0%	Virustotal		Browse
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
2.tcp.eu.ngrok.io	18.197.239.5	true	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
2.tcp.eu.ngrok.io	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0	2G8CgDVl3K.exe, 00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, 2G8CgDVl3K.exe, 00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, Server.exe, 00000005.00000000.1660160028.0000000000722000.00000002.00000001.01000000.0000000C.sdmp, Server.exe.0.dr	false		high
http://www.jiyu-kobo.co.jp/	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ns.attribution.com/ads/1.0/	2G8CgDVl3K.exe, 00000000.00000002.1667360740.0000000012EE0000.00000004.00000800.00020000.00000000.sdmp, 2G8CgDVl3K.exe, 00000000.00000002.1667360740.0000000012D00000.00000004.00000800.00020000.00000000.sdmp, VedaniTeam.png.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fonts.com	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.sakkal.com	2G8CgDVl3K.exe, 00000000.00000002.1670394002.000000001CA22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
3.127.138.57	unknown	United States	16509	AMAZON-02US	true
18.156.13.209	unknown	United States	16509	AMAZON-02US	true
18.197.239.5	2.tcp.eu.ngrok.io	United States	16509	AMAZON-02US	true

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1369436
Start date and time:	2024-01-03 18:56:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2G8CgDVl3K.exe renamed because original name is a hash value
Original Sample Name:	3C3D7DCDC0C4EB7DD9DB090C60867A1E.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/3@4/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 98 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, RuntimeBroker.exe, WMIADAP.exe, Microsoft.Photos.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 2G8CgDVl3K.exe, PID 6908 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:57:34	API Interceptor	324694x Sleep call for process: Server.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3.127.138.57	tiodtk2cfy.exe	Get hash	malicious	Njrat	Browse
	QUuUm3J8x3.exe	Get hash	malicious	Njrat	Browse
	RWqHoCWEPI.exe	Get hash	malicious	Njrat	Browse
	OUXkIxeP6k.exe	Get hash	malicious	Njrat	Browse
	eI43OwXSvq.exe	Get hash	malicious	Njrat	Browse
	i9z1c1OtFb.exe	Get hash	malicious	Njrat	Browse
	JYGc3o49WE.exe	Get hash	malicious	Njrat	Browse
	J6VIiRgq3w.exe	Get hash	malicious	Njrat	Browse
	7JdbeSrZ6s.exe	Get hash	malicious	Njrat	Browse
	KcWQQO3nZP.exe	Get hash	malicious	Njrat	Browse
	zep8vTa4sg.exe	Get hash	malicious	Njrat	Browse
	umyExrpkSF.exe	Get hash	malicious	Njrat	Browse
	QBEgLAO40T.exe	Get hash	malicious	Njrat	Browse
	4KWKhZNy9w.exe	Get hash	malicious	Njrat	Browse
	yPGBUzqVE3.exe	Get hash	malicious	Njrat	Browse
	D02E3399D85D6B14B30F440181EF5B8FE6B55C403B8C7.exe	Get hash	malicious	njRat	Browse
	2dZGR4PTLu.exe	Get hash	malicious	Njrat	Browse
	LMva1J8Xkv.exe	Get hash	malicious	Njrat	Browse
	XlNjZS4E8x.exe	Get hash	malicious	Njrat	Browse
	1F3YBPagot.exe	Get hash	malicious	Nanocore	Browse
18.156.13.209	http://www.sdrclm.cn/vendor/phpdocumentor/P800/P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	RedLine	Browse	2.tcp.eu.ngrok.io:17685/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
2.tcp.eu.ngrok.io	BHp5Is5Xe7.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	tiodtk2cfy.exe	Get hash	malicious	Njrat	Browse	3.127.138.57
	QUuUm3J8x3.exe	Get hash	malicious	Njrat	Browse	3.127.138.57
	81Rz15POL6.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	649DB66A36E095B16832637A31D3CCC75040C5A6C23F6.exe	Get hash	malicious	Njrat	Browse	18.156.13.209
	pQBmVoyRnw.exe	Get hash	malicious	Njrat	Browse	18.156.13.209
	RWqHoCWEPI.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	EB4B6878310B1E2843C964E02EC1782AACB518E32777A.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	NezbdhNgwG.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	xdPdkPMD8u.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	VBUXm77rfL.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	1UGdjTlX5v.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	kXghM8bJcm.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	OUXkIxeP6k.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	QzzmZiGinp.exe	Get hash	malicious	Njrat	Browse	18.156.13.209
	eI43OwXSvq.exe	Get hash	malicious	Njrat	Browse	18.197.239.5
	p0zYXkMETE.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	i9z1c1OtFb.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	aF73k2XwGj.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	7XyFhq6BDj.exe	Get hash	malicious	Njrat	Browse	3.126.37.18

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	UuyuRWsFcs.exe	Get hash	malicious	Unknown	Browse	18.154.97.194
	UuyuRWsFcs.exe	Get hash	malicious	Unknown	Browse	65.8.224.235
	https://trk.klclick3.com/ls/click?upn=qv6sSJ61i-2FCKcGs-2FWg5X5zSxUPH2ZrqUtgTrwIqP9tbV5nGRnmcCyzwEsyGChMEEVfcMVsKyWwCHSROXPHp2ssugEGqO5s0anA-2For84UxcDq0TVqcknxBCOK9bomYKxHZeGI_sriuaryqqdv1VntrH6X8cr710FsqQrnNUbUkxkf7x0pMSAkpeuB0WYDuTzAgnc1ypLmqKYwtOZGJRbr42WyOuUQfTu-2F4nzRvnExBDhTcsDCxAYSlvrUnKqhNu2QucwzzHnfd3nc1PaEOPnCY7lVi-2F-2FTTNyovG0zYk5qi6TlQOaMUlPhhOg1CBzrWoD-2BJCy6CeRTNCOxMmeykKFlmppbGGEqcnv1Ns33HkJq5QrEE1i7TzFrSdTciiW2xeho3yieI3kgFCvNAbW4DmtirZICDakbW9OIKR7-2BXEXF9V211cy5MWvnRyElRCDnZQGhhC4Xmy8QpWVQ1hkRUjNSqbxBIyJs0NLN-2BicHZse9nYwlxxMdUHA7kW8jSzXcgtmt4bmXpQ8CJpa3Q6l8HoWplFamAv33yszfV6dEc-2BB0CG8c2HMNZZ1XSXq7GmTl-2BvMA-2BfRvY#YnJ5b255LmdyaW1lc0B2aXJnaW5tZWRpYW8yLmNvLnVr	Get hash	malicious	HTMLPhisher	Browse	18.154.219.22
	Invoice 4149.htm	Get hash	malicious	Unknown	Browse	13.226.184.88
	http://www.tinyurl.com/stationnement-infraction	Get hash	malicious	Unknown	Browse	18.245.124.32
	https://aisdec.s3.eu-west-3.amazonaws.com/url.html#cl/15277_md/81/5390/1509/80/120824	Get hash	malicious	Phisher	Browse	52.95.156.86
	https://dmeodlekaed.blob.core.windows.net/dmeodlekaed/url.html#cl/8478_md/12/678/2075/430/395518	Get hash	malicious	Unknown	Browse	18.238.171.108
	SecuriteInfo.com.Trojan.DownLoader21.31174.24545.29097.exe	Get hash	malicious	Unknown	Browse	13.228.17.149
	SecuriteInfo.com.Trojan.DownLoader21.31174.24545.29097.exe	Get hash	malicious	Unknown	Browse	13.228.17.149
	https://welcomewinner.com/?action=register&sub_id=RADIASI-CUBLUK	Get hash	malicious	Phisher	Browse	34.251.101.162
	http://miningnl.com	Get hash	malicious	Unknown	Browse	54.187.159.182
	https://bolddough.top/nw78slqwt?mdbv1704276793076	Get hash	malicious	Phisher	Browse	52.40.188.60
	TAX INV_No. 68430304.msg	Get hash	malicious	HTMLPhisher	Browse	52.51.79.195
	http://www.vieiraimoveisrp.com.br/ants.asp?cname=dumbbell+3+day+split&cid=90	Get hash	malicious	Unknown	Browse	18.154.219.110
	18#U041a.exe	Get hash	malicious	FormBook	Browse	18.143.129.199
	https://nettle-melodious-blarney.glitch.me/rap.html	Get hash	malicious	Unknown	Browse	13.249.21.42
	https://hujr9.pages.dev/	Get hash	malicious	Unknown	Browse	99.86.102.53
	https://hrk4.pages.dev/	Get hash	malicious	Unknown	Browse	34.214.251.32
	DeLJB69tAu.elf	Get hash	malicious	Mirai	Browse	18.152.233.117
	https://www.cloudflare-ipfs.com/ipfs/bafybeidh3wdcpsqif5e33rgmpsv55ddzsbmoretfb6beocz24c75r6czyu/	Get hash	malicious	HTMLPhisher	Browse	18.238.132.58
AMAZON-02US	UuyuRWsFcs.exe	Get hash	malicious	Unknown	Browse	18.154.97.194
	UuyuRWsFcs.exe	Get hash	malicious	Unknown	Browse	65.8.224.235
	https://trk.klclick3.com/ls/click?upn=qv6sSJ61i-2FCKcGs-2FWg5X5zSxUPH2ZrqUtgTrwIqP9tbV5nGRnmcCyzwEsyGChMEEVfcMVsKyWwCHSROXPHp2ssugEGqO5s0anA-2For84UxcDq0TVqcknxBCOK9bomYKxHZeGI_sriuaryqqdv1VntrH6X8cr710FsqQrnNUbUkxkf7x0pMSAkpeuB0WYDuTzAgnc1ypLmqKYwtOZGJRbr42WyOuUQfTu-2F4nzRvnExBDhTcsDCxAYSlvrUnKqhNu2QucwzzHnfd3nc1PaEOPnCY7lVi-2F-2FTTNyovG0zYk5qi6TlQOaMUlPhhOg1CBzrWoD-2BJCy6CeRTNCOxMmeykKFlmppbGGEqcnv1Ns33HkJq5QrEE1i7TzFrSdTciiW2xeho3yieI3kgFCvNAbW4DmtirZICDakbW9OIKR7-2BXEXF9V211cy5MWvnRyElRCDnZQGhhC4Xmy8QpWVQ1hkRUjNSqbxBIyJs0NLN-2BicHZse9nYwlxxMdUHA7kW8jSzXcgtmt4bmXpQ8CJpa3Q6l8HoWplFamAv33yszfV6dEc-2BB0CG8c2HMNZZ1XSXq7GmTl-2BvMA-2BfRvY#YnJ5b255LmdyaW1lc0B2aXJnaW5tZWRpYW8yLmNvLnVr	Get hash	malicious	HTMLPhisher	Browse	18.154.219.22
	Invoice 4149.htm	Get hash	malicious	Unknown	Browse	13.226.184.88
	http://www.tinyurl.com/stationnement-infraction	Get hash	malicious	Unknown	Browse	18.245.124.32
	https://aisdec.s3.eu-west-3.amazonaws.com/url.html#cl/15277_md/81/5390/1509/80/120824	Get hash	malicious	Phisher	Browse	52.95.156.86
	https://dmeodlekaed.blob.core.windows.net/dmeodlekaed/url.html#cl/8478_md/12/678/2075/430/395518	Get hash	malicious	Unknown	Browse	18.238.171.108
	SecuriteInfo.com.Trojan.DownLoader21.31174.24545.29097.exe	Get hash	malicious	Unknown	Browse	13.228.17.149
	SecuriteInfo.com.Trojan.DownLoader21.31174.24545.29097.exe	Get hash	malicious	Unknown	Browse	13.228.17.149
	https://welcomewinner.com/?action=register&sub_id=RADIASI-CUBLUK	Get hash	malicious	Phisher	Browse	34.251.101.162
	http://miningnl.com	Get hash	malicious	Unknown	Browse	54.187.159.182
	https://bolddough.top/nw78slqwt?mdbv1704276793076	Get hash	malicious	Phisher	Browse	52.40.188.60
	TAX INV_No. 68430304.msg	Get hash	malicious	HTMLPhisher	Browse	52.51.79.195
	http://www.vieiraimoveisrp.com.br/ants.asp?cname=dumbbell+3+day+split&cid=90	Get hash	malicious	Unknown	Browse	18.154.219.110
	18#U041a.exe	Get hash	malicious	FormBook	Browse	18.143.129.199
	https://nettle-melodious-blarney.glitch.me/rap.html	Get hash	malicious	Unknown	Browse	13.249.21.42
	https://hujr9.pages.dev/	Get hash	malicious	Unknown	Browse	99.86.102.53
	https://hrk4.pages.dev/	Get hash	malicious	Unknown	Browse	34.214.251.32
	DeLJB69tAu.elf	Get hash	malicious	Mirai	Browse	18.152.233.117
	https://www.cloudflare-ipfs.com/ipfs/bafybeidh3wdcpsqif5e33rgmpsv55ddzsbmoretfb6beocz24c75r6czyu/	Get hash	malicious	HTMLPhisher	Browse	18.238.132.58

Process:	C:\Users\user\Desktop\2G8CgDVl3K.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	5.576117788993635
Encrypted:	false
SSDEEP:	384:2mZ+vEiTbZvpWNcZ0y8f1CRDX5CLk6SiUrAF+rMRTyN/0L+EcoinblneHQM3epzY:3+dTZ38f1CRDcNSHrM+rMRa8NupQt
MD5:	F39D9EDCB7DB7838B0F7948F118B96AC
SHA1:	40C19B465BBA365EF8FFE3D2FC1E0BFF32B1DABB
SHA-256:	00BE3DF100019A015209E3EE4D2D8AA68D787BA0492E69A85DA681D80635CC72
SHA-512:	48393ECB3CF8934ECFEF7393C498E03CE8C035D27BFBF7A30938A5C37A35F31212C0D8C4FEDDFF0C02CFFCBA881AF934C6232A3DC6E41A19172CC29E40CDDF86
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\Server.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Server.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\Server.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\Server.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100% Antivirus: Virustotal, Detection: 85%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{.e................................. ........@.. ....................................@.................................l...O.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......*..(.......s.........s.........s.........s...........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\Temp\VedaniTeam.png

Download File

Process:	C:\Users\user\Desktop\2G8CgDVl3K.exe
File Type:	PNG image data, 500 x 500, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	263249
Entropy (8bit):	7.994910187686788
Encrypted:	true
SSDEEP:	6144:hzpWj3/xfwoQObnkXvmv/dPCbD37Es13v9pS65AqKFHeJ6Io:Cj3QkkXvmv/da37n13vnSz2Lo
MD5:	55BFCE878DDDDB0B96B7BD8DD87E31E3
SHA1:	B7BE7AD2E8C279C4F6105A09840A9397D0D358F4
SHA-256:	CAF4EF0F99598CA461220069EFC47BEBE453CC5B84C39A723CD940EE5CD2CEA7
SHA-512:	6CED40D2CF42FD7B8115EAA23BC33187E4DB2EC2E9F76E9F13353F2B5B6F956B34E08DFF3FAF50D937B44B07566EF19F6C9A589C8EF9936DB16225CE637836C1
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR....................sRGB.........sBIT....\|.d.....pHYs..........+......iTXtXML:com.adobe.xmp.....<?xpacket begin='.' id='W5M0MpCehiHzreSzNTczkc9d'?>.<x:xmpmeta xmlns:x='adobe:ns:meta/'>.<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>.. <rdf:Description rdf:about=''. xmlns:Attrib='http://ns.attribution.com/ads/1.0/'>. <Attrib:Ads>. <rdf:Seq>. <rdf:li rdf:parseType='Resource'>. <Attrib:Created>2023-12-31</Attrib:Created>. <Attrib:ExtId>acb9b09e-8894-4c5e-aafd-70241108f648</Attrib:ExtId>. <Attrib:FbId>525265914179580</Attrib:FbId>. <Attrib:TouchType>2</Attrib:TouchType>. </rdf:li>. </rdf:Seq>. </Attrib:Ads>. </rdf:Description>.. <rdf:Description rdf:about=''. xmlns:dc='http://purl.org/dc/elements/1.1/'>. <dc:title>. <rdf:Alt>. <rdf:li xml:lang='x-default'>bizi tercih etti.iniz i.in te.ekk.r ederiz - 1</rdf:li>. </rdf:Alt>. </dc:title>. </rdf:Description>.. <rdf:Description rdf:about=''. xmlns:pdf='http://ns.ad

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.10377674004369
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	2G8CgDVl3K.exe
File size:	415'448 bytes
MD5:	3c3d7dcdc0c4eb7dd9db090c60867a1e
SHA1:	19d81e94000e24afb6f63ef7e3456a01cc884f30
SHA256:	aa60573d3d1a56190858edb2df0344b9d1082f0eae840004941a1d6b30a1b804
SHA512:	aa2b2e432539124cba4f3443f3b24fd0f9d6c5e56aadf990c44dfcebd13692e15ec72fabb10cf4f55aa0227bf159c19cc45240dda1ca95fbda36ae9d8a2d5bb6
SSDEEP:	6144:gxj7phR7li/HN9K2iZQbZc3Plf/muQuu3f8QsEdSGTYe0i82TFpjVvxD43y8v3nj:Su/t9KzZscMuPuP8ZEVE4FXjDX8vU8
TLSH:	DB942320ADD07E32CA3C0E390875AE9421F50A508183BABF4991BDEB557B71FCA975F1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9;..........."...P..,...........K... ...`....@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x404bda
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x873B39D1 [Sat Nov 23 07:46:25 2041 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add dword ptr [edx], eax
add eax, dword ptr [09080706h+eax]
add dword ptr [edx], eax
add eax, dword ptr [06070706h+eax]
add eax, 01020304h
or dword ptr [eax], ecx
pop es
push es
add eax, 01020304h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4b85	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x58c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4afc	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2c00	0x2c00	False	0.5184659090909091	data	5.747146307393069	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x58c	0x600	False	0.412109375	data	4.012707154380922	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x2fc	data			0.43455497382198954
RT_MANIFEST	0x639c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.418.156.13.20949748150202814860 01/03/24-19:00:02.820468	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49748	15020	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949749150202814860 01/03/24-19:00:10.945358	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49749	15020	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949747150202814860 01/03/24-18:59:50.235213	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49747	15020	192.168.2.4	18.156.13.209
192.168.2.43.127.138.5749751150202814860 01/03/24-19:00:35.275265	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49751	15020	192.168.2.4	3.127.138.57
192.168.2.418.197.239.549734150202814856 01/03/24-18:57:06.244802	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49734	15020	192.168.2.4	18.197.239.5
192.168.2.43.127.138.5749752150202814860 01/03/24-19:00:41.992248	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49752	15020	192.168.2.4	3.127.138.57
192.168.2.418.197.239.549741150202033132 01/03/24-18:57:40.349192	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49741	15020	192.168.2.4	18.197.239.5
192.168.2.418.156.13.20949749150202825563 01/03/24-19:00:05.386407	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49749	15020	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949749150202825564 01/03/24-19:00:10.945358	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49749	15020	192.168.2.4	18.156.13.209
192.168.2.43.127.138.5749750150202814856 01/03/24-19:00:27.873123	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49750	15020	192.168.2.4	3.127.138.57
192.168.2.418.156.13.20949746150202814856 01/03/24-18:59:22.979805	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49746	15020	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949748150202825564 01/03/24-19:00:02.820468	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49748	15020	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949747150202814856 01/03/24-18:59:26.612164	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49747	15020	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949747150202825564 01/03/24-18:59:40.471375	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49747	15020	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949749150202814856 01/03/24-19:00:05.386407	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49749	15020	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949747150202825563 01/03/24-18:59:26.612164	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49747	15020	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949746150202825563 01/03/24-18:59:22.979805	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49746	15020	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949748150202814856 01/03/24-18:59:53.198364	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49748	15020	192.168.2.4	18.156.13.209
192.168.2.43.127.138.5749751150202033132 01/03/24-19:00:32.073107	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49751	15020	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749752150202033132 01/03/24-19:00:39.289239	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49752	15020	192.168.2.4	3.127.138.57
192.168.2.418.156.13.20949746150202033132 01/03/24-18:59:22.723256	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49746	15020	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949747150202033132 01/03/24-18:59:26.350303	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49747	15020	192.168.2.4	18.156.13.209
192.168.2.43.127.138.5749752150202814856 01/03/24-19:00:39.547439	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49752	15020	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749743150202033132 01/03/24-18:58:15.013937	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49743	15020	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749753150202033132 01/03/24-19:00:56.222387	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49753	15020	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749751150202814856 01/03/24-19:00:32.324468	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49751	15020	192.168.2.4	3.127.138.57
192.168.2.418.156.13.20949748150202033132 01/03/24-18:59:52.842393	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49748	15020	192.168.2.4	18.156.13.209
192.168.2.418.156.13.20949749150202033132 01/03/24-19:00:05.132396	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49749	15020	192.168.2.4	18.156.13.209
192.168.2.43.127.138.5749753150202814856 01/03/24-19:00:56.474817	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49753	15020	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749743150202814856 01/03/24-18:58:15.267671	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49743	15020	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749745150202814856 01/03/24-18:59:09.970283	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49745	15020	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749750150202033132 01/03/24-19:00:27.612511	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49750	15020	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749744150202814856 01/03/24-18:58:35.447732	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49744	15020	192.168.2.4	3.127.138.57
192.168.2.418.197.239.549741150202814856 01/03/24-18:57:40.604617	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49741	15020	192.168.2.4	18.197.239.5
192.168.2.43.127.138.5749743150202814860 01/03/24-18:58:32.848382	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49743	15020	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749745150202814860 01/03/24-18:59:13.757617	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49745	15020	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749744150202814860 01/03/24-18:58:41.788726	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49744	15020	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749745150202033132 01/03/24-18:59:09.719744	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49745	15020	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749744150202033132 01/03/24-18:58:35.165549	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49744	15020	192.168.2.4	3.127.138.57
192.168.2.418.197.239.549734150202825563 01/03/24-18:57:06.244802	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49734	15020	192.168.2.4	18.197.239.5
192.168.2.418.197.239.549734150202825564 01/03/24-18:57:11.449947	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49734	15020	192.168.2.4	18.197.239.5
192.168.2.418.197.239.549741150202814860 01/03/24-18:58:12.788305	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49741	15020	192.168.2.4	18.197.239.5
192.168.2.43.127.138.5749751150202825564 01/03/24-19:00:35.275265	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49751	15020	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749751150202825563 01/03/24-19:00:32.324468	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49751	15020	192.168.2.4	3.127.138.57
192.168.2.418.197.239.549734150202033132 01/03/24-18:57:05.990876	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49734	15020	192.168.2.4	18.197.239.5
192.168.2.43.127.138.5749750150202825563 01/03/24-19:00:27.873123	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49750	15020	192.168.2.4	3.127.138.57
192.168.2.418.197.239.549734150202814860 01/03/24-18:57:11.449947	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49734	15020	192.168.2.4	18.197.239.5
192.168.2.418.197.239.549741150202825564 01/03/24-18:58:06.981061	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49741	15020	192.168.2.4	18.197.239.5
192.168.2.43.127.138.5749745150202825563 01/03/24-18:59:09.970283	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49745	15020	192.168.2.4	3.127.138.57
192.168.2.418.197.239.549741150202825563 01/03/24-18:57:40.604617	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49741	15020	192.168.2.4	18.197.239.5
192.168.2.43.127.138.5749745150202825564 01/03/24-18:59:13.757617	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49745	15020	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749744150202825564 01/03/24-18:58:41.788726	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49744	15020	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749752150202825563 01/03/24-19:00:39.547439	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49752	15020	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749752150202825564 01/03/24-19:00:41.992248	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49752	15020	192.168.2.4	3.127.138.57

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2024 18:57:05.551722050 CET	49734	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:57:05.805557013 CET	15020	49734	18.197.239.5	192.168.2.4
Jan 3, 2024 18:57:05.805706024 CET	49734	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:57:05.990875959 CET	49734	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:57:06.244699001 CET	15020	49734	18.197.239.5	192.168.2.4
Jan 3, 2024 18:57:06.244801998 CET	49734	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:57:06.498796940 CET	15020	49734	18.197.239.5	192.168.2.4
Jan 3, 2024 18:57:11.449947119 CET	49734	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:57:11.704329967 CET	15020	49734	18.197.239.5	192.168.2.4
Jan 3, 2024 18:57:26.847254038 CET	15020	49734	18.197.239.5	192.168.2.4
Jan 3, 2024 18:57:26.847489119 CET	49734	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:57:38.072411060 CET	15020	49734	18.197.239.5	192.168.2.4
Jan 3, 2024 18:57:38.072490931 CET	49734	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:57:40.085891008 CET	49734	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:57:40.088579893 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:57:40.340102911 CET	15020	49734	18.197.239.5	192.168.2.4
Jan 3, 2024 18:57:40.343936920 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:57:40.344017029 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:57:40.349191904 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:57:40.604562044 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:57:40.604617119 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:57:40.860527992 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:57:42.757263899 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:57:43.012839079 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:57:55.288959026 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:57:55.545037031 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:57:57.679150105 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:57:57.934420109 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:04.866806030 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:05.122623920 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:05.122684002 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:05.378094912 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:06.429387093 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:06.684932947 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:06.684989929 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:06.940207958 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:06.981060982 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:07.236938000 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:07.237005949 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:07.492278099 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:07.492379904 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:07.747955084 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:07.748059034 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:08.004327059 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:08.004440069 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:08.259747028 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:08.259897947 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:08.515182018 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:08.515357018 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:08.772001982 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:08.772238016 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:09.027476072 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:09.027615070 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:09.283917904 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:09.284152031 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:09.540862083 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:09.540977001 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:09.796233892 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:09.796437979 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:10.053355932 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:10.053608894 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:10.309473038 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:10.309667110 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:10.566102028 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:10.566319942 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:10.821674109 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:10.821794987 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:11.077302933 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:11.077574015 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:11.333571911 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:11.333837032 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:11.589235067 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:11.589512110 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:11.845041037 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:11.845149994 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:12.142066956 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:12.142252922 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:12.444961071 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:12.478045940 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:12.478307962 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:12.609904051 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:12.609998941 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:12.701124907 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:12.734302044 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:12.788305044 CET	49741	15020	192.168.2.4	18.197.239.5
Jan 3, 2024 18:58:12.865621090 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:13.043625116 CET	15020	49741	18.197.239.5	192.168.2.4
Jan 3, 2024 18:58:14.755034924 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:15.007802010 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:15.007921934 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:15.013936996 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:15.267606020 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:15.267671108 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:15.520328999 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:15.520451069 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:15.773125887 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:15.773253918 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:16.025954962 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:16.026388884 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:16.278949976 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:16.279094934 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:16.531721115 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:16.531814098 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:16.784533978 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:16.784657001 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:17.037403107 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:17.037477016 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:17.290085077 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:17.290205956 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:17.542784929 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:17.542879105 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:17.795485973 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:17.795747995 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:18.048418999 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:18.048535109 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:18.302889109 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:18.303018093 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:18.555645943 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:18.555773020 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:18.808509111 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:18.808648109 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:19.061224937 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:19.061331034 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:19.314048052 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:19.314160109 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:19.567322969 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:19.567451954 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:19.820159912 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:19.820262909 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:20.072966099 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:20.073105097 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:20.326155901 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:20.326261044 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:20.579324961 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:20.579426050 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:20.832101107 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:20.832218885 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:21.085078001 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:21.086271048 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:21.338999033 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:21.342363119 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:21.595119953 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:21.595207930 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:21.847749949 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:21.847821951 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:22.100600958 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:22.102344036 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:22.355012894 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:22.358330011 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:22.610989094 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:22.614397049 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:22.908561945 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:22.908679962 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:23.244658947 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:23.244870901 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:23.647671938 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:23.664503098 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:23.664602041 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:23.917412043 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:23.917500019 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:24.170192003 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:24.170285940 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:24.423281908 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:24.423446894 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:24.676340103 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:24.676467896 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:24.929177046 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:24.929260015 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:25.182281017 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:25.182410002 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:25.434989929 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:25.435126066 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:25.687810898 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:25.687988043 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:25.940622091 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:25.940737963 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:26.194988966 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:26.195082903 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:26.449107885 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:26.449212074 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:26.702052116 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:26.702168941 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:26.955070019 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:26.955177069 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:27.207794905 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:27.207921028 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:27.460571051 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:27.460675955 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:27.713414907 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:27.713542938 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:27.966295004 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:27.966406107 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:28.219153881 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:28.219268084 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:28.471898079 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:28.471977949 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:28.724577904 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:28.724695921 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:28.977319002 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:28.977422953 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:29.230045080 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:29.230156898 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:29.484100103 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:29.484194994 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:29.736916065 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:29.737148046 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:29.989728928 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:29.989856005 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:30.242902040 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:30.242985964 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:30.495681047 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:30.495810032 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:30.748569965 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:30.748648882 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:31.001311064 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:31.001425982 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:31.253978014 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:31.254113913 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:31.506750107 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:31.506865978 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:31.940604925 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:31.940692902 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:32.396538019 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:32.396644115 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:32.848234892 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:32.848381996 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:33.308676958 CET	15020	49743	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:34.866791010 CET	49743	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:34.868860960 CET	49744	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:35.158818960 CET	15020	49744	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:35.159090996 CET	49744	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:35.165549040 CET	49744	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:35.447649002 CET	15020	49744	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:35.447731972 CET	49744	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:35.749552965 CET	15020	49744	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:35.749763012 CET	49744	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:36.037216902 CET	15020	49744	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:36.037322044 CET	49744	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:36.292862892 CET	15020	49744	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:36.293055058 CET	49744	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:36.588387012 CET	15020	49744	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:36.588479042 CET	49744	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:36.885737896 CET	15020	49744	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:36.885926962 CET	49744	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:37.158580065 CET	15020	49744	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:41.788726091 CET	49744	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:58:42.083969116 CET	15020	49744	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:57.132554054 CET	15020	49744	3.127.138.57	192.168.2.4
Jan 3, 2024 18:58:57.132713079 CET	49744	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:59:07.455949068 CET	15020	49744	3.127.138.57	192.168.2.4
Jan 3, 2024 18:59:07.456121922 CET	49744	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:59:09.460485935 CET	49744	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:59:09.462518930 CET	49745	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:59:09.713017941 CET	15020	49745	3.127.138.57	192.168.2.4
Jan 3, 2024 18:59:09.713115931 CET	49745	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:59:09.719743967 CET	49745	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:59:09.838864088 CET	15020	49744	3.127.138.57	192.168.2.4
Jan 3, 2024 18:59:09.970124006 CET	15020	49745	3.127.138.57	192.168.2.4
Jan 3, 2024 18:59:09.970283031 CET	49745	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:59:10.220820904 CET	15020	49745	3.127.138.57	192.168.2.4
Jan 3, 2024 18:59:13.757616997 CET	49745	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:59:14.008115053 CET	15020	49745	3.127.138.57	192.168.2.4
Jan 3, 2024 18:59:20.297938108 CET	15020	49745	3.127.138.57	192.168.2.4
Jan 3, 2024 18:59:20.298017025 CET	49745	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:59:22.304203033 CET	49745	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 18:59:22.462908030 CET	49746	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:22.558435917 CET	15020	49745	3.127.138.57	192.168.2.4
Jan 3, 2024 18:59:22.717524052 CET	15020	49746	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:22.717619896 CET	49746	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:22.723256111 CET	49746	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:22.979762077 CET	15020	49746	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:22.979804993 CET	49746	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:23.234553099 CET	15020	49746	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:24.078310013 CET	15020	49746	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:24.078371048 CET	49746	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:26.085459948 CET	49746	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:26.086993933 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:26.340261936 CET	15020	49746	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:26.344902039 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:26.344994068 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:26.350302935 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:26.612102032 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:26.612164021 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:26.870758057 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:27.601315975 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:27.866879940 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:30.241964102 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:30.505727053 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:32.273283005 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:32.531228065 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:38.429590940 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:38.700705051 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:38.700757980 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:38.958648920 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:39.945123911 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:40.203247070 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:40.203316927 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:40.471297979 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:40.471374989 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:40.746834040 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:40.746929884 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:41.004757881 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:41.004879951 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:41.268992901 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:41.269151926 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:41.540324926 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:41.540518045 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:41.798221111 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:41.798350096 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:42.057343960 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:42.057440996 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:42.316235065 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:42.316343069 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:42.573890924 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:42.574002028 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:42.832550049 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:42.832685947 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:43.134139061 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:43.134268045 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:43.391845942 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:43.391966105 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:43.650605917 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:43.650702953 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:43.908482075 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:43.908566952 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:44.166126013 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:44.166224957 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:44.431248903 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:44.431456089 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:44.745549917 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:44.745754957 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:45.097579002 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:45.097680092 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:45.384280920 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:45.384525061 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:45.804344893 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:45.809669018 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:45.809766054 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:46.068306923 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:46.068445921 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:46.327883959 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:46.328149080 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:46.585772991 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:46.585982084 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:46.847440958 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:46.847523928 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:47.123087883 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:47.123281002 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:47.381413937 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:47.381503105 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:47.641732931 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:47.641973972 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:47.899734974 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:47.899979115 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:48.158979893 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:48.159149885 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:48.417630911 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:48.417726040 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:48.676861048 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:48.676969051 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:48.938221931 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:48.938394070 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:49.198395967 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:49.198491096 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:49.456764936 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:49.456887960 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:49.719295979 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:49.719388008 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:49.977111101 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:49.977299929 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:50.235012054 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:50.235213041 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:50.467257023 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:50.467344046 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:50.496289968 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:50.601145029 CET	49747	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:50.733304024 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:50.861320972 CET	15020	49747	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:52.479083061 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:52.835277081 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:52.835410118 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:52.842392921 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:53.198293924 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:53.198364019 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:53.568427086 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:53.568537951 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:53.946400881 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:53.946578026 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:54.327150106 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:54.327326059 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:54.700675964 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:54.700818062 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:55.061311007 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:55.061420918 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:55.390733004 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:55.390837908 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:55.734622955 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:55.734801054 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:56.107014894 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:56.107093096 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:56.477221012 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:56.477464914 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:56.824023962 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:56.824147940 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:57.181340933 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:57.181437969 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:57.543116093 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:57.543199062 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:57.893831968 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:57.893927097 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:58.237124920 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:58.237240076 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:58.586400986 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:58.586522102 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:58.930402994 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:58.930519104 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:59.303837061 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:59.303962946 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 18:59:59.706978083 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 18:59:59.707079887 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 19:00:00.100061893 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 19:00:00.100172043 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 19:00:00.487885952 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 19:00:00.488106012 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 19:00:00.842242002 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 19:00:00.842340946 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 19:00:01.185050964 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 19:00:01.185250998 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 19:00:01.527215958 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 19:00:01.528562069 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 19:00:01.884457111 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 19:00:01.884659052 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 19:00:02.241082907 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 19:00:02.820467949 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 19:00:02.851536989 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 19:00:02.929290056 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 19:00:03.194327116 CET	15020	49748	18.156.13.209	192.168.2.4
Jan 3, 2024 19:00:04.867042065 CET	49748	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 19:00:04.869622946 CET	49749	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 19:00:05.124058008 CET	15020	49749	18.156.13.209	192.168.2.4
Jan 3, 2024 19:00:05.124198914 CET	49749	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 19:00:05.132395983 CET	49749	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 19:00:05.386326075 CET	15020	49749	18.156.13.209	192.168.2.4
Jan 3, 2024 19:00:05.386406898 CET	49749	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 19:00:05.638864994 CET	15020	49749	18.156.13.209	192.168.2.4
Jan 3, 2024 19:00:10.945358038 CET	49749	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 19:00:11.252386093 CET	15020	49749	18.156.13.209	192.168.2.4
Jan 3, 2024 19:00:25.204226017 CET	15020	49749	18.156.13.209	192.168.2.4
Jan 3, 2024 19:00:25.204330921 CET	49749	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 19:00:27.210702896 CET	49749	15020	192.168.2.4	18.156.13.209
Jan 3, 2024 19:00:27.351140976 CET	49750	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:27.465785980 CET	15020	49749	18.156.13.209	192.168.2.4
Jan 3, 2024 19:00:27.606502056 CET	15020	49750	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:27.606601954 CET	49750	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:27.612510920 CET	49750	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:27.873059034 CET	15020	49750	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:27.873122931 CET	49750	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:28.129676104 CET	15020	49750	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:29.797163010 CET	15020	49750	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:29.797243118 CET	49750	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:31.804862022 CET	49750	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:31.806054115 CET	49751	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:32.067259073 CET	15020	49751	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:32.067353010 CET	49751	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:32.070363998 CET	15020	49750	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:32.073107004 CET	49751	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:32.324331999 CET	15020	49751	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:32.324467897 CET	49751	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:32.575136900 CET	15020	49751	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:35.275264978 CET	49751	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:35.525633097 CET	15020	49751	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:37.009248018 CET	15020	49751	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:37.009439945 CET	49751	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:39.024462938 CET	49751	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:39.027422905 CET	49752	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:39.274435997 CET	15020	49751	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:39.282180071 CET	15020	49752	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:39.282365084 CET	49752	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:39.289238930 CET	49752	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:39.547267914 CET	15020	49752	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:39.547439098 CET	49752	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:39.802398920 CET	15020	49752	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:41.992248058 CET	49752	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:42.247246981 CET	15020	49752	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:53.946882010 CET	15020	49752	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:53.946948051 CET	49752	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:55.962217093 CET	49752	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:55.963953018 CET	49753	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:56.214221001 CET	15020	49753	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:56.214772940 CET	49753	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:56.217531919 CET	15020	49752	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:56.222387075 CET	49753	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:56.473822117 CET	15020	49753	3.127.138.57	192.168.2.4
Jan 3, 2024 19:00:56.474817038 CET	49753	15020	192.168.2.4	3.127.138.57
Jan 3, 2024 19:00:56.724981070 CET	15020	49753	3.127.138.57	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2024 18:57:05.407907009 CET	52545	53	192.168.2.4	1.1.1.1
Jan 3, 2024 18:57:05.543792009 CET	53	52545	1.1.1.1	192.168.2.4
Jan 3, 2024 18:58:14.617805958 CET	54315	53	192.168.2.4	1.1.1.1
Jan 3, 2024 18:58:14.753573895 CET	53	54315	1.1.1.1	192.168.2.4
Jan 3, 2024 18:59:22.305636883 CET	65231	53	192.168.2.4	1.1.1.1
Jan 3, 2024 18:59:22.461771011 CET	53	65231	1.1.1.1	192.168.2.4
Jan 3, 2024 19:00:27.212135077 CET	62745	53	192.168.2.4	1.1.1.1
Jan 3, 2024 19:00:27.350171089 CET	53	62745	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 3, 2024 18:57:05.407907009 CET	192.168.2.4	1.1.1.1	0xca5f	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jan 3, 2024 18:58:14.617805958 CET	192.168.2.4	1.1.1.1	0x92bf	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jan 3, 2024 18:59:22.305636883 CET	192.168.2.4	1.1.1.1	0x3965	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jan 3, 2024 19:00:27.212135077 CET	192.168.2.4	1.1.1.1	0xc6b2	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 3, 2024 18:57:05.543792009 CET	1.1.1.1	192.168.2.4	0xca5f	No error (0)	2.tcp.eu.ngrok.io	18.197.239.5	A (IP address)	IN (0x0001)	false
Jan 3, 2024 18:58:14.753573895 CET	1.1.1.1	192.168.2.4	0x92bf	No error (0)	2.tcp.eu.ngrok.io	3.127.138.57	A (IP address)	IN (0x0001)	false
Jan 3, 2024 18:59:22.461771011 CET	1.1.1.1	192.168.2.4	0x3965	No error (0)	2.tcp.eu.ngrok.io	18.156.13.209	A (IP address)	IN (0x0001)	false
Jan 3, 2024 19:00:27.350171089 CET	1.1.1.1	192.168.2.4	0xc6b2	No error (0)	2.tcp.eu.ngrok.io	3.127.138.57	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	18:56:51
Start date:	03/01/2024
Path:	C:\Users\user\Desktop\2G8CgDVl3K.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\2G8CgDVl3K.exe
Imagebase:	0x720000
File size:	415'448 bytes
MD5 hash:	3C3D7DCDC0C4EB7DD9DB090C60867A1E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.1667081303.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.1667081303.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:56:55
Start date:	03/01/2024
Path:	C:\Users\user\AppData\Local\Temp\Server.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Server.exe"
Imagebase:	0x720000
File size:	37'888 bytes
MD5 hash:	F39D9EDCB7DB7838B0F7948F118B96AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000005.00000000.1660160028.0000000000722000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000005.00000000.1660160028.0000000000722000.00000002.00000001.01000000.0000000C.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000005.00000000.1660160028.0000000000722000.00000002.00000001.01000000.0000000C.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\Server.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Server.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\Server.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\Server.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs Detection: 85%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	18:57:02
Start date:	03/01/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:57:02
Start date:	03/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFD9B78A009 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

>`us, xrefs: 00007FFD9B78A0C7

Memory Dump Source

Source File: 00000000.00000002.1671409007.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b78a000_2G8CgDVl3K.jbxd

Similarity

API ID:
String ID: >`us
API String ID: 0-3793958555
Opcode ID: 6a935582b50f6cdebed5dac49d5eb9039c6d56251d32fb3937697384836cbf59
Instruction ID: c3074c316dcf46e57bca3e83231f1b4e54394fc02805087df780f115ea28368a
Opcode Fuzzy Hash: 6a935582b50f6cdebed5dac49d5eb9039c6d56251d32fb3937697384836cbf59
Instruction Fuzzy Hash: 8641F57150DB885FE7668F289856A627FE0EF52311F1602DFD088C71B3E634A845C762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8D11AA Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672284203.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8d0000_2G8CgDVl3K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9981a587e28d19d45abf5c022cdde825921f9b39735bf333652011e20775a73
Instruction ID: 9032fc6b5057407745b16691fdf91fa7eb6d3fa54437806b182a1d12107e6dcb
Opcode Fuzzy Hash: d9981a587e28d19d45abf5c022cdde825921f9b39735bf333652011e20775a73
Instruction Fuzzy Hash: 85F1CB70A19A8D8FDFA1EF28C854BD837E1FF19340F514566E85DC72A6DB34A984CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8D0410 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672284203.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8d0000_2G8CgDVl3K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc9e125f6f365005d50e8095ad7962c45a10c76d8b3356aed82557a2d6c566c
Instruction ID: f9deac213ae67c47813194f7f177190a0b0e40faf295339b72289cc93eec2d7e
Opcode Fuzzy Hash: 0bc9e125f6f365005d50e8095ad7962c45a10c76d8b3356aed82557a2d6c566c
Instruction Fuzzy Hash: BE91117061DBC98FD7A1EB2CC455B5ABBE1FF99340F4449AEE48DC72A2DA349844C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8D17A9 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672284203.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8d0000_2G8CgDVl3K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e80bb724cadb3b5fdad12cc110a5836699ca1e13d9ec5cb924dfeb663f32797
Instruction ID: 5e6d850eb359dc8e23118e0d046e3efbb055a5c1ffb31ab4a87b9f4fe0b07283
Opcode Fuzzy Hash: 0e80bb724cadb3b5fdad12cc110a5836699ca1e13d9ec5cb924dfeb663f32797
Instruction Fuzzy Hash: CA51D97160AACD8FEB91EF68C859B957BE0FF59340F0506AAF84DC71A2D734A940C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8D000A Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672284203.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8d0000_2G8CgDVl3K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008a23745d8f36e25e86c8ecc42a2a68e4554211ee4173e7dbc41bca73db3f96
Instruction ID: 68df00eb78e65b68e5b0f2f8c4baf263e84c4f40cd7032763cfb6fc327718fc7
Opcode Fuzzy Hash: 008a23745d8f36e25e86c8ecc42a2a68e4554211ee4173e7dbc41bca73db3f96
Instruction Fuzzy Hash: E441AF61A1F7CA5FDB138B704C765A43F709E07100B4A06EBE499CF1E3DA2C5A09C722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8D1069 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672284203.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8d0000_2G8CgDVl3K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6835c2cabdf91fe21758816395e65fe7f567e49d57788810251a5e3bbdb0ef14
Instruction ID: ba12f5895c6fdd847ee0798d39f2677c62105ef7d8f1781289bd1c3e3757164d
Opcode Fuzzy Hash: 6835c2cabdf91fe21758816395e65fe7f567e49d57788810251a5e3bbdb0ef14
Instruction Fuzzy Hash: EB319731A1DA894FD741EB28C851A6ABBE2FFC6300F454679E089C72E7DA24ED05C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8D0B25 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672284203.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8d0000_2G8CgDVl3K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ac3b0199eb4efcb4876cb0fab7a940701301ed06b949a8c46e4030bc98c2de6
Instruction ID: 1099a5bd9e7425994f30e212485919bfc8feb6d70e10f66e6e7e0f67823d4d27
Opcode Fuzzy Hash: 6ac3b0199eb4efcb4876cb0fab7a940701301ed06b949a8c46e4030bc98c2de6
Instruction Fuzzy Hash: A831FE70A2994D8FDBB4EF18C864BE937E2FF59300F514266984DCB2A1DF34AA44C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8D0C7A Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672284203.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8d0000_2G8CgDVl3K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e25a40bf7519b777182c6a646b0998fe31afd9a166539bec8ac9c8b2ccf148
Instruction ID: 7ac65062b16f57afe343441ebe4ce9a630bdd88422ad1b1865ba87531a4fab5b
Opcode Fuzzy Hash: 03e25a40bf7519b777182c6a646b0998fe31afd9a166539bec8ac9c8b2ccf148
Instruction Fuzzy Hash: C9314F70A2AA8D8FDBB5DF58C864BE977E1FF59300F5142AAD40DCB1A1DB34A644CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8D0B91 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672284203.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8d0000_2G8CgDVl3K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf3aba2fcc7ca1b1d5425410af671ea33a25d0fa0bf2d1cbe42f72a00c8a63d
Instruction ID: 982f4d4e1d811449964561be899683d74b965cd9e95f7572abae31de136543b1
Opcode Fuzzy Hash: cdf3aba2fcc7ca1b1d5425410af671ea33a25d0fa0bf2d1cbe42f72a00c8a63d
Instruction Fuzzy Hash: 85316370A18A8D8FDBB4EF1CC898BE977E1FF59301F514266984DCB261DB74AA44CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8D0F91 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672284203.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8d0000_2G8CgDVl3K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d79eec87b9b15e3d2fed19873d8ec6a3d111fece4b1ecada37e7950e3cac2e
Instruction ID: af62ba80ea7cd244d8d4ee47db8e7530fffea55f68cf2087731e97dfcc69cda3
Opcode Fuzzy Hash: 72d79eec87b9b15e3d2fed19873d8ec6a3d111fece4b1ecada37e7950e3cac2e
Instruction Fuzzy Hash: BE21D67165D7894FE750DB1CC8A69557BB0FF99210F4507BBE048CB2B3D918AD41C342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8D0B5A Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672284203.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8d0000_2G8CgDVl3K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91fc82c532b23e47b9d2eba206c9aa9df338c35d6d3c14d9d37a6181dd12ba2
Instruction ID: 9b5604e828f73d8336ae4232d2ce0c03635e355101d272f7e5d8f15da6572246
Opcode Fuzzy Hash: a91fc82c532b23e47b9d2eba206c9aa9df338c35d6d3c14d9d37a6181dd12ba2
Instruction Fuzzy Hash: EA21EA70A29A8D8FDBB4DF58C868BE973E1FF99701F514266980DCB261DB34AA44C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8D06ED Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672284203.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8d0000_2G8CgDVl3K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386d1be7850ca727fa4e334c1c79c72cdc22f995ce1011436fb5e0ceca81d149
Instruction ID: 7e2738341ac77ffab1f65d701fc0d7796ca584a1f73b8cee90fad0b57cc07168
Opcode Fuzzy Hash: 386d1be7850ca727fa4e334c1c79c72cdc22f995ce1011436fb5e0ceca81d149
Instruction Fuzzy Hash: 5701D860E6D6495BD354EF28CCB1E6537E1AFD5604F84697AF048C71E7DC156804C707

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8D0361 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672284203.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8d0000_2G8CgDVl3K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd481d2b157e364b955275a667b5c5428943d35fcb8d1ed235608c37fc0f29c7
Instruction ID: 092d845d096390b035fcf02c79d756895e6664953478faa38dbabfb825f3a55c
Opcode Fuzzy Hash: dd481d2b157e364b955275a667b5c5428943d35fcb8d1ed235608c37fc0f29c7
Instruction Fuzzy Hash: B1018F61A5DB885FD781CB1888507157BF0FF8D244F8906AAF48CD72B2E7289A00C716

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8D0781 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672284203.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8d0000_2G8CgDVl3K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41195124350e6aba9d07818417b5ccb5038c3092ca66c66a05eb735e486e2a85
Instruction ID: d988ce7600302b243c1567f4a176f548c4a5ce816767fbad2eacf7fc7096845a
Opcode Fuzzy Hash: 41195124350e6aba9d07818417b5ccb5038c3092ca66c66a05eb735e486e2a85
Instruction Fuzzy Hash: 7D018461A5DB8D4FD740DB2888617697BF0FF89200F85467AE48CC72B3D6289940C702

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Server.exePID: 7340, Parent PID: 6908COMMON

Execution Graph

Execution Coverage:	16.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.2%
Total number of Nodes:	134
Total number of Limit Nodes:	6

Executed Functions

Function 00E0B17F Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00E0B1FF

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 6ab66d92c101bb7dcfd23a5b9e4d7523892f4cdc28f821876b1c7d9f9f4f471a
Instruction ID: e726b616eb249f77f7d1211e3982e1f583cbe1ac274465e8e670bc58fbc5c3a8
Opcode Fuzzy Hash: 6ab66d92c101bb7dcfd23a5b9e4d7523892f4cdc28f821876b1c7d9f9f4f471a
Instruction Fuzzy Hash: 0221BF755093809FDB228F25DC40B52BFF4FF06314F0884DAE9848B5A3D3349908DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E0B3BB Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00E0B431

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 62b75a7687129c47d74557b994e36e4527958a052db8b5b6e45f9e0a757db1e7
Instruction ID: 74a69df13970a1a31d3d4a37f73e795eae12d8179259d63fae7ede58fe93afe9
Opcode Fuzzy Hash: 62b75a7687129c47d74557b994e36e4527958a052db8b5b6e45f9e0a757db1e7
Instruction Fuzzy Hash: 5521AE714097C09FDB238B21DC45A52FFB0EF17314F0984DBE9848B5A3D269A909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E0B1B6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00E0B1FF

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: db3d79ec9c011cee8cd6d89791a95c77a4003fe7b19c70dd03f6cb0d1f66ae66
Instruction ID: 804f0d2663ef380c67b3eaf9f327325ee1824929b75c6aa48bcfb2b9d08e830f
Opcode Fuzzy Hash: db3d79ec9c011cee8cd6d89791a95c77a4003fe7b19c70dd03f6cb0d1f66ae66
Instruction Fuzzy Hash: E011A0315002009FDB20CF55D944B66FBE4FF08324F08C8AADD459BA61D335E458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E0B3F6 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00E0B431

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: ec0021530a5f7e60996f31196f4bd809573ba0f626e2bc2e2763666a7041a6ee
Instruction ID: 1eb91ad606df702626f8db2fada41428044aae5e19d6ad1738a1fbf65d88ffc0
Opcode Fuzzy Hash: ec0021530a5f7e60996f31196f4bd809573ba0f626e2bc2e2763666a7041a6ee
Instruction Fuzzy Hash: 99018F318006009FDB208F05D984B62FBE0FF44724F08C4AADD590AA52D379A558DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0F90 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 04EE0FB7

Memory Dump Source

Source File: 00000005.00000002.4078212153.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4ee0000_Server.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3219af2e7a2f59f9d91ecc1dcfb136461b63ccfc34aeefd90f516652ccee2415
Instruction ID: 6f4cb0e243f7ad342f9e10d09286be7c41aea8afc7794137f7ee7ff3e3713fa9
Opcode Fuzzy Hash: 3219af2e7a2f59f9d91ecc1dcfb136461b63ccfc34aeefd90f516652ccee2415
Instruction Fuzzy Hash: C8416D317002118FCB14EF79D8846ADB7E6EF84209B148479D819DB39AEF39DD85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0F7F Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 04EE0FB7

Memory Dump Source

Source File: 00000005.00000002.4078212153.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4ee0000_Server.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5d4f002e2d5c284230c3484005bf9159a177b5d50ec406a61abaf049bd1e270c
Instruction ID: d0674350cd13a789468e0f8493525e289d5e30d20eb0ff5b97f0cb44daf3907b
Opcode Fuzzy Hash: 5d4f002e2d5c284230c3484005bf9159a177b5d50ec406a61abaf049bd1e270c
Instruction Fuzzy Hash: F1415E316002518FCB24DF75D894AAEB6E6EF84304B548479D809DB39AEB39DD85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0507144A Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 0507152E

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 257089479ecf1722be59c7b56799b5e9c1b78da84f0739ed2bec7a33c2aae7aa
Instruction ID: 59a86358534a793d7e854f150c082c4dcced3ddadf04729526bc141eefdeeb72
Opcode Fuzzy Hash: 257089479ecf1722be59c7b56799b5e9c1b78da84f0739ed2bec7a33c2aae7aa
Instruction Fuzzy Hash: D4415B6150E3C16FD3138B358C61AA2BFB4AF47210F0E85DBD8C4CF5A3D6286959C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00E0BDA2 Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00E0BE61

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0e6fb3b45e9d6a5d7fc556ef60a66c757ffd88ac0cb2c5ca98fb564229e45579
Instruction ID: 26e6ff7e08731900ec5526c6a524b97f0eac081de3a5a45c375cdc14facf0302
Opcode Fuzzy Hash: 0e6fb3b45e9d6a5d7fc556ef60a66c757ffd88ac0cb2c5ca98fb564229e45579
Instruction Fuzzy Hash: 5C31E5715053806FE722CF25DC44BA2BFF8EF06314F0888AAE9848B652D335A809D771

Uniqueness

Uniqueness Score: -1.00%

Function 050724F6 Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 050725BD

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5342506dafd71469760316ba3ec3c29a6d278f4d01963c3de8fcf98533637453
Instruction ID: 1cfefb3f235daaaa23a4c6f5630032dab05705c48b02e04baac47dcbf18b9fe3
Opcode Fuzzy Hash: 5342506dafd71469760316ba3ec3c29a6d278f4d01963c3de8fcf98533637453
Instruction Fuzzy Hash: 83318F76504344AFE721CB65DC44FA7BBFCEF09214F08899AE985CB662D334E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05070387 Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0507044E

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1fbabda2cfee21f46589353628c18252748d47b4b55a1f4170618dd4961a041d
Instruction ID: b329ce94d5c1813d3213e0263f9cc13c9976be05867a62dfc514713316ed9666
Opcode Fuzzy Hash: 1fbabda2cfee21f46589353628c18252748d47b4b55a1f4170618dd4961a041d
Instruction Fuzzy Hash: 19318B6510E3C06FD3138B258C65A61BFB4EF47610F0E45DBE8C48B6A3D229A909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 050711BC Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05071283

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 7c4619efe5f2ed960f4db46e1112a0d3796df7105e313482faf9e2194e526bea
Instruction ID: 627883f7a9a83aff8f78ceb983b621b8a4de7641eb44a590fd150b9bf3cbd788
Opcode Fuzzy Hash: 7c4619efe5f2ed960f4db46e1112a0d3796df7105e313482faf9e2194e526bea
Instruction Fuzzy Hash: 0531ADB2500344AFE721CB61DC84FA6FBECEF05714F04889AFA489B681D375A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00E0AA52 Relevance: 1.6, APIs: 1, Instructions: 91
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00E0AB05

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 849fb3dc5328013b71869bed5745422ea16be254d8c258a74bf4725ab25b6a28
Instruction ID: d1d27729903d546b119fbf976a9bcd4ca71fac8c08bf17c8933a881cfc5663fc
Opcode Fuzzy Hash: 849fb3dc5328013b71869bed5745422ea16be254d8c258a74bf4725ab25b6a28
Instruction Fuzzy Hash: 9E3175764093846FE7228B65CC44FA7BFBCEF16314F08859AE9849B592D324A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00E0A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00E0A6B9

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 9c4082dd1f0e6be715a08aca567ca7a84f2f8886cfae5448b0233d5d9e25f3ba
Instruction ID: 2d62bf31954d56b4cca0644219b402272a4fbb17b905c495928ef42649d5f347
Opcode Fuzzy Hash: 9c4082dd1f0e6be715a08aca567ca7a84f2f8886cfae5448b0233d5d9e25f3ba
Instruction Fuzzy Hash: 2E31D3715093805FE722CB25DC45B96BFF8EF06314F0884AAE984CB293D335A909C762

Uniqueness

Uniqueness Score: -1.00%

Function 05070938 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 050709CF

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 93d6be38b18f7265aae777203fab0547f6d69574eb803a20c3d267174c9f3f2a
Instruction ID: 4bd5f8d88cf2c7a3ef935bcf8a1a1540a1c522d1120c1c244a0577d987699d28
Opcode Fuzzy Hash: 93d6be38b18f7265aae777203fab0547f6d69574eb803a20c3d267174c9f3f2a
Instruction Fuzzy Hash: B431C371505344AFE721CB65DC45FA7BBFCEF05210F0884AAE944DB652D324E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0507103C Relevance: 1.6, APIs: 1, Instructions: 88
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 050710D9

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 599980ed07d1d039310685bb549e3f5effc75aea5b8e6b4148a277603ac09d51
Instruction ID: d81216917a52972f7d581aa9c6ad4c47f4e4b89bf316d55d6b90ef5afc109bc7
Opcode Fuzzy Hash: 599980ed07d1d039310685bb549e3f5effc75aea5b8e6b4148a277603ac09d51
Instruction Fuzzy Hash: 5431E5725093806FD7228F64DC45FA6BFB8EF06314F08849AE9448F592D324A909CB75

Uniqueness

Uniqueness Score: -1.00%

Function 05072522 Relevance: 1.6, APIs: 1, Instructions: 86
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 050725BD

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5be01216aa1f1305b1c1800f9a7b8ce8b9dfcc56641d62aa5b2de75c5db295c0
Instruction ID: 0d8cdb6f204544125146d6292d7b1de630295d60cccec52a60315399c9c889e5
Opcode Fuzzy Hash: 5be01216aa1f1305b1c1800f9a7b8ce8b9dfcc56641d62aa5b2de75c5db295c0
Instruction Fuzzy Hash: CE21A076500309AFE731CE15DD44FABBBEDEF08614F04886AE945CAA51E734E5088B75

Uniqueness

Uniqueness Score: -1.00%

Function 00E0A361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 00E0A40C

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 52dbca5100019df8447520c323b70734d79b9d47200bfef701b702d4f6b62246
Instruction ID: 20cad5ceb9ea6d8590d28f1dcd39ea6a090655b0e384a87f2b7edeaa1a73df3e
Opcode Fuzzy Hash: 52dbca5100019df8447520c323b70734d79b9d47200bfef701b702d4f6b62246
Instruction Fuzzy Hash: 8C31D175104344AFD722CF15CC84F96BBF8EF06314F0884AAE845DB692C324E849CB62

Uniqueness

Uniqueness Score: -1.00%

Function 050711DE Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05071283

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 4b2706ea4da4b697b1ec645df8c274bb3f84f79f8768ec79cacd34d572bbcd92
Instruction ID: f3a9819b76d81f058beee8e1d4b47ffbfbf804bfc4ded7677d9aa028c1a711ec
Opcode Fuzzy Hash: 4b2706ea4da4b697b1ec645df8c274bb3f84f79f8768ec79cacd34d572bbcd92
Instruction Fuzzy Hash: C321AD71500204AEEB30DB65DC84FAAF7ECEF14714F04886AEA489AA81D775E509CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 05072795 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

select.WS2_32(?,?,?,?,?), ref: 05072824

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 09859ddaf18bc0b67c065d87cd605e1ffe11796700b1fed9aed514aa2cf21c8a
Instruction ID: 14ee41721e8ee35020b2018ef1274eb8bfbd70b75a6457ab8b27999a6b43cd09
Opcode Fuzzy Hash: 09859ddaf18bc0b67c065d87cd605e1ffe11796700b1fed9aed514aa2cf21c8a
Instruction Fuzzy Hash: 6A218D755093849FD762CF25DC44B62BFF8FF06210F0884DAE884CB162D335A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E0A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 00E0A4F8

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 4600f3c3827764e369550f43511de504a24efc0bd8f1dac55db38ea5332b07fa
Instruction ID: 44d36d0fd5c13d16f9d65fd4c605260c6a0d4430b27eb806271fd4e8c1069dee
Opcode Fuzzy Hash: 4600f3c3827764e369550f43511de504a24efc0bd8f1dac55db38ea5332b07fa
Instruction Fuzzy Hash: 4D21E0721043846FD7228F10CC44FA7BFB8EF06314F0884AAE885DB692C364E848C772

Uniqueness

Uniqueness Score: -1.00%

Function 0507047A Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05070506

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: c2630f900681a080d5182feba7bd109bcd55d12e24ed4d4cb8b8b4d20dd8f016
Instruction ID: 6a6b31349969ef284632aef89396d224a7729a78a50aef6be9971be05bfc36e8
Opcode Fuzzy Hash: c2630f900681a080d5182feba7bd109bcd55d12e24ed4d4cb8b8b4d20dd8f016
Instruction Fuzzy Hash: D921B171505380AFE722CF55DC45FA6FFF8EF05210F0888AEE9858B652C375A509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05070AEE Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05070B82

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 02bed71b9e248b390b2fdae69734a8a31a9cccd312c87185d715cde974f09c53
Instruction ID: c7578f765d43c51b6a7f8488447b72f8b8c29505a8ca7ab5ef0d9c4e058f1132
Opcode Fuzzy Hash: 02bed71b9e248b390b2fdae69734a8a31a9cccd312c87185d715cde974f09c53
Instruction Fuzzy Hash: BC21B171405344AFE722CF55DC44F96FBF8EF09224F04889EE9848B652D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E0BDE2 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00E0BE61

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: bfe4723927ca87dafce2666124b087e24d03071777072eb2c6faec1dc4351e93
Instruction ID: 44602c3f8aff93baf4c0cd18fdd87a3b710a5a90b38dd98fa7a3920ed442d4ab
Opcode Fuzzy Hash: bfe4723927ca87dafce2666124b087e24d03071777072eb2c6faec1dc4351e93
Instruction Fuzzy Hash: 3621A171600204AFEB20CF25DD45BA6FBE8FF08714F04886AEA459BA91D375E449CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0507095E Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 050709CF

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: a8effc822a643778cc659c9ec06c8b0487880dd12a235b6da7f90115850eb45a
Instruction ID: bad1627ff4074964afaee622e1a2b371e616db92a4ce5e888cde96b968539c93
Opcode Fuzzy Hash: a8effc822a643778cc659c9ec06c8b0487880dd12a235b6da7f90115850eb45a
Instruction Fuzzy Hash: AF21C272A01204AFFB20DF25DC45FABBBECEF04614F04896AE945DBA41D774E5088A75

Uniqueness

Uniqueness Score: -1.00%

Function 00E0BEB8 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 00E0BF4D

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 2ca3bba46cfdde8df9dbb34fa94f0566c9569dae75aa72d3e75ca852b717bf22
Instruction ID: aa19a2ce0b29f4e71cc79d850209718c88ded22c8c998ddfaad10112b0352e89
Opcode Fuzzy Hash: 2ca3bba46cfdde8df9dbb34fa94f0566c9569dae75aa72d3e75ca852b717bf22
Instruction Fuzzy Hash: BD2149B15087806FE7228B15DC40BA3BFBCEF46724F0885DAE8818B693C324A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 05070852 Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 050708E4

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5f0f32b6ee4c9b012bf87222690ae16075e39cc113e5d146239ed6f84ef71d19
Instruction ID: 9ba9cb6cc3158e8e441a4d7b035c6938985c17b118a18346df972894764cbbfd
Opcode Fuzzy Hash: 5f0f32b6ee4c9b012bf87222690ae16075e39cc113e5d146239ed6f84ef71d19
Instruction Fuzzy Hash: 4521BD72505344AFE722CF55DC44FA7BBF8EF05610F08859AE9858B692C364E908CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00E0AA86 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00E0AB05

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c77e8d8d17fc09b49c218adc748eb2ace2e9c36a3747b9df769b694f1283f601
Instruction ID: 6f22e6bbe2fa7153a867722e5ea682da14bf71b6e571af291125cc0e3e0981b2
Opcode Fuzzy Hash: c77e8d8d17fc09b49c218adc748eb2ace2e9c36a3747b9df769b694f1283f601
Instruction Fuzzy Hash: 5221D472500304AEE730DF55CD44FABFBECEF14714F08886AE9449BA91D734E9488A72

Uniqueness

Uniqueness Score: -1.00%

Function 05072C47 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 05072CC3

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: aeb8fa03c3ff38d30c80136a7ef0e81d868ddc509c35b544a399c1c646e0c4ed
Instruction ID: 7bdbf26dc0f20d0b7f06270d7303a55561464bef0c23bbb8e285d70ae8e41fbd
Opcode Fuzzy Hash: aeb8fa03c3ff38d30c80136a7ef0e81d868ddc509c35b544a399c1c646e0c4ed
Instruction Fuzzy Hash: 0921C2715053846FD722CB15DC44FAABFA8EF46210F08C8AAE944DB652D374A908CB65

Uniqueness

Uniqueness Score: -1.00%

Function 05072B63 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 05072BDF

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: aeb8fa03c3ff38d30c80136a7ef0e81d868ddc509c35b544a399c1c646e0c4ed
Instruction ID: c5f16f069340e2f4e33bfceb59b14c9199eb53daa3aca666ceb50baa9096126a
Opcode Fuzzy Hash: aeb8fa03c3ff38d30c80136a7ef0e81d868ddc509c35b544a399c1c646e0c4ed
Instruction Fuzzy Hash: 0621C2715053846FD722CB15DC44FAABFE8EF45210F08C8AAE944CB652D374A908CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00E0A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00E0A6B9

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 18342615318edef0a80a3ef444798f2a620b606e6fa5f4da3f42c80a3d41ce45
Instruction ID: 7ff9167e83563887dd008fbf53afb8e890215e48d265903f1f8ffc89f4b11b01
Opcode Fuzzy Hash: 18342615318edef0a80a3ef444798f2a620b606e6fa5f4da3f42c80a3d41ce45
Instruction Fuzzy Hash: F021AF716003049FE720CB69DD45BA6FBE8EF04314F08887AE9449BA81D775E9498A62

Uniqueness

Uniqueness Score: -1.00%

Function 05070D85 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 05070E08

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: ddc8708c5478229c9416a57d254b95996e59cc1455fd556c9b31398fd461bdcf
Instruction ID: fa70b85825d08c181bfee5081d7e7971b17c6217185fb3e1048f7affe7d43c54
Opcode Fuzzy Hash: ddc8708c5478229c9416a57d254b95996e59cc1455fd556c9b31398fd461bdcf
Instruction Fuzzy Hash: 8A21C5B14093846FD7228B14DC44F96FFB8EF46210F0885DBE9849B652C378A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05072A88 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 05072B00

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: d96b2402a51fbf6606596673906ecb9be3e01352776e41c8fe0bf88b6eda0736
Instruction ID: 3e57019983ba1ae41ddf4eb1c4e296aa346139c677776372035f285e0fc02ef9
Opcode Fuzzy Hash: d96b2402a51fbf6606596673906ecb9be3e01352776e41c8fe0bf88b6eda0736
Instruction Fuzzy Hash: B621C3715053846FE721CB55DC85FAAFFE8EF45720F0884AAE944CB692D378A908C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 05070212 Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 05070291

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 868989661325c45036875882e18396597509e388ae2add74770d77ce210ebb4a
Instruction ID: 660c629b98d300eb5ebfeccca1f2529fbb6e1ebc3eb1ded7d09a3ef07e83c60f
Opcode Fuzzy Hash: 868989661325c45036875882e18396597509e388ae2add74770d77ce210ebb4a
Instruction Fuzzy Hash: DF21C272405340AFD722CF55DC44FA7BFF8EF45210F08889AE9449B552C334A909CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00E0A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 00E0A40C

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cd545f6595dd85be72217a7517e9ec368b97902d26bce5bc431f081e813428a0
Instruction ID: db576a0349bc2e989f32f2ddb59319d5e98da3a0c150720d043902e73cc85f19
Opcode Fuzzy Hash: cd545f6595dd85be72217a7517e9ec368b97902d26bce5bc431f081e813428a0
Instruction Fuzzy Hash: 57216D766003049FE720CE15CD84FA6B7ECEF04714F08846AE9559B691D778E949CA72

Uniqueness

Uniqueness Score: -1.00%

Function 050726CF Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 0507274B

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 8e21e0f3ed4515244fd47a312647f795b6b6e8ff148a98785f5831809c10c2fb
Instruction ID: 242fb94b3cc71f591cd770f1ce0cdcaec080f60772f7b0c71694b87692cbb300
Opcode Fuzzy Hash: 8e21e0f3ed4515244fd47a312647f795b6b6e8ff148a98785f5831809c10c2fb
Instruction Fuzzy Hash: DD21A1754093846FD722CB54DD48FAABFB8EF45214F0888AAE9449B652C378A908C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00E0B24C Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00E0B2B8

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4c7076349d02f62f774560d18cc663d80a27098081e5c6499b7f733268414def
Instruction ID: e65a8869e58e216091fb932d2bf9a51dda56c106c97043c03dd87afdddb75bdd
Opcode Fuzzy Hash: 4c7076349d02f62f774560d18cc663d80a27098081e5c6499b7f733268414def
Instruction Fuzzy Hash: 0821C0725093C05FDB128B25DC54792BFF4AF47324F0984EAE8859F6A3D264A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E0B301 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,9F328CEF,00000000,?,?,?,?,?,?,?,?,6C883C58), ref: 00E0B372

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: c2700c38e4dc18ccf9837e849893b6eb1dc48824e34061138a23cd0a8a8f257b
Instruction ID: 90ce3d45cd784e764c27762ac8971d0644ef69e78bde2b879cf4a0af58dc35ec
Opcode Fuzzy Hash: c2700c38e4dc18ccf9837e849893b6eb1dc48824e34061138a23cd0a8a8f257b
Instruction Fuzzy Hash: D5219F715093809FD712CB25CC84B92BFF8EF06310F0984EAE984DB6A3D374A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05070B0E Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05070B82

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: f7f152e1fa5b06651636e9085a5917a6c68b6d27ed5ece02ee5ade137ff1dfa9
Instruction ID: 0d6e323bc13cc4518def149d13191de7f04b74b686a25d68f4be5a80b0803acf
Opcode Fuzzy Hash: f7f152e1fa5b06651636e9085a5917a6c68b6d27ed5ece02ee5ade137ff1dfa9
Instruction Fuzzy Hash: 6521D471500204AFE731CF15DD45FAAFBE8EF08328F04896DE9458BA51D375A509CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0507138E Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 0507140A

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 7b1589177981b49658f2bc7753359654201fbcf363d048f50ae47b3470a26770
Instruction ID: 2d67745eb4cec6294dbe48189d094882e311d4fb40f1f904e53785484493d48a
Opcode Fuzzy Hash: 7b1589177981b49658f2bc7753359654201fbcf363d048f50ae47b3470a26770
Instruction Fuzzy Hash: 33218E71508384AFDB228F55DC44B62BFF8EF06210F08859AED858B662D339A819DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0507049A Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05070506

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 2223493d2a25b5486918a29e06e965675b2723ba990f3845726472d2a22ea984
Instruction ID: 905c54c2ce97296bfdbf970fe1197df92d76acf8e958c7c785c4028ff9092f33
Opcode Fuzzy Hash: 2223493d2a25b5486918a29e06e965675b2723ba990f3845726472d2a22ea984
Instruction Fuzzy Hash: 85210E71900200AFEB31CF69DD44FAAFBE8EF08320F04896AE9458BA41C375A409CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00E0A710 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00E0A780

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bf04cfcf30e252c56a4d61577edfd5155de386e9fe45604a66477be443c97c91
Instruction ID: 05ab47927e8451a67b69bc0897b76f7f9cce17b0530569f7d613b6793e795c4e
Opcode Fuzzy Hash: bf04cfcf30e252c56a4d61577edfd5155de386e9fe45604a66477be443c97c91
Instruction Fuzzy Hash: C721D2B55043809FD711CF15DD85752BFB8EF02324F0984ABED448B693D335A905DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0507174A Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 050717D3

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e4d4e2c2f0c3d90e2ab9013aa364e6eb791c4911f402f31d6c8d301b09dc9831
Instruction ID: 181e454528bab1e595516677754fb0f57d107ef2a9214b69367beb105d308904
Opcode Fuzzy Hash: e4d4e2c2f0c3d90e2ab9013aa364e6eb791c4911f402f31d6c8d301b09dc9831
Instruction Fuzzy Hash: A0110371405344AFE721CB15DC85FA6FFF8EF46720F08849AF9448B692C378A948CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E0A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 00E0A4F8

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8df09ae83e24b341fb0f45bdc3e2b7f314eee0480e9948250055abff1721bbc2
Instruction ID: 26fac7242c671c4da225e442728f1d09d5593ab5b11ff1149699e00f6eed873a
Opcode Fuzzy Hash: 8df09ae83e24b341fb0f45bdc3e2b7f314eee0480e9948250055abff1721bbc2
Instruction Fuzzy Hash: 8E11D076500304AFEB318E55CD45FA7FBECEF08714F08846AED459AA81D774E848CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 05070872 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 050708E4

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 91d3c896c08be9a5096808aeb6f2a16acf7559c07d3453c3b944add0ab9383b4
Instruction ID: 6d862b57bb10707e8d74c225a9829e74c76204e95e2328c6e432baae49b5a3da
Opcode Fuzzy Hash: 91d3c896c08be9a5096808aeb6f2a16acf7559c07d3453c3b944add0ab9383b4
Instruction Fuzzy Hash: D011DF72A00308AFE771CF55DD44FAAF7E8EF04710F04856AE9458BA51D774E508CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 00E0B014 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00E0B07E

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 0a070b81a66e5be2864be73f7de966cfd27d94de509e406dc5f9b8bd76fb5195
Instruction ID: 37d97845eb3c04a95c07e77667760fed41768a454ba93aaa7b433196f3b7a095
Opcode Fuzzy Hash: 0a070b81a66e5be2864be73f7de966cfd27d94de509e406dc5f9b8bd76fb5195
Instruction Fuzzy Hash: 7B117F716053809FD721CF25DC85B63BFE8EF55310F0884AAE945DB6A2D334E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0507107A Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 050710D9

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 35eee3e68dca7f62d451cf9139610e20ef58c0b3dc6bf7c755cdc0afd5f9770b
Instruction ID: 9766c33b1faeb614762591c0bf1add1daec5e66528a28b0c39581b5de48721c9
Opcode Fuzzy Hash: 35eee3e68dca7f62d451cf9139610e20ef58c0b3dc6bf7c755cdc0afd5f9770b
Instruction Fuzzy Hash: 63110372600204AFEB31CF55DD45FAAFBE8EF04310F08C86AE9458BA81C774A509CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 05072C6A Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 05072CC3

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: d61622e5bf0997ad817a2027a9b2f827df354afdbfcdc6c24f2ff514143d427f
Instruction ID: 3b15983691450cb23e9305a217d8d7dac52450c6611dfbdd74bcd59e3dc1af3a
Opcode Fuzzy Hash: d61622e5bf0997ad817a2027a9b2f827df354afdbfcdc6c24f2ff514143d427f
Instruction Fuzzy Hash: 091104755002049FE720CF14DD45BAAF7E8EF04324F04C87AE904CBA45D778A9088BB5

Uniqueness

Uniqueness Score: -1.00%

Function 05072B86 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 05072BDF

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: d61622e5bf0997ad817a2027a9b2f827df354afdbfcdc6c24f2ff514143d427f
Instruction ID: 2a30f9242667f9d2807495ccbb034f773285f302ef2ec31dcd800ce2acc5ace0
Opcode Fuzzy Hash: d61622e5bf0997ad817a2027a9b2f827df354afdbfcdc6c24f2ff514143d427f
Instruction Fuzzy Hash: 141104755002049FEB21CF14DD44BAAF7E8EF44324F04C87AE905CBA41D778A5088AB5

Uniqueness

Uniqueness Score: -1.00%

Function 00E0B507 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E0B572

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 88e90f7d70027d136a0e58fa19ef753e125c148ad1bde5984ac4e9eaf76cf007
Instruction ID: 419369e28c9fd302e4b70cc3e502c39cff4d84ef419433702217a0277c90339d
Opcode Fuzzy Hash: 88e90f7d70027d136a0e58fa19ef753e125c148ad1bde5984ac4e9eaf76cf007
Instruction Fuzzy Hash: AD11B471409380AFDB228F55DC44A62FFF4EF4A310F0888DAED858B562C375A818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05072AAA Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 05072B00

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 47e68930fd818422f616e18f79943ba70afba62c6e361261840c6bfe555b06be
Instruction ID: 776e46618c97aa3d087a5fe331c5f90c5419ac0df215907e34d7ea6c8ccb6c66
Opcode Fuzzy Hash: 47e68930fd818422f616e18f79943ba70afba62c6e361261840c6bfe555b06be
Instruction Fuzzy Hash: 0A110A75900204AFE720CF15DD85BAAF7E8EF44724F04C47AED05CB641D778E5088AB5

Uniqueness

Uniqueness Score: -1.00%

Function 05070232 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 05070291

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 3262d8eb21961995233f1024792070123d13f6a57c185d3e107e48f3aca09aaa
Instruction ID: 10495ee1cafd6b8b162365fd43a479eb677305ed63f4e464120033d20b6071b5
Opcode Fuzzy Hash: 3262d8eb21961995233f1024792070123d13f6a57c185d3e107e48f3aca09aaa
Instruction Fuzzy Hash: BA11EF72900204AFEB21CF54DD44FAAFBE8EF04724F04C96AE9458AA41C778A5098BB5

Uniqueness

Uniqueness Score: -1.00%

Function 050726F2 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 0507274B

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: e441afeafb442394798e8bbb28c3c453a5c0e10e6ca1c1305204c0b27e0650c5
Instruction ID: 1d3756c2bac6a12647a7cd92f29131ee612d500053cb4d6e840143a214fa385f
Opcode Fuzzy Hash: e441afeafb442394798e8bbb28c3c453a5c0e10e6ca1c1305204c0b27e0650c5
Instruction Fuzzy Hash: C711E375900244AFE721CF54DE44FAAF7E8EF44724F04C8AAED049BA41D778A508CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 00E0A9B5 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00E0AA14

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7108ee986349eed0066a0da761b21161c383565c2ecbea2f4f64e79f73b2648a
Instruction ID: 0c84b4eb332af436fa58942419b67fc161a6793a9e8d9c5daafc473e4654ecc4
Opcode Fuzzy Hash: 7108ee986349eed0066a0da761b21161c383565c2ecbea2f4f64e79f73b2648a
Instruction Fuzzy Hash: D01160715093C05FDB128B25DD44692BFB4EF46224F0884DBED848F693C279A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05070DB2 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 05070E08

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 2ba860aaa7be280ff3ee55d3d6fafcc569e72fcfc938fa6c5a3259445ba5b04c
Instruction ID: 76397667cb967e78cce507e557673a659c851f3be9b882b95b8cd5ec117589cb
Opcode Fuzzy Hash: 2ba860aaa7be280ff3ee55d3d6fafcc569e72fcfc938fa6c5a3259445ba5b04c
Instruction Fuzzy Hash: 4111E571900204AFEB21CF15DD49FAAF7ECEF44724F04C8AAED449BA41D778A5098BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00E0A2D2 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00E0A330

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a769bf352fa532c26d1acded746764bf8ef29a5279f4d49c8592bd808b03f83c
Instruction ID: adf8b421ee88923f58788216315d7b5816d08a4ec40476c7bdf963f7282988ab
Opcode Fuzzy Hash: a769bf352fa532c26d1acded746764bf8ef29a5279f4d49c8592bd808b03f83c
Instruction Fuzzy Hash: 6811BF7140A3C46FDB228B25DC44A62BFB4DF47224F0D80DBED848F6A3C2696808D772

Uniqueness

Uniqueness Score: -1.00%

Function 0507176A Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 050717D3

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2733707d4400022734d1002e3a6143eabfeb5e86146086a777d25ffec5354d44
Instruction ID: 947f8059076f4ca52d4d90d1755d0b13d2585c3953c48fb5032d3410d8ce771e
Opcode Fuzzy Hash: 2733707d4400022734d1002e3a6143eabfeb5e86146086a777d25ffec5354d44
Instruction Fuzzy Hash: D311E571900204AEE730DB15DD81FBAFBE8DF04724F14C4AAED444ABC1D7B8A508CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 050727CE Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 05072824

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 115cf568054504e0cab5628f4b05fcfb949170f27e4e3ba8ef488b5eacd480b8
Instruction ID: bbde6fb7a2c28824246498a1a22c07520af101dc0b997112c49763400b6e1e1f
Opcode Fuzzy Hash: 115cf568054504e0cab5628f4b05fcfb949170f27e4e3ba8ef488b5eacd480b8
Instruction Fuzzy Hash: A0116D75A052099FEB60CF19D984B6AF7E8FF04610F0884AADD49CB651D335E418CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00E0A078 Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00E0A0D5

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: e0264cd456185a01e559559f8707112ba97bc189e47e647093f2b84001fc1f34
Instruction ID: c4637a75c1770cffc20dfc098f1bdabafa57e6e0b2213e397c27f0ec86967f24
Opcode Fuzzy Hash: e0264cd456185a01e559559f8707112ba97bc189e47e647093f2b84001fc1f34
Instruction Fuzzy Hash: CD118F71509380AFDB22CF55DD44B52FFB4EF46224F0888AAED848B652C275A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E0B036 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00E0B07E

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 68a77ebe602e1ce809c3763392e220cb456178c311e3bdcf8c2aa64c67ff7a8e
Instruction ID: 9b0ed5868fbfafcc0083e01fb9eaf49c90e9abfb202342fe58ef3e4f697b4c59
Opcode Fuzzy Hash: 68a77ebe602e1ce809c3763392e220cb456178c311e3bdcf8c2aa64c67ff7a8e
Instruction Fuzzy Hash: A0117071600200CFDB20CF29D945B67FBE8EF04314F0884AADD55DB691D734D844CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00E0BEFA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,9F328CEF,00000000,00000000,00000000,00000000), ref: 00E0BF4D

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 9d801e89903a70860f184849d2cf8c877a7ca9ce4b538966986acbf5bedf0d5f
Instruction ID: 336b62ff89edb4bac156d9ec87e8aaa87a80916dfdf9082d01ee42fd3622ffe0
Opcode Fuzzy Hash: 9d801e89903a70860f184849d2cf8c877a7ca9ce4b538966986acbf5bedf0d5f
Instruction Fuzzy Hash: 3801D671500300AFE720CB05DD85BA6F7E8EF44724F14C4A6ED059BB81D778A9498AB5

Uniqueness

Uniqueness Score: -1.00%

Function 00E0A918 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 00E0A96F

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: fe294fa88105915617675e2e246d2556b5b79cc817cd703438e86da5b6a2c91e
Instruction ID: 53a51d98b6f3030be14d3f01198ed7b9eea3654514583352a1363712c3e7f9ee
Opcode Fuzzy Hash: fe294fa88105915617675e2e246d2556b5b79cc817cd703438e86da5b6a2c91e
Instruction Fuzzy Hash: 8511A0715093849FDB218F15DC84B52FFF4EF46320F0984EAED848F662D279A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E0B332 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,9F328CEF,00000000,?,?,?,?,?,?,?,?,6C883C58), ref: 00E0B372

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 6001d52f35df33949df493f1b0228fee4853048a89140ace16fe152ce38224b1
Instruction ID: 60c1a92aa98d105dfb8535aa4257edd30b852ef7498c18c317df8bf0fa81c621
Opcode Fuzzy Hash: 6001d52f35df33949df493f1b0228fee4853048a89140ace16fe152ce38224b1
Instruction Fuzzy Hash: 6B115E716002008FDB20CF19D985B96FBE8FF44324F18C4AADD499BA95D779E844CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050713BE Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 0507140A

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 8c485a681101b6620e7e6236ed66c2641ef0f6ef5a0839a65add3c0eebaae8c1
Instruction ID: 6bddcb282ec6194f11935b0e9ddb9d54864d84c8045caab19b30c288c41dc5e0
Opcode Fuzzy Hash: 8c485a681101b6620e7e6236ed66c2641ef0f6ef5a0839a65add3c0eebaae8c1
Instruction Fuzzy Hash: E3117C719002449FDB20CF55D944B66FBE5FF08610F0889AAED458BA62D335E419CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050714DE Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 0507152E

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: e7d0ac95453575069d65d5e2fbf14ea274c4da2ab59117b2c45a6775cde69612
Instruction ID: 0c68ead400be9a8357b0e6bcfc8fc6ef8c48354b1e5f53c32506666ff8792a26
Opcode Fuzzy Hash: e7d0ac95453575069d65d5e2fbf14ea274c4da2ab59117b2c45a6775cde69612
Instruction Fuzzy Hash: D2017171600200ABD310DF1ADD46B66FBE8FB88A20F14856AED089BB41D735F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00E0B52E Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E0B572

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8ab838bee7cec7e2be69c79a8a29f4e66e9a3b6b8b30721bd2a8fdb1fefe8a34
Instruction ID: 451e3a40c8fea870acc80dc01f9f4901f4add793a0330fffc5d345492235a1bd
Opcode Fuzzy Hash: 8ab838bee7cec7e2be69c79a8a29f4e66e9a3b6b8b30721bd2a8fdb1fefe8a34
Instruction Fuzzy Hash: 7A01AD328002009FDB20CF55DD44B52FBE1FF48320F08C8AADD895AA51C375E458DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00E0A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00E0A780

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 320b5e4e6f80e7128b966a6df3d8344c8ad3ed060ba4ca5c90cb1193da8fb92f
Instruction ID: bb45dfad681669c3de3f51300c5829f5331bfbbb380dbb7b9396d884b51589c6
Opcode Fuzzy Hash: 320b5e4e6f80e7128b966a6df3d8344c8ad3ed060ba4ca5c90cb1193da8fb92f
Instruction Fuzzy Hash: 0A01B1715002048FDB208F19D9847A6FBE4DF04324F0CC4BBDD459BA86D778A444CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E0B286 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00E0B2B8

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 99237ad57b1f1c8b244223fb6629ebe1d739c00cc477455c61937ccf400828d8
Instruction ID: cef16ec457b6ea8ea166e6451fdeb262c43b1f45df1fec24b0be3c3e997fa31b
Opcode Fuzzy Hash: 99237ad57b1f1c8b244223fb6629ebe1d739c00cc477455c61937ccf400828d8
Instruction Fuzzy Hash: 7101D4719002408FDB10CF19D984796FBE4EF45324F08C4BADC499BB95C778E448CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 050703FE Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0507044E

Memory Dump Source

Source File: 00000005.00000002.4078447035.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_Server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e7901965f72a869206c19c46b713818c6a0454f44e4ac5b1aec0c5db14cdf046
Instruction ID: a93e89397ad67066b314484ba17d1947f3b21aaa3d590f91ab8c3c7dfc7f24f3
Opcode Fuzzy Hash: e7901965f72a869206c19c46b713818c6a0454f44e4ac5b1aec0c5db14cdf046
Instruction Fuzzy Hash: 2801A7715002006BD210DF1ACD46B66FBE4FB88A20F14815AEC0857B41D771F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00E0A09A Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00E0A0D5

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 3392dac871dcf1d7fc0f0fb3e75bdc20afa2da4701a9611d140c245b8feacf91
Instruction ID: f53c9fc93d205e086656e20518b86eeb1a895cfc881b1f6f7fc28c1f3088284a
Opcode Fuzzy Hash: 3392dac871dcf1d7fc0f0fb3e75bdc20afa2da4701a9611d140c245b8feacf91
Instruction Fuzzy Hash: B301B1715013449FDB20CF55D944BA2FBE0EF44324F08C8BADD499BA96D379E458CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E0A93A Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 00E0A96F

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: 4f8f01e205aac330635e7bfa5d41f52667f489b8e3390a9ff44dbf470b3aa522
Instruction ID: b3d790b531d6fe2277d93e5df3d03832c65dcb9f269ac7603d1f5233c716208e
Opcode Fuzzy Hash: 4f8f01e205aac330635e7bfa5d41f52667f489b8e3390a9ff44dbf470b3aa522
Instruction Fuzzy Hash: 2F0184719042449FDB20CF19D944765FBE4EF44324F0CC8BADD449B655D3799444CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E0A9E2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00E0AA14

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 748d46bdea22c553e6759632f8c4c09312cf93318af698cff6986330ca27a55e
Instruction ID: d3bb2dda79de9f0314cfedf665b855ba90f1b6b57054e2f7a1bd9c23496083ab
Opcode Fuzzy Hash: 748d46bdea22c553e6759632f8c4c09312cf93318af698cff6986330ca27a55e
Instruction Fuzzy Hash: CA01A271A003449FDB20CF15DA847A1FBE4EF44324F08C4BADD499FA86D379E444CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E0A2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00E0A330

Memory Dump Source

Source File: 00000005.00000002.4075775477.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e0a000_Server.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 949b55ca24cbebe6ad2e3832c15aaec253a1bb9a0f8d2b9d8a6b36157b1bb283
Instruction ID: a18e15d235a5c4c7dc91afbc88605540de3166cde434835022b61bbf1841ae40
Opcode Fuzzy Hash: 949b55ca24cbebe6ad2e3832c15aaec253a1bb9a0f8d2b9d8a6b36157b1bb283
Instruction Fuzzy Hash: 65F08C359043448FDB209F19D9847A5FBE0EF04724F0CC0AADD495BB92D379A848CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B407DE Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4075185397.0000000000B40000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b40000_Server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf829ca601b0c9e03bbec5a0be36d2d3a48dd0e1bedf3398f990fbe4ddc847b4
Instruction ID: 2a291813f67ddc173dd82aef41dc0c6782f7cd794496394dcce88250d501ca5f
Opcode Fuzzy Hash: cf829ca601b0c9e03bbec5a0be36d2d3a48dd0e1bedf3398f990fbe4ddc847b4
Instruction Fuzzy Hash: 67213B3150D3C18FC7139B24C950B55BFB1AF47314F198AEED5C98B6A3C23A984ADB52

Uniqueness

Uniqueness Score: -1.00%

Function 057222B8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4078878403.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5720000_Server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b5fcfa3db20633695a93f014a583579f3eaef6498783573ec8c363dc5b7901
Instruction ID: 87efcd322b993559cfe883b2c75272d46f479a662352a78604d4fedb3fd43206
Opcode Fuzzy Hash: 32b5fcfa3db20633695a93f014a583579f3eaef6498783573ec8c363dc5b7901
Instruction Fuzzy Hash: 2B11E7B5908301AFC350CF19D880A5BFBE4FB88664F04896EF898D7311D335E9088FA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B40814 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4075185397.0000000000B40000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b40000_Server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b60e632bf36d575a19b383b9905034bb0946ef22f43757e5e33bf19fa070527
Instruction ID: d897ff791a96b9984d2d20ddc014d36500bc68072f9e31ebf74aebb126c5049a
Opcode Fuzzy Hash: 7b60e632bf36d575a19b383b9905034bb0946ef22f43757e5e33bf19fa070527
Instruction Fuzzy Hash: 8E11E430614280DFC711EB14DA80B16B7E5EB88708F24C9ECE5491BB53C77BD943EA91

Uniqueness

Uniqueness Score: -1.00%

Function 00E1B444 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4075848992.0000000000E1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e1a000_Server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4ca9d95e537ee82ed0244332266ff76f2633fc502ca91389fd12b0e73cf86e
Instruction ID: 1401bc766ed58764a2a8dc330a3e71d9a2b6ccd6046dcda2e017d56976466a19
Opcode Fuzzy Hash: 7d4ca9d95e537ee82ed0244332266ff76f2633fc502ca91389fd12b0e73cf86e
Instruction Fuzzy Hash: FA11FAB5A08301AFD350CF09DC40E5BFBE8EB88660F04892EF95897711D335E9088FA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B405E0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4075185397.0000000000B40000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b40000_Server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc37e44fdb9d0c72d4f8d710d4cbc3c789c00d3253c6d4fff18efa21c05d4fa
Instruction ID: 34c6781d0707b6e02b062b90d99ae2e20a3a334992606fb332e0a7f3e2df2f7c
Opcode Fuzzy Hash: dbc37e44fdb9d0c72d4f8d710d4cbc3c789c00d3253c6d4fff18efa21c05d4fa
Instruction Fuzzy Hash: CF01D6754493805FC3118B19EC41893FFE8EF8623070984BBE8498B612D229A94ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B408D0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4075185397.0000000000B40000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b40000_Server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b9f174851936b42c91253ba0377f3a0e724fe011995a5d7daf0febe73ee2ff
Instruction ID: 0dc28ab0f65a6533082352c50572bef560fab633420cb08a24cfc5395f8756ec
Opcode Fuzzy Hash: 74b9f174851936b42c91253ba0377f3a0e724fe011995a5d7daf0febe73ee2ff
Instruction Fuzzy Hash: C8F0FB35108644DFC705DB00D680B15FBE2EB89718F24CAADE94917A52C737D912EA81

Uniqueness

Uniqueness Score: -1.00%

Function 00B40606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4075185397.0000000000B40000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b40000_Server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e69101da068012c0eb6c164d1ae762c63ba16b6e34d7615e19282830aafd7418
Instruction ID: d1793d49d3b559a8a183c9f7f34c37be6a7bfa3d5bdd6bfda815d1365d698f6a
Opcode Fuzzy Hash: e69101da068012c0eb6c164d1ae762c63ba16b6e34d7615e19282830aafd7418
Instruction Fuzzy Hash: 9AE092B66006004BD650CF0AED41452F7D8EF88630B08C47FDC0D8BB11D339B508CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 00E1B493 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4075848992.0000000000E1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e1a000_Server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae10f0b225ec1a082a817741a419f756b88cccab972401e1dd2cde94cbf3ebaa
Instruction ID: 27e395f685c937ce758232e43cee429f07e2aeb3842f8cd3f0fac685a229c1f2
Opcode Fuzzy Hash: ae10f0b225ec1a082a817741a419f756b88cccab972401e1dd2cde94cbf3ebaa
Instruction Fuzzy Hash: 76E020B254120467D2108F0ADC45F63F7DCDB44931F04C567ED085B702D275B514C9F5

Uniqueness

Uniqueness Score: -1.00%

Function 05722323 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4078878403.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5720000_Server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba0ee5101a600d31d7012393df2925a91f9cd0b52cf2c7754789ee551cd62a4
Instruction ID: 7ebd7f4bbb6ad83b098e81cdc2d8d0e677dc6160d0d02a56aefbf8e5f5163bb0
Opcode Fuzzy Hash: 1ba0ee5101a600d31d7012393df2925a91f9cd0b52cf2c7754789ee551cd62a4
Instruction Fuzzy Hash: 2FE0D8B255120067D2108E0A9C45F52FBDCDB84931F04C567ED081B741D275B51489E5

Uniqueness

Uniqueness Score: -1.00%

Function 05721BCF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4078878403.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5720000_Server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e89ac1ea5fa3657b43d00abaf380317b598671c1cdbabea117f8ed401c4c113
Instruction ID: eab06922cbb34dee67ef6327d1bd6490a7f2d12b2895f26bd07ad42b0bcdf560
Opcode Fuzzy Hash: 1e89ac1ea5fa3657b43d00abaf380317b598671c1cdbabea117f8ed401c4c113
Instruction Fuzzy Hash: F9E0D8B255120067D2109E0A9C46F53FBD8DB80931F04C567ED085B701D276B514C9E5

Uniqueness

Uniqueness Score: -1.00%

Function 00E023F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4075751809.0000000000E02000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e02000_Server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86864e3ad4de1b19a3b32b7a06484b66120bde7b6e326f238c8312c4df127398
Instruction ID: 2d5f102d51270db9c076ce928b9fe76a3b515376b5354a9c7d0db2db2ebb4b2a
Opcode Fuzzy Hash: 86864e3ad4de1b19a3b32b7a06484b66120bde7b6e326f238c8312c4df127398
Instruction Fuzzy Hash: 0BD05E79205AD14FD3269A1CC6A8B9537D4AB51718F4A44FDAC00DB7A3C768D9C1E600

Uniqueness

Uniqueness Score: -1.00%

Function 00E023BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4075751809.0000000000E02000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e02000_Server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d4bb50d1e84a5ce347740744364ada82e8edd529c6e8b14c689dfe77dddf683
Instruction ID: 61f1b470d8389b632cefd403bd62ee2857245cd4010d2a83035945572646f426
Opcode Fuzzy Hash: 5d4bb50d1e84a5ce347740744364ada82e8edd529c6e8b14c689dfe77dddf683
Instruction Fuzzy Hash: 32D05E342002824BCB25DA0CD6D8F5977D8AB40718F0644ECAC109B7A6C7BCD8C0DA00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E0269A Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4075751809.0000000000E02000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e02000_Server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207c4ee4e37e8feea18da3174f20b88888495ef7ae50c7de69e15c218b425ff3
Instruction ID: 2b8e99c800b94f227e991990a0ff568180094f26def5e16644944fd9a2a35935
Opcode Fuzzy Hash: 207c4ee4e37e8feea18da3174f20b88888495ef7ae50c7de69e15c218b425ff3
Instruction Fuzzy Hash: 64F1ED6540E7C14FD71BDB3489AA145BFB4AE9321471E9ACFC8C08F1E7D3688949C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00E02C83 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4075751809.0000000000E02000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e02000_Server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21afacb28d087e8dfa4c9c9b109e23fffd021a1412951dde847e107dc6235d5
Instruction ID: 2b33e9fc3d21d3428f53f8a04d58820636cc0c8d33e461a219b90c1288696f01
Opcode Fuzzy Hash: d21afacb28d087e8dfa4c9c9b109e23fffd021a1412951dde847e107dc6235d5
Instruction Fuzzy Hash: E651AEA550E7C19FD7078B308CA2491BFB1AE5320434E92DBC980CF5F7E365885AC7A2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2G8CgDVl3K.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Server.exe

C:\Users\user\AppData\Local\Temp\VedaniTeam.png

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
2G8CgDVl3K.exe

Function 04EE0F90 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Function 04EE0F7F Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Function 0507144A Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Function 00E0BDA2 Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Function 050724F6 Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Function 05070387 Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Function 050711BC Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 00E0AA52 Relevance: 1.6, APIs: 1, Instructions: 91
registryCOMMON

Function 00E0A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON